CYBER SECURITY

The FIDO Open Standard

The FIDO Alliance, an open industry association, has created open standards for passwordless authentication to online and mobile services. Its most prevalent standard, FIDO2, was developed with the World Wide Web Consortium (W3C) and became a web standard in March 2019. Such authentication leverages public-key cryptography, i.e. a public key that can be shared with anyone, and the associated private key that is held securely by the owner within the ‘authenticator’ on their device, such as a mobile phone, a computer or a security key. When users authenticate to a site supporting FIDO, they first verify their identity or their presence with a simple action, such as scanning a fingerprint or touching a security device. Then the website and the user’s authenticator conduct a challenge-response to verify that the user is in possession of the correct private key. Each service uses a unique key pair, and the private key never leaves the user’s device.

Proceed With Caution

While these new technology alternatives to passwords are promising, there is a need to proceed with caution, says Bissell. “I am eager for the introduction of the passwordless era but I also know that with every new innovation comes things we didn’t think about. If biometric technologies such as facial recognition and fingerprinting are compromised it is not like having your password hacked. I can’t choose another one. I am who I am. I am a little worried about that. Some security experts are saying ‘let’s jump right in.’ I say ‘let’s go’ but let’s be very cautious and thoughtful about the way we do this and not deploy without testing innovation and having compensating controls.”

What should companies be thinking about when considering a move to passwordless authentication?
“The technology teams, business leaders, and even regulators need to understand that this is different from what they are used to with passwords and they really need to be aware that new technologies like biometrics need to be protected differently than passwords,” says Bissell. Companies should factor in the geographical spread of their customers because jurisdiction matters as privacy and security rules differ not just by region but in some cases by country. They also need to think about how and when they want to phase in the new technologies, recognizing that passwordless authentication might have to - at least temporarily - co-exist with legacy systems. “You should understand how this may impact the user experience,” he says. “I suggest companies work out all the kinks internally and get it right before using it with customers. And when you get it right, test it by attacking the new solution as bad actors would. Remember, just because you think you got it right doesn’t mean you actually got it right.” J.L.S.

TheInnovator #12 | Davos 2020 - Page 31