Tackling the Password Problem with FIDO2 and WebAuthn

This week's opinion piece is by John Gilbert, GM & Regional VP of Sales at Yubico

With daily news of data breaches and stolen passwords, it’s more important than ever for businesses to ensure their employees’ accounts at work are properly protected – especially since usernames, passwords and credit card numbers are frequently targeted by criminals through phishing attacks.

The consequences of such attacks can be dire – not just for the affected individual, but for the company they work for as well. For example, attackers might target an employee to steal trade secrets, or convince an executive with spending authority to wire money. Many of these phishing attacks are designed to open a door through which much larger thefts of data can be perpetrated, leaving the organisation vulnerable to regulatory fines, loss of business and reputational damage.

Passwords are no longer the answer. Despite being used by most individuals and business users today, usernames and passwords are usually stored on centralised servers, which makes them a single, high-value target that increasingly organised and capable cybercriminals can breach. On a usability level, passwords are inherently flawed. Research found that employees reuse an average of five passwords across their business and personal accounts. This means that once a cybercriminal gets hold of one of these valuable credentials, it could unlock multiple accounts.

If passwords aren’t cutting it, where do we go from here? 

The limits of two-factor authentication

Two-factor authentication (2FA) is increasingly recognised as the method of choice to boost account protection beyond a username and password. In short, it requires individuals to use a combination of two different security factors. These can be something you have (a hardware token or phone), something you know (a password, PIN or knowledge-based question), or something you are (a face, voice or fingerprint read by a biometric sensor).

While 2FA has notable security benefits, there are barriers to adoption. Some of the current 2FA methods can be cumbersome for users or are still vulnerable to phishing-based credential theft attacks. Plus, 2FA still doesn’t get rid of passwords. Remember, these are factors in addition to a username and password. It’s this level of complexity that is slowing widespread uptake. 

Given the shortcomings of existing 2FA methods, industry leaders are beginning to redefine modern authentication with new open standards. These offer simple user experiences, widespread accessibility, ease of global adoption, strong phishing-resistant protection and, best of all, passwordless logins.

Building the framework for passwordless authentication

WebAuthn, which launched earlier this year, is widely regarded as the first globally accepted standard for web authentication. WebAuthn is a key component of the FIDO2 authentication standard (which is built on public key cryptography) and delivers vastly improved levels of convenience and security. It is on track to be supported by all platforms and browsers, marking a major milestone in the history of internet security.

WebAuthn is an open standard API that offers users a choice of strong authenticators based on their individual preferences, which could include security keys, built-in biometric sensors, or a combination of both. For service providers, WebAuthn introduces the option to support strong single-factor, two-factor, or multi-factor authentication. A service can, for instance, choose to replace standard username and password logins with a much stronger form of single-factor authentication. This expanded choice of authentication flows also allows personalisation: services can select the authentication model that best suits their use cases and customers. As a result, organisations can take a risk-based approach to their security by relaxing authentication controls for lower-risk environments and stepping them up for higher-risk environments.

Given that much of our personal and professional lives now exist online, the need for stronger security has never been more apparent. We’re witnessing a change in the tide, and with users and the industry ready to embrace resilient, high-integrity, and easy-to-use authentication, the outlook looks bright for a passwordless future.