(upbeat music)
- Hi, I'm Pamela Dingle, Director of Identity Standards
at Microsoft and I'm here today to talk to Andrew Shikiar.
He is the Executive Director and CMO at the FIDO Alliance.
Andrew, it's really great to have you here.
- Thank you, it's very nice to be here.
- So tell me what FIDO stands for.
- So FIDO stands for Fast IDentity Online
and FIDO Alliance is a standards organization
that's creating open standards for better,
simpler, stronger user authentication.
In general, what you find is that a number of competitors
in any space, or collaborators,
see the need to work together
on a piece of technology
that's really core to all their businesses,
where it makes more sense to collaborate
than try to differentiate.
And so when FIDO was formed,
there was a data breach challenge which persists today.
And what FIDO's founders realized
is that the core problem associated with data breaches
comes down to user authentication.
So you know, a dependence on passwords,
a dependence on shared secrets that sit on a server.
And so what FIDO is fundamentally trying to do,
is change the way people authenticate
from one that is server-side shared secrets,
to a model where consumers
and users can authenticate locally
to devices that they use every day.
- You talk about asymmetric public-key cryptography.
How does FIDO match that super fancy cryptography
with something people can use?
- There are two main ways of authenticating users, right?
So one, the traditional way of passwords
or shared secrets, has both usability and security problems.
So it's funny when I travel
and I talk to people about passwords
and I say we're trying to get rid of passwords
as part of what we're doing,
no one's ever said that's a bad idea, right?
I think all of us as consumers and as users,
can understand the challenge of passwords.
The key thing to understand
is that this data sits on the server, right?
Anything on a server can be spoofed, it can be hacked,
it's susceptible to phishing.
The other problem associated with this kind of password
is that once they're stolen, they can be reused.
There's a massive market out there
for used credentials on the dark web
and that leads to something we call credential stuffing.
The statistics around stuffing are staggering.
For ecommerce sites, up to 90% of attempted logins
are stuffed logins.
Stuffing is at least over 95% of account takeovers.
- What exactly is credential stuffing?
- So that's when someone goes on the dark web
and buys a username-password combination, right?
So we hear about these massive data breaches,
like the Yahoo data breach for example,
and I was one of those 3 billion identities that was stolen.
And you know, the damage to me from Yahoo,
doesn't really matter, right?
The worst they could do
is, like, mismanage my fantasy football team.
But the real damage is,
if I use that same username, password on my bank
or on other sites.
And the scary thing is there's around
a one to two percent success rate, right?
So you're talking about billions
of stuffing attempts per day with,
say even 1% success rate.
That's a massive number of successful logins
that shouldn't be happening.
Which is why it's costing US businesses alone
over $5 billion a year.
- If you use the same password for your bank
as you use for anything else,
you should go change it right now.
- So there's basic password practices,
which Microsoft does a good job of articulating
and educating people on.
Any MFA, right?
Any sort of MFA, even SMS OTP,
which we'll talk about in a second,
eliminates 99% of account takeover.
- MFA is multi-factor authentication,
and the whole idea is it's not just one thing.
If you use a password, you're using a thing you know,
that's only one, what we call a factor.
With multi-factor authentication,
you can use something you know or something you have,
you know, your phone for example.
And then the other one is something you are,
which is biometrics, meaning you're gonna use your face
or your thumbprint, stuff like that, right?
- So FIDO is solving the problem by creating standards,
as we're creating the standards
for FIDO authentication, right?
So again, it leverages that big word,
asymmetric public-key cryptography.
But what that really means is that
instead of putting a password on a server,
we use a key pair, and it's called a private key,
which sits with you on your device, and a public key,
which sits on a server.
Unlike a password, the public key has no material value.
All right, so some hacker comes in
and steals a whole raft of public keys.
There's nothing that could be done with those.
And now when I go to log in,
once I'm set up in the FIDO account, I have to unlock,
basically activate the private key on my device
and I can do that by a biometric
or any sort of way of verifying myself to my device,
which I can uniquely do,
and then that key pair can be matched.
