FIDO Authentication Standard is Ready for Government Agencies and Contractors
I attended the “Future of Cybersecurity Forum” in Washington, D.C. sponsored by the FIDO Alliance, Electronic Transactions Association (ETA), Cybersecurity Alliance, and the Coalition for Cybersecurity Policy and Law. Speakers and panelists included Jeremy Grant, Venable/Coalition for Cybersecurity Policy and Law, Michael Kaiser, Executive Director, National Cybersecurity Alliance, Brett McDowell, Executive Director, FIDO Alliance, Scott Talbott, SVP – Government Relations, Electronic Transactions Association. It was all about authentication.
A few gems from their opening remarks:
The “Lock Down Your Login” campaign is an effort to raise awareness of, and ultimately the security of, user logins, urging users to “Stop. Think. Connect.” This campaign is ongoing with the help of Michael Kaiser and the National Cybersecurity Alliance, who are training the House and Senate on “lock down your login”.
Analysis of cybersecurity hacks reveals that 80% of those hacks were achieved through successful password attacks. This serves as proof that we as a society, as a country, cannot continue to rely on passwords only. Two-factor authentication must be deployed yesterday if you haven’t already done so.
Account take-over fraud has been spiking over the past 24 months since the EMV card has pushed fraud to more vulnerable channels such as mobile and online, again suggesting the need for two-factor authentication (2FA) for online accounts.
The Uber breach was due to the failure to use 2FA for their cloud storage service. The missing piece of account login security is 2FA.
The keynote speaker was Terrell McSweeny, Commissioner, US Federal Trade Commission, who laid out the direction the government is taking on cybersecurity to shore up weak spots throughout the various agencies. One of the most promising things is the ability to use FIDO tokens once FIDO is approved by NIST.
Next up was the panel for “The Evolution of the Authentication Market”, with Adam Lewis, Office of the CTO, Motorola, Brett McDowell, FIDO Alliance, Ellen Nadeau, Cyber Policy Strategist, NIST and Andy Seymour, DoD PKI Manager, US Department of Defense CIO.
NIST has funded 24 private sector grantee organizations for Multifactor Authentication solutions.
Regarding FIDO, Adam Lewis stated, “There is nothing I’m more excited about in the cybersecurity space.”
Andy Seymour of the DoD stated that authentication on legacy systems is a big challenge, and that because everything [in the DoD and/or government] is based on PKI, the transition to a new authentication model is even more challenging.
I really enjoyed the featured speaker, Jim Routh, CISO, Aetna (one of our customers and former CISO of Amex). He is very smart, energetic, and has created the most advanced authentication model in the healthcare industry, if not on the entire planet.
Two things he had to “un-learn”:
- Choose a risk framework, roles, and strategies, then deliver. Wrong! One stakeholder group didn’t buy into it: hackers. Instead, you should drive controls based on risk and on changes in attack vectors.
- He thought about authentication as an “event”, with binary control (either you are authenticated or you are not). Instead, Aetna built authentication into customer interactions with continuous (transparent) authentication.
Aetna, with opt-in user permission, continuously analyzes 30-60 attributes which are assessed and scored: things such as physical location, time of access, fingerprint, how you hold your phone, keystroke speed, how you walk, etc. Your risk score determines how much access, and what kind of access, to provide to you. He stated that FIDO is a way to give consumers a choice. Great takeaways!
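To make the continuous, score-driven model concrete, here is a small risk-based authentication scorer as an added illustration. It is not Aetna's system, not code from the original post, and not FIDO Alliance code; the attribute names, the per-user baseline, the weights and the access thresholds are all constructed assumptions. Each interaction is re-scored rather than treated as a single binary event, a fresh FIDO assertion lowers the score, and a device that passes a step-up is trusted for the rest of the session.

```python
"""Toy continuous, risk-based authentication scorer (added example).

Not Aetna's system or any FIDO Alliance code. Every attribute, weight and
threshold below is a constructed assumption used only to show the shape of
"score attributes continuously, let the score decide the access level".
"""

# Constructed baseline for one user: what "normal" looks like for them.
BASELINE = {
    "usual_countries": {"US"},
    "usual_hours": range(6, 23),      # local hours the user is normally active
    "typing_ms_per_char": 120.0,      # mean inter-keystroke interval
    "device_ids": {"phone-A"},        # devices previously registered
}

# Weight of each signal in the final score (sums to 1.0, so the score is in [0, 1]).
WEIGHTS = {
    "location": 0.30,
    "time_of_access": 0.10,
    "device": 0.25,
    "keystroke": 0.20,
    "fido_assertion": 0.15,
}

# Each scorer maps a request context to a risk contribution in [0, 1].
def score_location(ctx, base):
    return 0.0 if ctx["country"] in base["usual_countries"] else 1.0

def score_time(ctx, base):
    return 0.0 if ctx["hour"] in base["usual_hours"] else 1.0

def score_device(ctx, base):
    return 0.0 if ctx["device_id"] in base["device_ids"] else 1.0

def score_keystroke(ctx, base):
    # Relative deviation of typing cadence from the baseline, capped at 1.0.
    expected = base["typing_ms_per_char"]
    return min(abs(ctx["typing_ms_per_char"] - expected) / expected, 1.0)

def score_fido(ctx, base):
    # A fresh assertion from a registered FIDO authenticator removes this risk.
    return 0.0 if ctx.get("fido_verified", False) else 1.0

SIGNALS = {
    "location": score_location,
    "time_of_access": score_time,
    "device": score_device,
    "keystroke": score_keystroke,
    "fido_assertion": score_fido,
}

# Decision thresholds (constructed): the higher the score, the less access.
FULL_MAX = 0.25      # below this: full access
LIMITED_MAX = 0.60   # below this: limited (e.g. read-only) access;
                     # at or above: require a fresh FIDO assertion (step-up)

def risk_score(ctx, base=BASELINE):
    """Weighted sum of the per-signal risks, in [0, 1]."""
    return sum(WEIGHTS[name] * scorer(ctx, base) for name, scorer in SIGNALS.items())

def access_decision(score):
    if score < FULL_MAX:
        return "full"
    if score < LIMITED_MAX:
        return "limited"
    return "step_up"

def evaluate(ctx, base=BASELINE):
    """Score one interaction and return (score, decision)."""
    score = risk_score(ctx, base)
    return score, access_decision(score)

def evaluate_session(events, base=BASELINE):
    """Continuous mode: every interaction is re-scored, so access can drop
    mid-session and recover after a step-up. A verified FIDO assertion
    enrolls the current device for the rest of the session (copy only; the
    global baseline is never mutated)."""
    base = dict(base)
    base["device_ids"] = set(base["device_ids"])
    results = []
    for ctx in events:
        if ctx.get("fido_verified", False):
            base["device_ids"].add(ctx["device_id"])
        results.append(evaluate(ctx, base))
    return results

# Constructed request contexts.
NORMAL_CTX = {"country": "US", "hour": 14, "device_id": "phone-A",
              "typing_ms_per_char": 125.0, "fido_verified": True}
NEW_DEVICE_CTX = {"country": "US", "hour": 14, "device_id": "laptop-X",
                  "typing_ms_per_char": 125.0, "fido_verified": False}
ANOMALOUS_CTX = {"country": "FR", "hour": 3, "device_id": "laptop-X",
                 "typing_ms_per_char": 300.0, "fido_verified": False}

if __name__ == "__main__":
    for name, ctx in [("normal", NORMAL_CTX), ("new device", NEW_DEVICE_CTX),
                      ("anomalous", ANOMALOUS_CTX)]:
        score, decision = evaluate(ctx)
        print(f"{name:>10}: score={score:.3f} -> {decision}")
    step_up = dict(NEW_DEVICE_CTX, fido_verified=True)
    print("session:", evaluate_session([NEW_DEVICE_CTX, step_up, NEW_DEVICE_CTX]))
```

The design point is in `evaluate_session`: the decision is recomputed on every interaction, and a FIDO assertion is one input among several rather than the whole answer, which is why the anomalous context still lands on "step_up" and a new device only earns full access after the user has proved possession of their authenticator.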
Liz Votaw of Bank of America and her group deployed Behavioral Biometrics for their mobile users (creepy AND convenient). They even baked a FIDO mobile client into their mobile banking app, enabling the user to touch the fingerprint sensor to release a FIDO token.
Finally, Grant Dasher of Google touted their commitment to the new FIDO standard and discussed their experience rolling out FIDO USB tokens to all of their employees, replacing OTP authenticators (the Google Authenticator mobile app and fobs). Google had already enabled FIDO as an option in the Two-Step Verification security feature offered to their hundreds of millions of users. Gotta eat your own dog food!
In summary, this was a very informative and positive update on the future of cyber security, which is being written into new policy and new laws for our government agencies and their contractors, as well as into general guidelines for all other businesses that care about not getting hacked.
For more information, reach out to me for the latest in authentication technologies including FIDO enablement and the elimination of passwords, and DFARS authentication compliance.