FIDO’s Passwordless Sign-Ins

In early May 2022, Google, Apple, and Microsoft announced plans to support a common passwordless sign-in standard created by the Fast Identity Online (FIDO) Alliance and the World Wide Web Consortium. Moving away from passwords is something CyberHoot has also embraced. We forgo a Password login, to a special link being sent to your email (somewhere you log into each day).

Why Make This Change?

Going passwordless will allow organizations to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms. FIDO says:

“The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN. This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS.”

It is well known in the cybersecurity industry that password-only authentication can be a large security risk to individuals and companies. For end-users, managing so many passwords with so many different sites can be nearly impossible. It most often results in the reuse of the same password across multiple accounts (which is why CyberHoot recommends using Password Managers).

FIDO noted that password managers and Two-Factor Authentication (2FA) work well, but there has been industry-wide collaboration to create sign-in technology that is more convenient and more secure. CyberHoot often witnesses that many fail to set up strong passwords for their Password Managers or users forget or refuse to enable 2FA on critical accounts because they think it’s inconvenient. So this FIDO initiative could be a boon to overall SMB cybersecurity. 

How Will It Work?

FIDO announced that this new passwordless tool will provide the following capabilities in the future: 

1. Allow users to automatically access their FIDO sign-in credentials (referred to by some as a “passkey”) on many of their devices, even new ones, without having to re-enroll every account.
2. Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.

While it would be awesome to have one “passkey” as described above, we may still be years away from this becoming a common thing. Craig Lurey, CTO and Co-Founder of Keeper Security, discusses challenges with adoption:

The slow adoption of multi-factor authentication by businesses and consumers—despite MFA being a practical and highly effective way to protect end users from breaches due to credential theft—is a good indicator of the possible adoption timeframe for passwordless tech.

First, vendors have to build the technology into their websites and applications, and then, end users have to be educated about the technology and come to trust and adopt it. Note that this includes users becoming accustomed to relying on their mobile devices. 

Between both organizational and consumer adoption, it may take many years until passwordless tech is widespread. Bottom line: We’ll still be using passwords for at least another decade. Single-factor, passwordless login has too many functional, logistical and security issues to become the norm overnight.

What Does This Mean For Your SMB or MSP?

This means that you should continue following CyberHoot’s recommendations regarding cybersecurity and authentication processes until the passwordless option is available and well-tested. Until then, require 14 character, non-complex, and non-expiring passwords, stored in a password manager. To this, you want to add multi-factor authentication (MFA) to all critical accounts. Train employees on the merits of strong password hygiene and their password manager. It’s that easy. Beyond passwords, CyberHoot recommends the following minimum essential cybersecurity recommendations. 

CyberHoot’s Minimum Essential Cybersecurity Recommendations

The following recommendations will help you and your business stay secure with the various threats you may face on a day-to-day basis. All of the suggestions listed below can be gained by hiring CyberHoot’s vCISO Program development services.

1. Govern employees with policies and procedures. You need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP) at a minimum.
2. Train employees on how to spot and avoid phishing attacks. Adopt a Learning Management system like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
3. Test employees with Phishing attacks to practice. CyberHoot’s Phish testing allows businesses to test employees with believable phishing attacks and put those that fail into remedial phish training.
4. Deploy critical cybersecurity technology including two-factor authentication on all critical accounts. Enable email SPAM filtering, validate backups, and deploy DNS protection, antivirus, and anti-malware on all your endpoints.
5. In the modern Work-from-Home era, make sure you’re managing personal devices connecting to your network by validating their security (patching, antivirus, DNS protections) or prohibiting their use entirely.
6. If you haven’t had a risk assessment by a 3rd party in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most egregious risks with your finite time and money.
7. Buy Cyber-Insurance to protect you in a catastrophic failure situation. Cyber-Insurance is no different than Car, Fire, Flood, or Life insurance. It’s there when you need it most.

Each of these recommendations, except cyber-insurance, is built into CyberHoot’s product and virtual Chief Information Security Officer services. With CyberHoot you can govern, train, assess, and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least continue to learn by enrolling in our monthly Cybersecurity newsletters to stay on top of current cybersecurity updates.