There's a lot of data exchange in that interchange
that's unique to the website, unique to the private key,
that makes it such that only you,
with that device can log into that site.
- I mean, this is sort of the "Holy Grail"
of authentication.
It should be easy for the user and it should be really,
really difficult for the hacker.
And that of course does not happen with passwords.
Passwords tend to be really hard for users
and really easy for hackers.
- So if you look at this from a business standpoint,
you know passwords are a liability, right?
So you're basically managing,
if you're managing consumer identities,
managing tens or hundreds of millions
of very valuable pieces of information which are at risk,
they're sitting on a server.
So that's a major liability.
There's also a usability issue for businesses.
If people can't remember a password,
passwords lead to like half of shopping cart abandonments.
So that's money on the table that you're not getting,
'cause people can't log in.
For consumers, the risk is identity theft,
account takeover, bad charges, all the negative things
that happen when your identity is stolen.
And then you know, you look at new form factors, right?
So I just redid my house,
and I have all these smart TVs,
I'm trying to log in to smart TVs
and remembering my passwords,
'cause it's all password based.
I can remember my passwords
'cause I have my own approach to it.
But then entering it with remote controls is like
the Seventh Realm of Hell.
- It's terrible (chuckles).
- It's horrible.
It's a bad experience, right?
So again, trying to simplify the user experience
while providing a more secure user experience
is really what FIDO's very much focused on.
- I mean we've talked about public-key cryptography
and all this great sort of thing,
but what is it that users actually get to see
and do that is so much better than passwords?
- Consumers have gotten accustomed to using a biometric
on a device every day, right?
At first it was unnatural
to unlock your phone with a thumbprint
rather than tapping in a passcode.
Or also sometimes in enterprise, you'll get a security key.
They come in a number of form factors
from a USB key to NFC cards, whatever it may be,
that allows you to use that as a second factor
or as a primary source of logging in as well.
- I mean, that sounds great, but I'd love to see one,
do we have any here?
- As a matter of fact, we do.
- Wow!
- I travel with a pocket full of security keys
out of best practice.
These are some examples of these.
So this is a USB transport.
- Let me see, I will play hand model.
- This one actually uses a FIDO certified mark,
which I like them doing.
So we certify these devices,
to show that they truly do interoperate with each other.
So this is a FIDO2 security key.
It has both the USB where you just have to touch it,
and it also has a biometric scanner too.
- So it literally doesn't work
unless you scan your fingerprint?
- Correct, correct.
So it's an even higher level of authentication
than just proving presence.
- That's great.
- This one is a Bluetooth model.
It supports Bluetooth and I think NFC.
You just click it.
- So basically you don't have to plug this in obviously.
So you would pair it with your laptop
and then it would just magically ask you to touch it.
- They ask you to insert or activate your FIDO security key.
In this case, you just press that button.
That'll communicate via Bluetooth to your laptop
or your tablet or your smartphone.
Speaking of smartphones, this one has a USB-C,
which is good for modern laptops,
but also for a lot of Android devices these days,
or any device that has USB-C power.
Whereas initially, I think it's fair to say,
that the security keys are primarily used
on the desktop in the enterprise.
What we're seeing now is these innovations
to bring security keys to mobile phone users
and device users as well.
- I don't know if you can see this,
but there's these little touchpoints on either side.
The whole idea is you always have
to have a human gesture in FIDO.
So it can't just be all computers.
There has to be a human element.
So you plug it in, and then when you're prompted,
you just touch the side and then you're logged in.
- And last but not least, this is, I love this one.
This could also serve as an employee badge.
You have a badge, it gets you in the door,
but you can now have that same badge
that gets you in the door,
it can also be your FIDO security key.
So, communicating by NFC or Bluetooth to your laptop
as a security key.
There's even like a little USB thing
that's fixed in there as well.
It's an incredibly--
- Is this awesome, or is this awesome?
