“Websites that are trying to get eyeballs can’t really force their users to do anything,” said Gary McGraw, CTO of Cigital. “Twitter has two-factor authentication (2FA) now, but you don’t have to use it. You just should. The most you can do is ask nicely – otherwise it’s an economic conflict of interest.”
Vishal Gupta, CEO of Seclore, said that while he believes the masses will adopt a different form of authentication if it is faster and easier, he still thinks it can’t be forced and will be “a long journey.”
“It’s very similar to chip-and-pin cards vs. magnetic strip cards, and a lot of enterprises will have to come together to make this happen,” he said.
Indeed, even Brett McDowell, the Alliance’s executive director, agrees that, “forcing web service providers to do anything is a non-starter.”
But he said FIDO, which now has nearly 250 member organizations, isn’t trying to force anything. The group’s goal is to make it irresistible – “to deliver a solution they (providers) will be eager to implement because it is in their self-interest to do so,” he said.
An authentication system that improves the user experience, he said, “will sell itself to service providers.”
The user-experience pitch, on the FIDO website, certainly makes it look easy. There are two possible methods:
- UAF (User Authentication Standard) simply requires the user to make a transaction request and then present a biometric, such as a fingerprint.
- U2F (Universal Second Factor) requires a login and password on the local device, and the user then inserts a USB dongle and presses a button on it to complete the transaction.
McDowell said the game-changing difference is that, unlike passwords, authentication credentials are, “always stored on – and never leave – the user’s device. An attacker would physically need the user’s device in hand even to attempt an attack. This doesn’t scale, and is therefore not viable for financially-motivated attackers.”
Not to mention that, if effective, it eliminates the threat from those in other countries – even those in the next town.
The problem with passwords, he said, is not the passwords themselves but that they are “shared secrets” held by both individual users and on the servers of online providers where they can be – and have been – hacked, by the hundreds of millions. And it gives the hacker, “passwords to use against other servers.”
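A stripped-down model of the U2F-style exchange described above, added here as an illustration and not code from FIDO or any vendor: the device keeps an ECDSA private key that never leaves it, the website stores only the public key, and each login signs a fresh server-issued challenge, so a breached server table holds no reusable secret and a captured response cannot be replayed. The function names and the P-256/SHA-256 choices are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device models the user's authenticator: the private key is generated here and never leaves.
type Device struct{ priv *ecdsa.PrivateKey }

// Register creates the keypair on the device and hands the website only the public half,
// which is all the website ever stores. Leaking that table yields nothing usable for login.
func Register() (*Device, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, &priv.PublicKey, nil
}

// NewChallenge is the website's fresh random nonce for one login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign is the "press the button" step: the device signs a hash of the challenge.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}

// Verify is the website's check: the response is valid only for the registered key and
// this exact challenge, so a response captured in one login fails against a later one.
func Verify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	dev, pub, _ := Register()
	c1, _ := NewChallenge()
	sig1, _ := dev.Sign(c1)
	c2, _ := NewChallenge() // a second login gets a different challenge
	fmt.Println("fresh login accepted:", Verify(pub, c1, sig1))
	fmt.Println("replayed response accepted:", Verify(pub, c2, sig1))
}
```

The real U2F protocol additionally binds the signature to the website's origin and includes a signature counter so cloned authenticators can be detected; this toy omits both.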
McDowell contends that UAF and U2F are much faster and more convenient for users, since authenticating involves simply, “touching a sensor, looking at a camera, or wearing a wristband, etc. It is definitely faster than passwords, and much faster and more convenient than traditional forms of two-factor authentication like one-time passwords (OTPs).”