The holiday season is upon us again! In New England, the Season brings Christmas cheer, steaming mugs of hot chocolate and lots of snow. As I dug out from 22” inches of the white stuff recently, it struck me how fortunate we are to live in an age where business continues to operate anytime, anywhere and under any conditions. Working from phone, tablet or laptop, I never missed a beat (full disclosure: I even took one conference call while snow blowing the driveway).
Workforce mobility is a blessing and a curse—it enables organizations to maximize productivity, recruit top talent regardless of location, and continue business operations even during the worst New England winter. But digital transformation also exposes organizations to greater risk from compromised identities used to steal your most sensitive data and resources.
FIDO (Fast ID Online) authentication is gaining popularity as a strong, open standards-based approach that is convenient, cost effective and resistant to phishing attacks. Often employed as a small hardware key, users prove their identity by inserting the device into a USB port or by tapping it on an NFC reader. The latest evolution of the standard, FIDO2, extends support to Microsoft Windows and to most modern web browsers. It improves security with the addition of a PIN or biometric and supports a new “passwordless” login.
So, is FIDO2 the key (pun intended) that will finally eliminate the dreaded password forever? As with most things in life, the answer lies in the details. As with any other security solution, FIDO2 technology is only as good as the implementation and processes surrounding it. When it is supported, FIDO authentication works very well. But while increasingly common on the Internet, FIDO2 may not yet work with legacy applications including your VPN and other on-prem apps, or in environments where workforce limitations, user preference or other circumstances dictate a different software- or mobile-based option.
Another consideration is how your organization will manage FIDO2 security keys. Will users self-enroll and how do you secure that process? If a user loses their FIDO2 security key, how will they replace it or request temporary access? By default, many implementations fall back to a password in these situations (or worse, your mother’s maiden name).
Organizations opting for FIDO2 should consider three factors:
- Implement FIDO2 together with a range of complementary authenticator options (e.g., OTP, biometrics and mobile push) to support any user and use case
- Employ risk-based techniques, including conditional access, to further secure environments where passwords are removed
- Select an Identity Assurance platform that can extend use of FIDO2 (and other authenticators) with legacy, on-prem and non-web applications, and that can secure the entire credential lifecycle without falling back to passwords
Helping organizations embrace a passwordless future is why RSA® has chosen to partner with Yubico—the leader in hardware-based FIDO authenticators. Combined with RSA® SecurID Access, the premier Identity Assurance solution for securing anytime, anywhere access, Yubico and RSA® are two names that should be on every IAM practitioner’s Christmas wish list.
Author: Dave Taku
Category: RSA Point of View, Blog Post
Keywords: FIDO, FIDO2, Passwordless