- It's awesome, so you think about perimeter security,
logical security, access security,
all those things are built into one key.
This is a tiny sampling.
We have over 600 FIDO certified products on the market.
And depending on your use-case
or your company's use-case,
you can bring a blend of these into the enterprise.
- What we love about it at Microsoft is that,
we can get out of the business
of making authenticators, right?
We can build to a standard
and then the standard allows
anyone who wants to build something to be enabled.
So for us we feel like it fosters innovation by being open.
- It all comes back to the benefit of standards
and collaboration.
- Microsoft participates, Google participates,
Apple participates, all of these big companies.
So how do they work together to make this happen?
- It starts with specifications, right?
So we have technical specifications
that underlie FIDO authentication.
The specifications are developed mutually
amongst these large companies
and then they're ratified and eventually,
we test products on top of that
through the Interop Certification Test.
- I know on the part of Microsoft,
we feel like FIDO Alliance is incredibly strategic to us,
for this very reason that you can't replace passwords
with one proprietary solution.
If we're gonna change the way
that people represent themselves online,
we have to do it across the board.
It has to work everywhere all the time.
And so you should be able to log in on an Apple computer
to authenticate to a Microsoft service
that then takes you across on Google browser
and maybe uses an additional key
made by a small manufacturer
that happens to make the right kind
of security paradigm work for a customer.
And certainly for Microsoft,
we really believe in getting the world
to a place where they can use anything they want,
anytime they want and anywhere they want.
- Absolutely, and there's a commitment, right?
It's not just a financial and a verbal commitment,
but there's a product commitment.
So last year, in 2019,
we saw major platforms start to support FIDO and FIDO2.
Right, so led by Microsoft with support of FIDO2
in Windows Hello.
We know that any Windows 10 PC
now has FIDO capabilities built in.
It's amazing.
- So great.
- Android, so Google making Android,
you know the same thing basically.
So any Android 7.0 or later handset,
can serve as a FIDO authenticator.
So both these instances, that means
that when the service provider supports FIDO,
they could allow me to authenticate
with the platform authenticator,
with that biometric on my PC,
with that biometric on my Android phone.
- Right, it's collaborative security.
That's what I love about it.
- Absolutely.
- We use standards so that there's no advantage either way
for anyone, but everyone can participate.
- All right, so now we have billions of devices
that are FIDO capable.
Every web browser now is FIDO capable.
And I think our next challenge as an organization
is enabling deployments, right?
So best practices for how you deploy to consumers?
- I would love to see what this might look like.
These are cool.
- Yeah, they're cool.
- How do they work?
- One example would be like Google services,
which has long supported FIDO authentication.
When I go to log in to Google,
I'm then prompted to show my security key.
And my security key can be any of these things.
So if I take this USB key, for example,
I just insert this in the USB port
and I touch this to prove that I'm physically present
with that device.
- So I brought my key, this is the one I use every day.
So you can see it's a slightly different key
from the ones we've seen.
So every morning I open my laptop,
use my finger on the reader and I go to work.
Nothing gets in the way,
I don't have to pull anything out of my bag,
but the one time maybe my fingerprint doesn't work,
I pull out my security key, plug it in
and I can still go to work.
So it gives you this flexibility.
- Absolutely, and it's also good
in the event you've changed your laptop.
So speaking of fingerprint, on my Pixel phone,
I could log into eBay, for example.
eBay has enabled FIDO2 at point of login on Android.
Instead of asking for a password, now I just use my fingerprint.
- Right, I think the value proposition for FIDO
that's really important for people to understand,
is we're talking about mixing
and matching all of the vendors, all of the hardware.
- And it's not just getting rid of,
forcing a user to enter a password,
what FIDO does is fundamentally change that.
It has further security for the user
and for the service provider
that's actually invisible to the user at this point.
And a big part of what FIDO does also
is protect user privacy.
I think it's very important.
All my credentials stay local in my device.
Whether it's my biometric or a PIN code, whatever it is,
that's never transmitted over the internet.
