How FIDO's approach to authentication reveals a confusion between identity and access
The Fast Identity Online (FIDO) Alliance -- a group of technology companies including Apple, Google and Microsoft -- recently announced its commitment to supporting passwordless authentication across its products. FIDO’s plans have been in place for nearly a decade and work started long ago on a system that lets users log in to their online accounts without a password but instead with a PIN, biometric, iris scan or with voice recognition.
FIDO’s approach is expected to be implemented across Apple, Google and Microsoft platforms later this year and FIDO believes this will provide better protection over legacy multi-factor authentication and better protection against malicious phishing attacks.
Instead of having users remember passwords, FIDO proposes that passwords are stored on devices or the operating system’s associated cloud sync service. A device such as a phone becomes the access point, and access is authenticated via inputting your phone’s PIN or by using fingerprint or face identification.
In theory, this would reduce the reliance on passwords and give users a way of keeping their credentials to hand as they move from device to device. In practice, the longing for convenience and ease of access has pushed security to the side and could leave users’ vital data vulnerable to threat actors.
Identity versus Access
FIDO’s approach to passwords, while convenient, first reveals a dangerous confusion between access and identity. Contrary to popular belief, the two are not interchangeable. Identities are fixed while access keys are changeable. In the physical world, we use them for different needs.
Your identity is used to identify yourself, for example when you cross a country border, when you need to prove you have the legal rights to live in a country or to live in a house. Your legal identity is fixed and doesn’t change when you change job or country. Your identity is unique.
Access, on the other hand, is granted by an authority such as a company or a landlord, to allow certain people to enter certain places. Access is usually granted by giving someone a key, keys don’t depend on people’s identity. For example, when you go home, your door doesn’t look at you, recognize you and open for you. If you have the keys, you can open the doors.
Contrary to your unique identity, you can have as many keys as you have doors, which means if you lose your car key for example, it doesn’t affect your house or your office. You can simply change your keys.
Now imagine that you use your identity biometrics to access everything you own. Biometrics are simply a unique combination of 0s and 1s. We know from recent data breaches that large databases of identity biometrics can and have been stolen. If your biometrics are stolen, not only can you immediately lose everything you have, but you also can’t go back and delete them. Biometric theft is permanent, which means you will always face the risk of someone using your identity illegally. Does convenience justify taking such high risks?
Who, except a locksmith, makes their own keys?
Another point of confusion concerns access keys. People have long believed that they need to create passwords and remember them. But passwords are just keys, digital keys. Who -- except locksmiths -- ever designed and cut their own keys to open their house, their car, their safe? People simply retrieve the right key and use it.
To prevent people stealing your keys in the digital world, since there are no physical obstacles, one simple defense is to use encrypted passwords. If you don’t know or see your passwords, you can’t inadvertently give them away. There are different ways to manage encrypted passwords for different needs, the safest of which is to keep them in a fortress with multiple levels security for different passwords that only the owner can access.
According to Verizon’s Data Breach Investigations Report 2022, 82 percent of all data breaches involve a human element such as social attacks, phishing and password misuse. In the business world, companies can protect themselves from this human element by distributing end-to-end encrypted passwords for every system to all of their employees, digitally handing individual access keys to people they can use without ever seeing them.
End-to-end encryption means passwords are out of reach from creation, distribution, storage, use to expiry. That way, employees can’t know the passwords so they cannot give them away in phishing attacks, which represent 83 percent of cyberattacks according to the Office of National Statistics in 2021. Not knowing passwords also means not forgetting passwords, which saves organizations money on password resets and productivity.
All your data behind a single point of access
A third point of confusion concerns the use of single access. In the physical world, it’s unsafe to have a single key for your house, car and office. That’s because losing that key means losing everything you have. But in the digital world, in return for convenience, people have been advised to use a single master password, biometric or PIN, as in the proposal of FIDO, to access all their digital assets. For people who follow that advice, it means one attack could cause the loss of all of their accounts and data at once.
A warning spike in physical assaults
The list of issues that ensues from FIDO’s proposal is endless, but none has more chilling implications than the risk of turning everyone who owns a portable device like a smartphone into an obvious target for physical crime. When every device essentially holds the keys to all your wealth, you become a walking wallet with an easy target on your back. There have already been many cases of people being physically assaulted in the city of London to give their fingerprint and face ID to open their devices for criminals to steal all their cryptocurrency.
Time and time again, new technology has been implemented without proper security assessment and ended up proving more harmful to people. Before accepting FIDO’s proposal, people should remember the old adage: be careful what you wish for.