Page 110 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022

Strong authentication has traditionally been synonymous with methods of multi-factor authentication (MFA), most of which still rely on a password of some kind. However, the unfortunate truth about passwords is that they are not only inherently broken but also the most ubiquitous authentication factor. Therefore, any implementation of multi-factor authentication that includes a password is undermined by that inclusion.

High-assurance strong authentication, in which multi-factor authentication is merged with biometrics, is what many industry experts believe to be a much superior approach to securing accounts. In the past five years alone, high-assurance authentication has been adopted on a mass scale, climbing from 5% in 2017 to 16% in 2018, and on to a whopping 24% in 2021. Even with high-assurance and biometric authentication gaining traction in the U.S., 49% of users still depend on passwords across their accounts. Despite this surprising percentage, the growing awareness of stronger authentication methods is promising for their implementation in the near future.

As it currently exists, the widespread adoption of high-assurance authentication has largely been led by the FIDO Alliance. Since 2013, FIDO has sought to enable strong authentication through an open set of standards and specifications that link user devices to a secure online service and then rely on biometric information stored on a particular device. Making this process more accessible appears to be the key to its ubiquity, but there are also loopholes that need to be addressed: device biometrics only authenticate the owner of the device, not the owner of the account being accessed. When attackers exploit this gap, it further contributes to the growing fraud rates we are experiencing.

There are other issues that must be overcome to move towards the ubiquity of biometrics for consumer applications. Currently, FIDO credentials are only generated for a specific device, meaning that each device or browser must be separately provisioned in order to seamlessly authenticate access. Managing multiple devices is not only difficult, but from a consumer perspective also degrades the experience. As a result, the FIDO Alliance has called for the issuance of multi-device credentials that will enable users to authenticate from anywhere, at any time, and from any device.


The transition to this model raises a few questions, the first being: how do you establish a high enough level of assurance with a new user device that the entire set of credentials or keys can be entrusted to it? Secondly, how can digital assets be securely backed up and transferred without exposing them to potential compromise in transit or at rest while in vendor storage? And lastly, how does all of this happen across different device manufacturers who are disincentivized from working together?

Because biometric information is stored on and bound to a specific device, it cannot be relied on to authenticate from any other device; the biometric samples enrolled on the original device will no longer be available, and the fallback will once again be other authentication factors with lesser assurance levels. Additionally, sending cryptographic assets to backup facilities exposes this information to eavesdropping by cyberattackers in transit. Finally, if a vendor's facility is hacked into, all the cryptographic keys stored there can provide unfettered access to every account they protect.

The solution to these challenges lies in a decentralized cloud infrastructure that can provide high levels of authentication assurance regardless of the device. Applying biometrics to a decentralized cloud infrastructure aligns with the privacy principles of FIDO, where the user is in control of their biometric data and the biometric itself is not accessible across multiple parties.