It's not sitting on a server, no one has access to that
other than the encrypted key on your device.
- So one of the things that Microsoft takes very seriously
is diversity and inclusion.
And we have a lot of work that we do in our products
and around the world on accessibility and inclusion.
So how do you feel FIDO Alliance helps move us
in that direction?
- Yeah, when you move to strong authentication,
simplicity is really important, right?
Especially for like emerging markets or more at-risk,
cohorts of society, many of these people don't have a password
or they're using a device for the first time.
So they need to have systems
that allow them to securely access identity credentials
and online services,
without putting them at risk of being phished.
- I think the worldwide availability of this
is an advantage as well,
because you don't have to buy an expensive solution.
You can in fact use things like,
the hardware that comes with your laptop.
- Right now in India, people use SMS OTP
to verify log transactions,
which has really poor deliverability rate.
Almost 80%, but that's still 20% of transactions
have a hard time being consummated.
And so we have vendors who are now bringing us
into market in India, where instead of doing that,
you just use the local PIN code on the device.
So it's not a biometric,
so you don't need a super high end device.
The PIN code leveraging the FIDO model is just as good
'cause it's local and it can't be transmitted or stolen.
- All of these different authenticators
can evolve to meet different markets too, right?
- Absolutely, absolutely.
A little closer to home,
we look at the aging population here in the US
or kids in the US, right?
They have unique needs also
and we need to protect these people
from getting taken advantage of.
And we think that FIDO is one way
that they can very easily learn how to authenticate,
without having to take on the risk of passwords
or getting phished.
- Has there ever been a time
where this kind of inclusion has hit you personally?
- I have two little girls
and they're in an elementary school
and I walked them in the first day of school this year
and everyone got a Chromebook and they're like okay,
go to the wall, and there's your name, there's your device,
there's your password on the wall.
Is it a huge thing?
Not necessarily, but it's teaching bad password hygiene,
but also it puts them at risk.
It's a tough challenge, right?
And so the reason why they have that password thing there
is because otherwise the kids will forget it.
So this goes to like, what's FIDO?
How would FIDO do this?
I wouldn't trust her school district to share
and store my kids' biometrics, let alone most of their data.
But with the FIDO authentication approach,
they certainly could actually use a biometric
on those devices, which are all biometric equipped
and log in that way rather than having to
have shared passwords across the classroom.
- Well I wanted to ask you about something fun.
Something you do for a good time around the house.
So, tell me what kinds of books you're reading.
- So a book I read recently,
which resonated with me strongly,
was a book called "A Woman of No Importance."
It's a story of a woman by the name of Virginia Hall,
in the 1930s.
She's an American woman
from actually a nice family in Baltimore.
She had a thirst for adventure.
She went to Europe and really found herself in Europe,
then the war was coming.
She somehow found herself being at the tip of the spear
of the resistance against the Nazis.
What she did was so successful
and it got to the point
where she was the number one most wanted spy,
being pursued by the Nazis.
Amazing story, and she did all this, mind you, on one leg,
not to try to bring us back to FIDO,
but all of us inside the FIDO Alliance,
I think we have a little missionary thing about us, right?
I think I'm going back to the diversity inclusion theme.
I think the fact that she was a woman held her back.
She actually had to fight all the institutional sexism,
but after her service,
she never really got the recognition she deserved.
- Well, thank you so much for spending your time,
talking about what we're working on,
and I just wanna say on behalf of Microsoft,
that we really enjoy working in the Alliance
and it feels like this is a big deal.
It feels like we are pushing towards a world
where we can actually eliminate passwords.
- Well, thank you for having me and thanks to Microsoft
for the support of the Alliance.
I can say unequivocally
that without Microsoft's kind of staunch support of FIDO
and everything we're doing,
not just from a technical standpoint,
but from a marketing and branding standpoint,
and really helping educate the world about FIDO.
Without that support,
I don't think we would be as far along as we are.
(upbeat music)