Subtitles section Play video Print subtitles (upbeat music) - Hi, I'm Pamela Dingle, Director of Identity Standards at Microsoft and I'm here today to talk to Andrew Shikiar. He is the Executive Director and CMO at the FIDO Alliance. Andrew, it's really great to have you here. - Thank you, it's very nice to be here. - So tell me what FIDO stands for. - So FIDO stands for Fast IDentity Online and FIDO Alliance is a standards organization that's creating open standards for better, simpler, stronger user authentication. In general, what you find is a number of competitors, in any space or collaborators see the need to work together on a piece of technology that's really core to all their businesses, where it makes more sense to collaborate than try to differentiate. And so when FIDO was formed, there was a data breach challenge which persists today. And what FIDO's founders realized is that the core problem associated with data breaches comes down to user authentication. So you know, a dependence on passwords, a dependence on shared secrets that sit on a server. And so what FIDO is fundamentally trying to do, is change the way people authenticate from one that is server-side shared secrets, to a model where consumers and users can authenticate locally to devices that they use every day. - You talk about asymmetric public-key cryptography. How does FIDO match that super fancy cryptography with something people can use? - There are two main ways of authenticating users, right? So one, the traditional way of passwords or shared secrets, has both usability and security problems. So it's funny when I travel and I talk to people about passwords and I say we're trying to get rid of passwords as part of what we're doing, no one's ever said that's a bad idea, right? I think all of us as consumers and as users, can understand the challenge of passwords. The key thing to understand is that this data sits on the server, right? Anything on a server can be spoofed, it can be hacked, it's susceptible to phishing. The other problem associated with this kind of password is that once they're stolen, they can be reused. There's a massive market out there for used credentials on the dark web and that leads to something we call credential stuffing. The statistics around stuffing are staggering. For ecommerce sites, up to 90% of attempted logins are stuffed logins. Stuffing are at least over 95% of account takeovers. - What exactly is credential stuffing? - So that's when someone goes on the dark web and buys a username-password combination, right? So we hear about these massive data breaches, like the Yahoo data breach for example, and I was one of those 3 billion identities that was stolen. And you know, the damage to me from Yahoo, doesn't really matter, right? At worst they could do is like mismanage my fantasy football team. But the real damage is, if I use that same username, password on my bank or on other sites. And the scary thing is there's around a one to two percent success rate, right? So you're talking about billions of stuffing attempts per day with, say even 1% success rate. That's a massive number of successful logins that that shouldn't be happening. Which is why it's costing US businesses alone over $5 billion a year. - If you use the same password for your bank as you use for anything else, you should go change it right now. - So there's basic password practices, which Microsoft does a good job of articulating and educating people on. Any MFA, right? Any sort of MFA, even SMS OTP, which we'll talk about in a second, eliminates 99% of account takeover. - An MFA is multifactor authentication, and the whole idea is it's not just one thing. If you use a password, you're using a thing you know, that's only one, what we call a factor. With multi-factor authentication, you can use something you know or something you have, you know, your phone for example. And then the other one is something you are, which is biometrics, meaning you're gonna use your face or your thumbprint, stuff like that, right? - So FIDO is solving the problem by creating standards, as we're creating the standards for FIDO authentication, right? So again, it leverages that that big word, asymmetric public-key cryptography. But what that really means is that instead of putting a password on a server, we use a key pair, and it's called a private key, which sits with you on your device and a public key, sits on a server. Unlike a password, the public key has no material value. All right, so some hacker comes in and steals a whole raft of public keys. There's nothing that could be done with those. And now when I go to log in, once I'm set up in the FIDO account, I have to unlock, basically activate the private key on my device and I can do that by a biometric or any sort of way of verifying myself to my device, which I can uniquely do, and then that key pair can be matched. There's a lot of data exchange in that interchange that's unique to the website, unique to the private key, that makes it such that only you, with that device can log into that site. - I mean, this is sort of the "Holy Grail" of authentication. It should be easy for the user and it should be really, really difficult for the hacker. And that of course does not happen with passwords. Passwords tend to be really hard for users and really easy for hackers. - So if you look at this from a business standpoint, you know passwords are a liability, right? So you're basically managing, if you're managing consumer identities, managing tens or hundreds of millions of very valuable pieces of information which are at risk, they're sitting on a server. So that's a major liability. There's also a usability issue for businesses. If people can't remember a password, passwords lead to like half of shopping cart abandonments. So that's money on the table that you're not getting, 'cause people can't log in. For consumers, the risk is identity theft, account takeover, bad charges, all the negative things that happen when your identity is stolen. And then you know, you look at new form factors, right? So I just redid my house, and I have all these smart TVs, I'm trying to log in to smart TVs and remembering my passwords, 'cause it's all password based. I can remember my passwords 'cause I have my own approach to it. But then entering it with remote controls is like the Seventh Realm of Hell. - It's terrible (chuckles). - It's horrible. It's a bad experience, right? So