Informal security chat with our host Reece Guida, VP of Product Strategy Husnain Bajwa, and Beyond Identity's CTO Jasson Casey on how the future is FIDO and what that looks like.

Transcription

Reece Guida

Hello and welcome to yet another legendary episode of Cybersecurity Hot Takes with me your esteemed host Reece Guida and...

Husnain Bajwa

I go by HB

Reece Guida

Got you. Did you say you wanted to go by age HB?

Husnain Bajwa

No, I was just gonna say HB.

Reece Guida

I'm going to put you guys on blast.

Jasson Casey

We were going by age if I hadn't stepped on Husnain.

Jasson Casey

Yes, yes.

Reece Guida

All right. And that guy who just said that was Jasson Casey our CTO. So, it's been another week in security to say the least but we're gathered here today to talk about FIDO. You know, I, we think the future is FIDO but don't ask me what that looks like. What do you guys think of that hot take?

Jasson Casey

I don't know if it's much of a hot take. I think it's the general trend, to be honest, right? Is it a hot take if Google, Microsoft, and you know everyone else under the sun is talking about FIDO's gonna solve all of your problems and we have this new thing called passkeys and let's talk. It's definitely a new thing. So couple things, right? a lot of people say FIDO. A, much smaller group actually understands what that is, right? FIDO is not a unique standard of itself, as opposed to it's like a reference architecture that references a series of standards and protocols underneath. So, I do find it interesting to kind of be a little bit more precise when we're talking to folks, right?

So, FIDO talks about WebAuthn as being an interface to a user original browser to be able to manage the life cycle of a credential and well, technically it's not a full lifecycle management protocol. It talks about how to create a credential and how to ask that credential to get used. Then you've got things like UAF and CTAP too which really talk about, you can think of it as like the southbound interface from that user original browser to the actual enclave that's managing that credential, right? In some cases, not necessarily an enclave, right If you read some of the passkey literature where they're very excited to help people share passkeys, you know which we have some concerns about. If this is really supposed to be the next step in a security product, you can help delegate right to others without actually having to share credentials to them. That might be a little bit intellectual laziness but, it's a good thing.

CTAP provides secure channels for the UAS and browsers to interact with a southbound application or enclave or off board device, I should say, right? We talk about onboard devices so much just cause that's where we live as a platform authenticator. But in theory you get a Bluetooth channel you get an NFFC channel that you can also use to establish kind of Secure Auth. So, I don't know if it's hot take to say FIDO is the future. I think that's obvious. I think the more nuanced discussions are about what can I do today, and is FIDO enough?. What else do I have to do to really kind of have turnkey enterprise grade zero trust access.

Reece Guida

Turnkey is a very fitting word here when we're talking about passkeys.

Husnain Bajwa

I think a huge portion of what makes FIDO both promising and a little bit ambiguous is that northbound interface, I think there's still an enormous amount of work to be done. and,

Reece Guida

Do you guys mind if I stop you there for a second? I'm hearing southbound and northbound and I'm thinking of expressways. What does that mean exactly?

Jasson Casey

They're expressways. So, the browser is a city and the northbound expressway is how you get to the villages north of that city. Think of a LAD stack, right? So, you have a browser and the browser wants to go north, right? To talk to the world, the web and the browser wants to go south to talk to other facilities on the same machine the browser's running on or through those facilities to a phone that might be Bluetooth near that machine. So, when we say southbound northbound, it's really just a legacy of like architectural diagrams, right? Where you've got a stack, and I don't know why up is north because up is not north, but, it is in these diagrams and HB and I are both kind of old school telco people where, that was banged into our head.

Husnain Bajwa

I think what Jason described as the facilities for the local device, which I was referring to as southbound or he was referring to as southbound initially. The major thing there is that we've had roughly 20 years of staleness in the evolution and development of those interfaces. And so FIDO is essentially revitalizing an interface that needs to be revitalized and made uniform across the platforms that people commonly use. So today we know that a person's going to be on an Apple mobile device running iOS. We know that a person's can be on Google mobile running android from any number of vendors and using any number of chipset architectures and board designs from various vendors.

