Page 15 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
Meanwhile, two-factor authentication doesn't prove identity at all. Instead, it simply provides hope … that
email accounts, devices and apps haven’t been hacked.
Strong authentication using biometrics shows great promise in replacing passwords by moving beyond
the “something you know” (knowledge) factor to the “something you are” (inherence) factor. Inherence
factors are physical characteristics (typically facial, fingerprint, or voice recognition) used to verify a user's identity.
However, capturing user biometrics is one thing; securing them is a completely different challenge,
because, just like passwords, digitized biometrics can be stolen.
Passwordless is the Future
Recent breakthroughs in standards and technologies make passwordless authentication not only
possible but cost-effective and convenient.
For example, NIST standard 800-63-3B covers how users can authenticate with enrolled identities,
without usernames or passwords. The industry term for this is passwordless authentication.
Meanwhile, passwordless authentication has been popularized by the Fast Identity Online (FIDO)
Alliance, a non-profit industry consortium supported by companies such as Google and Microsoft.
Its main standard is FIDO2, which lets users keep their biometrics behind a cryptographically
secured public-private key pair. The private key is stored in the Trusted Platform Module or Secure
Enclave of the device. That key (what you have) and a biometric such as TouchID, FaceID or
LiveID (what you are) are the two factors needed to verify that the user can be trusted to access an
online service.
For passwordless to work, certified authentication must establish a high level of certainty about the identity at
the end of a connection. Identity thus becomes key to an organization's security perimeter and
removes the anonymity that compromised credentials provide, which is also central to helping organizations
move to a zero-trust architecture.
To ensure the success of passwordless authentication, the biometric must be sophisticated and non-hackable.
A “live selfie” is a must, using technology that detects depth of field, specific facial movements,
and all signs of photo and video manipulation.
The authentication mechanism needs a high degree of interoperability and must integrate easily
with operating systems, user stores, devices, SSO, and other applications, preferably via an API or SDK.
Because user biometrics are a high-value target for hackers, they should also be stored as safely as
possible.
Centralized administration creates a honeypot target ripe for ransomware, hacking, and the like. Conversely,
distributed ledgers offer a vastly superior approach to security and facilitate user privacy by giving users
management and control of their own information.