again, trying to simplify the user experience while providing a more secure user experience is really what FIDO's very much focused on. - I mean we've talked about public-key cryptography and all this great sort of thing, but what is it that users actually get to see and do that is so much better than passwords? - Consumers have gotten accustomed to using a biometric on a device every day, right? For at first it was unnatural to unlock your phone with a thumbprint rather than tapping in a passcode. Or also sometimes in enterprise, you'll get a security key. They come in a number of form factors from a USB key to NFC cards, whatever it may be, that allows you to use that as a second factor or as a primary source of logging in as well. - I mean, that sounds great, but I'd love to see one, do we have any here? - As a matter of fact, we do. - Wow! - I travel with a pocket full of security keys out of best practice. These are some examples of these. So this is a USB transport. - Let me see, I will play hand model. - This one actually uses a FIDO certified mark, which I like them doing. So we certify these devices, to show that they truly do inter-operate with each other. So this is a FIDO2 security key. It has both the USB where you just have to touch it, and it also has a biometric scanner too. - So it literally doesn't work unless you scan your fingerprint? - Correct, correct. So it's an even higher level of authentication than just proving presence. - That's great. - This one is a Bluetooth model. It supports Bluetooth and I think NFC. You just click it. - So basically you don't have to plug this in obviously. So you would pair it with your laptop and then it would just magically ask you to touch it. - They ask you to insert or activate your FIDO security key. In this case, you just press that button. That'll communicate via Bluetooth to your laptop or your tablet or your smartphone. Speaking of smart phones, this one has a USB-C, which is good for modern laptops, but also for a lot of Android devices these days, or any device that has USB-C power. Whereas initially, I think it's fair to say, that the security keys are primarily used on the desktop in the enterprise. What we're seeing now is these innovations to bring security keys to mobile phone users and device users as well. - I don't know if you can see this, but there's these little touchpoints on either side. The whole idea is you always have to have a human gesture in FIDO. So it can't just be all computers. There has to be a human element. So you plug it in, and then when you're prompted, you just touch the side and then you're logged in. - And last but not least, this is, I love this one. This could also serve as a employee badge. You have a badge, it gets you in the door, but he can now have that same badge that gets you in the door, it can also be your FIDO security key. So, communicating by NFC or Bluetooth to your laptop as a security key. There's even like a little USB thing that's fixed in there as well. It's an incredibly-- - Is this awesome or is this it's awesome? - It's awesome, so you think about perimeter security, logical security, access security, all those things are built into one key. This is a tiny sampling. We have over 600 FIDO certified products on the market. And depending on your use-case or your company's use-case, you can bring a blend of these into the enterprise. - What we love about it at Microsoft is that, we can get out of the business of making authenticators, right? We can build to a standard and then the standard allows anyone who wants to build something to be enabled. So for us we feel like it fosters innovation by being open. - It all comes back to the benefit of standards and collaboration. - Microsoft participates, Google participates, Apple participates, all of these big companies. So how do they work together to make this happen? - Starts with specifications, right? So we have technical specifications that underlie FIDO authentication. The specifications are developed mutually amongst these large companies and then they're ratified and eventually, we test products on top of that through the Inter-op Certification Test. - I know on the part of Microsoft, we feel like FIDO Alliance is incredibly strategic to us, for this very reason that you can't replace passwords with one proprietary solution. If we're gonna change the way that people represent themselves online, we have to do it across the board. It has to work everywhere all the time. And so you should be able to log in on an Apple computer to authenticate to a Microsoft service that then takes you across on Google browser and maybe uses an additional key made by a small manufacturer that happens to make the right kind of security paradigm work for a customer. And certainly for Microsoft, we really believe in getting the world to a place where they can use anything they want, anytime they want and anywhere they want. - Absolutely, and there's a commitment, right? It's not just a financial and a verbal commitment, but there's a product commitment. So last year, in 2019, we saw major platforms start to support FIDO and FIDO2. Right, so led by Microsoft with support of FIDO2 in Windows Hello. We know that any windows 10 PC now has FIDO capabilities built in. It's amazing. - So great. - Android, so Google making Android, you know the same thing basically. So any Android 7.0 or later handset, can serve as a FIDO authenticator. So both these instances, that means that when the service provider supports FIDO, they could allow me to authenticate with the platform authenticator, with that biometric on my PC, with that biometric on my Android phone. - Right, it's collaborative security. That's what I love about it. - Absolutely. - We use standards so that there's no advantage either way for anyone, but everyone can participate. - All right, so now we have billions of devices that are FIDO capable. We have every web browser now is FIDO capable. And I think our next challenge as an organization is enabling deployments, right? So best practices for how you deploy to consumers? - I would love to see what this might look like. These are cool. - Yeah, they're cool. - How do they work? - One example would be like Google services, which has long supported FIDO authentication. When I go to login to Google, I'm then prompted to show my security key. And my security key can be any of these things. So if I take this USB