Time to deploy strong authentication, says Fido

Time to deploy strong authentication, says Fido
January 23, 2019
https://www.computerweekly.com/news/252456321/Time-to-deploy-strong-authentication-says-Fido

The State of Strong Authentication 2019 Report (PDF): https://1nmqmp2u9dgf3jo9centu6rq-wpengine.netdna-ssl.com/wp-content/uploads/2019/01/The-State-of-Strong-Authentication-2019-Report.pdf

 

They've been saying that since 2014 for u2f and Fido 1. Progress has been glacial in terms of supporting sites and Chrome-only browser support.

The report seems to me to make 2 dubious claims.

The first is that a lot of companies think they need to support strong authentication, and that regulation is pushing them to actually respond. I'd say that our beloved regulators have been as supine and complicit as for everything else, there are no meaningful penalties for negligent authentication, and no pressure to compel strong authentication as an option. Until that happens, expect progress to be as glacial as before.

The second is the claim that customers demand biometrics. Some customers might want that, presuming they know what their talking about. But most just take biometrics because that's what's foist on them and is nominally convenient. It's particularly the case with smartphones, which do not have easy separate hardware token authentication to the handset, or it's a separate token. We all know the issues with biometrics. Even where one might accept biometrics, there is insufficient assurance that the biometric data stays local, is well protected, and also can be repudiated.

The only rays of sunshine in this sorry state of affairs are:

• browser support looks to be wider for Webauthn/Fido2 (Edge has an implementation and FF is supposed to support it)
• fido2 is compatible with U2f/fido1 (though this introduces complexity and also maybe vulnerabilities)
  
• Visa are now involved (including some patents), which might enforce use of these standards for the payment systems, and ripple-out from that.

I'm afraid I'm not holding my breath, much as I'd like to believe it will happen over the next 2 years - there's too much power wrested by the website operators who definitely don't want a privacy-respecting solution.

 

Where possible "vote with your feet". Find (if possible) a company that supports FIDO and then make sure your current company knows why you are leaving them. Give them a brief chance to harden their connection OR just leave. If enough did that change would happen at a much faster pace. Right now its painfully slow.