We know that Mac OS is going to be running on a pretty limited set of apple endorsed hardware. But then we also have Windows that's got like a massive diversity of options. And within these, all of these architectures have adopted secure enclave technologies trusted execution environment technologies that allow you to do some level of data in use encryption control and management. And that sort of innovative sort of security processor capability that that's emerged, is generally, up to every user on every platform to optimize it and manage. And the user experience can be vastly different. If you ever try to do a certificate authentication on Windows versus doing a certificate authentication on an apple device it can be a genuinely disorienting experience going from one to the other. So, I think that piece of it where FIDO's doing sort of god's work and cleaning up what was like 20 - 30 years of fragmentation mess. That's, that's great. I think there's a lot more, when it comes to how you connect to applications, how you connect to infrastructure.

Reece Guida

Well, yeah, when you talk about what's more I really wanna talk into that because you and Jason said similar things HB. Jasson was like, yeah, you know it could be intellectually lazy and you said ambiguous. So how do we provide more clarity in, you know FIDO in its future? Like,what's missing

Jasson Casey

So, there's a little bit of a what's the right way of describing it? Some of these nebulous areas right? these unspecified areas are intentionally unspecified and it's kind of that classic battle between how much does a standard specify versus how much should it leave room for companies to innovate, right? So the utility, the usefulness of a standard is if it exists and companies actually comply to it, customers have more interoperable choice, right? They don't have to go with homogenous systems, they can, you know buy the best monitor and then buy the best keyboard and buy the best host bus, et cetera right? If the standard specifies too much then it takes a bit away from innovation. For instance, if I'm a chip manufacturer and a memory manufacturer and I have some interesting ideas about how to really speed up memory access by programs in my CPU it might be useful for me to have a non-standard interface that doesn't necessarily break the standard but gives me that additional facility to where I can kind of do my special stuff.

There's no difference in any standard, all standards are kind of that interplay between how much do I leave open for mixing and matching, versus how much room do I leave for people to innovate. And in FIDO, I think you can kind of see that through things like different device enrollments, right? So, I can be FIDO compliant and still not have a secure solution, right? FIDO doesn't imply security. FIDO just specifies how to interact with a couple protocols. It's really up to companies to implement things properly. But, FIDO also doesn't really specify how to recover from device loss, how to enroll new devices without people coming up with implementations where you keep your password in your head and you keep logging in with your password to kind of buy new devices. That's super, clunky from a usability perspective. There's no, there's no trail of evidence that's irrefutable on what was the authorization that allowed a new device to be bound, right?

Remember, the reason we like hardware anchored credentials is they can't move, right? They can't be stolen, they never end up anywhere which means we have hard evidence and providence of where an authorization came from, right? So, if one device authorizes a credential for another device we now have a chain that's cryptographically linked that ties those two things together that makes forensics nicer, that makes forensics much more likely to stand up under scrutiny. Whereas, you know, using old school authentication techniques like passwords to then enroll additional devices it breaks that chain, it breaks the utility and it kind of really begs the reason of why are you doing it in the first place. Again, FIDO doesn't really specify how you should do those things. It's up to companies to exercise common sense when they're either building the products or integrating the products to build out their service.

Reece Guida

Got it. So it's up for them to navigate the great unknown.

Husnain Bajwa

And to that end I think what we see is a lot of divergence and roadmaps. So right now, if you look at like, what we're talking about and what we're working on, a lot of that work is focused on the enterprise and building enterprise grade solutions, and extending these technologies and meaningful ways that don't compromise fundamental security promises. And that's not necessarily where FIDO's focuses today right? Like they're focused on the problems of the billions and we're focused on the problems of the 70 million global 2000 employees.

Reece Guida

Yeah, So just like any dog, you know know FIDO can be a good boy in some cases and a bad dog in other cases. Well, we'll see how the the training goes in terms of security for FIDO. Thank you guys for weighing in on this today and let's see what the future holds, not just for FIDO but also for next week's hot takes. Stay tuned and thanks for listening in. Please smash the subscribe button so I can feel good about myself. Thanks.