key, for example, I just insert this in the USB port and I touch this to prove that I'm physically present with that device. - So I brought my key, this is the one I use every day. So you can see it's a slightly different key from the ones we've seen. So every morning I open my laptop, use my finger on the reader and I go to work. Nothing gets in the way, I don't have to pull anything out of my bag, but the one time maybe my fingerprint doesn't work, I pull out my security key, plug it in and I can still go to work. So it gives you this flexibility. - Absolutely, and it's also good in the event you've changed your laptop. So speaking of fingerprint, on my Pixel phone, I could log into eBay, for example. eBay has enabled FIDO2 at point of login on Android. Instead of asking for a password, now I just my fingerprint. - Right, I think the value proposition for FIDO that's really important for people to understand, is we're talking about mixing and matching all of the vendors, all of the hardware. - And it's not just getting rid of, forcing user to enter a password, what FIDO does is fundamentally change that. It has further security for the user and for the service provider that's actually invisible to the user at this point. And a big part of what FIDO does also is protect user privacy. I think it's very important. All my credentials stay local in my device. Whether it's my biometric or a PIN code, whatever it is, that's never transmitted over the internet. It's not sitting on a server, no one has access to that other than the encrypted key on your device. - So one of the things that Microsoft takes very seriously is diversity and inclusion. And we have a lot of work that we do in our products and around the world on accessibility and inclusion. So how do you feel FIDO Alliance helps move us in that direction? - Yeah, when you move to strong authentication, simplicity is really important, right? Especially for like emerging markets or more at-risk, cohorts of society, many these people don't have a password or they're using a device for the first time. So they need to have systems that allow them to securely access identity credentials and online services, without putting them at risk of being phished. - I think the worldwide availability of this is an advantage as well, because you don't have to buy an expensive solution. You can in fact use things like, the hardware that comes with your laptop. - Right now in India, people use SMS OTP to verify log transactions, which has really poor deliverability rate. Almost 80%, but that's still 20% of transactions have a hard time being consummated. And so we have vendors who are now bringing us into market in India, where instead of doing that, you just use the local PIN code on the device. So it's not a biometric, so you don't need a super high end device. The PIN code leveraging the FIDO model is just as good 'cause it's local and it can't be transmitted or stolen. - All of these different authenticators can evolve to meet different markets too, right? - Absolutely, absolutely. A little closer to home, we look at aging population here in the US or kids in the US, right? They have unique needs also and we need to protect these people from getting taken advantage of. And we think that FIDO is one way that they can very easily learn how to authenticate, without having to take on the risk of passwords or getting phished. - Has there ever been a time where this kind of inclusion has hit you personally? - I have two little girls and they're in an elementary school and I walked them in the first day of school this year and everyone got a Chromebook and they're like okay, go to the wall, and there's your name, there's your device, there's your password on the wall. Is it a huge thing? Not necessarily, but it's teaching bad password hygiene, but also it puts them at risk. It's a tough challenge, right? And so the reason why they have that password thing there is because otherwise the kids will forget it. So this goes to like, what's FIDO? How would FIDO do this? I wouldn't trust her school district to share and store my kids' biometrics, let alone most of their data. But with the FIDO authentication approach, they certainly could actually use a biometric on those devices, which are all biometric equipped and log in that way rather than having to have shared passwords across the classroom. - Well I wanted to ask you about something fun. Something you do for a good time around the house. So, tell me what kinds of books you're reading. - So a book I read recently, which resonated with me strongly, was a book called "A Woman of no Importance." It's a story of a woman by the name of Virginia Hall, in the 1930s. She's an American woman from actually a nice family in Baltimore. She had a thirst for adventure. She went to Europe and really found herself in Europe, then the war was coming. She somehow found herself being at the tip of the spear of the resistance against the Nazis. What she did was so successful and it got to the point where she was the number one most wanted spy, being pursued by the Nazis. Amazing story, and she did all this, mind you, on one leg, not to try to bring us back to FIDO, but all of us inside a FIDO Alliance, I think we have a little missionary thing about us, right? I think I'm going back to the diversity inclusion theme. I think the fact that she was a woman held her back. She actually had to fight all the institutional sexism, but after her service, she never really got the recognition she deserved. - Well, thank you so much for spending your time, talking about what we're working on, and I just wanna say on behalf of Microsoft, that we really enjoy working in the Alliance and it feels like this is a big deal. It feels like we are pushing towards a world where we can actually eliminate passwords. - Well, thank you for having me and thanks to Microsoft for the support of the Alliance. I can say unequivocally that without Microsoft's kind of staunch support of FIDO and everything we're doing, not just from a technical standpoint, but from a marketing and branding standpoint, and really helping educate the world about FIDO. Without that support, I don't think we would be as far along as we are. (upbeat music)
B1 US password authentication security microsoft device usb Inside Identity: Moving to a passwordless world with the FIDO Alliance 7 0 Eric Chen posted on 2022/07/01 More Share Save Report Video vocabulary