Intelligent CISO Issue 35 | Page 27

Editor's question

WILL A PASSWORDLESS FUTURE HELP US ENSURE EFFECTIVE CYBERSECURITY?

In one of our previous issues, we asked industry experts if a passwordless future will help us ensure effective cybersecurity. We had so many responses that we are looking at the issue again. To kick off this second instalment, here's the response from Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance.

Passwords are vulnerable and a shift away from them is a must for robust cybersecurity. According to the World Economic Forum, the average consumer keeps track of more than 191 pairs of usernames and passwords. The challenge is that passwords are hard to remember and keeping track of hundreds of passwords makes it almost impossible. This is why most people tend to reuse the same passwords, or they make minor variations of a few passwords. Currently, about 80% of data breaches occur due to poorly managed, easily guessed or stolen passwords.

In the IoT space, there is a greater need for passwordless authentication. IDC estimates that there will be 41.6 billion connected IoT devices globally by 2025, opening up opportunities for increased efficiencies. Yet, lack of IoT security standards and typical processes such as shipping with default password credentials and manual onboarding leave devices, and the networks they operate on, open to large-scale attacks.

In recent years, MFA was introduced. In MFA, another element – such as an OTP – other than the password itself, is needed to authenticate the user. This was thought to be bullet-proof as there is an additional layer of security. However, password-based MFA can still be compromised. Even time-synchronised OTPs are vulnerable, as they leverage the same shared-secret approach that passwords use, which is susceptible to hacking and phishing attacks.

One possible solution is passwordless MFA standards. FIDO Alliance, for instance, developed an MFA standard that can help thwart attacks while delivering a secure and user-friendly experience. The alliance – an industry consortium with 250+ member and partner organisations around the world – was founded in July 2012 with the goal to develop open industry standards for simpler, stronger authentication, while addressing the problems users face with managing multiple usernames and passwords.

FIDO's standards are designed around public key cryptography and the way it works is pretty simple. A pair of keys is generated when a user registers with an online service. The public key is then used to verify the private key in a two-step authentication method – a process that guards information from unauthorised revelation and access as only the user has access to the private key, which cannot be tracked by hackers, and the information never leaves the local device. Users can then have more control during their logins and don't have to worry about account takeovers. More importantly, these standards are phishing-proof.

The FIDO standard has already been adopted by companies around the world, including major technology vendors like Apple, Dropbox, Google, Twitter and LINE. Most of us may already be using these seamless and secure login methods when we log in to our email accounts or access our bank accounts online.

Bill Gates said way back in 2004 that passwords cannot meet the challenge of keeping critical information secure. He predicted the demise of traditional passwords and the decreasing reliance on passwords then. Yet, passwords continue to be used even to this day, despite many industry experts agreeing that they should be replaced. We have made some progress in reducing the reliance on passwords but more still needs to be done. It is crucial for companies to continue educating their users and stakeholders on the risks of traditional passwords and the importance of moving to a passwordless future. Only then can a better and more secure user experience be realised. This future is already within reach – backed by leaders in their field and supported by devices all over the world – now, all we have to do is take the next step.
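The registration-and-login flow the response describes, as an added example rather than FIDO Alliance's own code: a simplified WebAuthn-style exchange in Go in which the device keeps a private key per relying-party host, the browser only releases a credential to a page at that host, and the service's challenge and the origin are bound into what is signed, so a look-alike domain has nothing to sign with and a replayed assertion for a different challenge fails. The `Authenticator`, `clientData` and `Verify` names, the `https://` prefix stripping and the challenge values are assumptions for this illustration; real WebAuthn also signs authenticator data with a counter and uses its own encodings, omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"strings"
)

// Authenticator keeps one private key per relying-party host; the key never leaves the device.
type Authenticator struct{ Keys map[string]*ecdsa.PrivateKey }
// Register generates a key pair for host; only the public key is sent to the service.
func (a *Authenticator) Register(host string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.Keys[host] = priv
	return &priv.PublicKey, nil
}
// clientData is what gets signed: the service's challenge plus the origin the browser saw.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}
// BrowserGet models the browser rule that a page may only use the credential registered
// for its own host, so a look-alike phishing domain has no key to sign with.
func (a *Authenticator) BrowserGet(origin string, challenge []byte) (cdJSON, sig []byte, ok bool) {
	host := strings.TrimPrefix(origin, "https://") // constructed shortcut; browsers parse the full URL
	priv, found := a.Keys[host]
	if !found {
		return nil, nil, false
	}
	cdJSON, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	digest := sha256.Sum256(cdJSON)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return cdJSON, sig, err == nil
}
// Verify is the relying party's check: its own challenge, its own origin, valid signature.
func Verify(pub *ecdsa.PublicKey, origin string, challenge, cdJSON, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Origin != origin || string(cd.Challenge) != string(challenge) {
		return false
	}
	digest := sha256.Sum256(cdJSON)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

The service must draw a fresh random challenge per login and reject any assertion whose origin or challenge is not its own; that pair of checks, not the signature alone, is what makes the flow resistant to phishing and replay.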