FIDO Alliance: The Road Ahead for Authentication

Megan Shamas of the FIDO (Fast Identity Online) Alliance, an open industry association dedicated to advancing modern authentication standards to reduce the world’s over-reliance on passwords, shares the organization’s viewpoints and predictions for how authentication will change in the coming several years and how to get ahead of that change.


Hi, everyone. I'm Megan Shamas, and I run market adoption programs for the FIDO Alliance. We're the standard organization for authentication. If you're not familiar with us, I would urge you to learn more about us and get involved if you'd like. 

Really want to thank Beyond Identity for having me today and just for hosting the series around zero trust. I think this is a great topic. I think that there is some misconceptions around it, and I hope that part of the goal today will be to help you get on the zero trust journey and clarify some of those misconceptions. Today, I just want to spend a few minutes with you talking about how we at the FIDO Alliance look at authentication and why it might be necessary for you to rethink some of the ideas that you have around authentication if you want to achieve zero trust for your own organization. 

So, let's get started. So, first, of course, we do understand... I think we can all agree that authentication is a fundamental component of any zero trust strategy, but words like strong authentication and MFA, they get thrown out as, you know, the imperative or the foundation for a zero trust strategy. But you might be thinking, "Well, what? What does that mean?" 

You may think of multiple factors. You may think something you are, something you know, something you have, something you sing, something you dance to. Multiple steps, right? This is how we've historically looked at making authentication or the way that we sign in stronger. But in today's world, what we see is that these historical ways of looking at authentication, they cannot hold up in a zero trust approach, right? 

So, I think it's very commonly known that a single-factor password isn't going to be sufficient for, you know, strengthening our sign-ins. But because it's easily phished, it's easily guessable, easy given away. It's used in reused across services. The burden falls on the user to create and change them, but phishing still continues to be the biggest threat to the internet in terms of account takeover. 

And what we've done is we've built factors on top of this password foundation that now what we're seeing are being attacked as well. We're looking at these as...we call these MFA bypass attacks, and they're successful and they're really not all that sophisticated. They're pretty easy. So, you see phishing for passwords. 

Well, now you have phishing for SMS OTP codes. You have push fatigue attacks, and these attacks are only becoming more prevalent. And what the common thread is that we're continuing to rely on phishable authentication factors. This place is a burden on the user to have to provide something. It is something that is easily giveawayable, trademarked by me, so let's not think we can use that without permission, but these are things that are just easy for us to give away. 

And it's not the user's fault, this is just human nature. And these attacks focus on our good nature to want to be helpful and give what is being asked of us, right? But I want to be clear about one thing. So, you might hear a lot about MFA bypass attacks and the danger of them, but let's be clear that this is MFA bypass attack can only happen and be successful when the password is already known, right? 

So, that account has already been compromised, and now it's getting the additional factor. And so what do we learn from this? We have built layers upon layers over a phishable foundation, which is the password. And so we want to change the way that we look at this, right? And at FIDO, that's exactly what we're. 

We need to rethink this whole idea of strong authentication or multi-factor authentication if we're ever going to get to zero trust, right? We have to look at this idea of having phishable layers on top of a phishable first factor, which is the password, and we need to move to looking at actually replacing the phishable first factor with something that's fundamentally phishing-resistant and strong. 

And that is what we're doing at the FIDO Alliance. These are the standards that we're aiming to create and see mass adoption for. Phishing-resistant authentication is a term that I would love to see us all using on a regular basis instead of terms like strong authentication or MFA. It is phishing-resistant authentication, and that is what we need to get to if we're ever going to achieve zero trust. 

The FIDO approach and our standards leverage public key cryptography and user-initiated sign-ins with your device capabilities, whether that's a biometric or on-device PIN, or you can leverage an external device like a FIDO security key. But the main message is that this is a fundamentally phishing-resistant way to sign in. And so we're moving from the historical ways that we've all understood authentication to really flipping that on its head and introducing a new phishing-resistant way to authenticate. 

So, how does the FIDO approach actually achieve phishing resistance? This is the quick version. If you'd like the complete 101, we're happy to provide that. You can look on our website, but there's two major things. So, the first thing is, is replacing that password with public/private key pairs that are unique to every service. 

So, it's phishing-resistant. The user cannot use and reuse that across sites. So, that's, kind of, getting rid of one of those, sort of, user issues that we've seen with regard to the phishable authentication factors that we used in the past. And then what is the real unique factor of FIDO or the unique component of FIDO is that the keys are bound to the domain at creation. 

So, even if I really wanted to give it to a spoofed site, if I really wanted to provide that, it simply will reject that sign-in completely because that is not the domain at which that key was created. And that is a big part of why FIDO is phishing-resistant. And so what we've been seeing, it's not just us who are recognizing the need for this, but we're really seeing a lot of high-profile awareness from government, from the private industry, like, you know, folks like Beyond Identity, really understanding the nuances of this and really highlighting the importance of phishing resistance more and more across the guidance that they're creating. 

So, from OMB zero trust strategy, which specifically calls out phishing resistance and FIDO to NIST. So, NIST recently put out their latest draft for 800-63-4 which also calls out the importance of phishing-resistant and the subsequent blog that they posted that Andrew and Ryan from NIST published is a really good read. 

I really would urge folks to take a look at that. But they're really, really being clear that if you really want to protect your assets, protect your users, it has to be phishing-resistant for authentication, of course, and then in CISA as well. So, we really want to thank Jen Easterly and her remarkable team for the work that they're doing. They have been very clear around their guidance on MFA that FIDO is the gold standard for authentication and the need to create and offer phishing-resistant authentication and of course that FIDO is the only phishing-resistant authentication available today. 

So, in summary, remember what we looked at before. All I would urge you all to do is understand that phishing resistance should be the foundation for your zero-trust strategy. Any authentication solutions that you're looking at and implementing as part of your zero trust strategy insist upon phishing resistance and as the first control and the most important foundation for zero trust. 

So, thank you so much for having me today, and I look forward to engaging with you. If you would like to contact me, my email address is right here. And, again, thank you to Beyond Identity for having me today.