Global Group
The Best Partner for You


We create technological value for the prosperous life of our customers.

Support ArticlesStay up-to-date on company and partner news, product tips, and industry trends.

#FIDO #FIDO2.0 Feb 29, 2024
FIDO 2.0's Answer to Credential Vulnerabilities

In an era where digital security is paramount, the persistent reliance on passwords remains a significant vulnerability for enterprises globally. FIDO 2.0 emerges as a timely solution, reimagining credential authorization using available technologies.

Legacy credential systems, rooted in the Internet 1.0 era, increasingly expose organizations to sophisticated AI-backed cyber threats. The 15% increase in attacks against Indian organizations, now averaging 2,138 attempts per week, can largely be attributed to these poorly secured credentials. As companies and industries continue to thrive throughout India and the region, security teams benefit from implementing new credential approaches, such as FIDO 2.0 stands from the very implementation of their networks. 

Despite CISOs and cybersecurity practitioners' efforts in network security, advanced authentication implementation, and staff training on cyber hygiene, it still only takes a single breach to bring operations to a halt.

Changing the credentials status quo

Despite diverse authentication methods, the prevalent use of alphanumeric codes for logins continues to compromise organizational security.

Recent years have particularly highlighted these faults in the Asia Pacific region. This has resulted in:

-    31% of global attacks as its digital transformation continues at a rapid clip across sectors.
-    The most hit sectors were governments, absorbing the brunt of 22% of the attacks
-    49% of all attacks led to the compromise of sensitive information, with 27% of successful attacks disrupting core organization operations. 

This goes beyond the financial and personal burden put on people as they try to understand if their information is compromised. 

In the past, these attacks were successfully conducted by identifying a vulnerability within a system and exploiting it using relevant tactics. However, today companies face two main threats, phishing attacks and device compromise.

Phishing attacks

The Microsoft breach was completely avoidable had they followed the FIDO2 standard, which they offer on their products and even required on their company GitHub. 

It speaks volumes about the harm of relying on legacy credential authentications. With the compromise of a single account through successful phishing attempts, hackers were able to put hundreds of organizations at risk– and the problem is scaling.

AI has significantly scaled and refined the accuracy of phishing attacks. While in the past, it involved blasting our poorly-written emails to many users, today’s attacks bring together AI-crafted messaging together with SMS push notifications and other forms of seemingly unthreatening behavior.
This has lowered the barrier of entry for threat actors, allowing them to wield greater technology without needing to have the technical know-how of how to exploit vulnerabilities. Instead, they can just ask employees to hand over the keys to the kingdom by clicking on a ‘change password’ link, responding to a seemingly harmless text, or putting in credentials to get rid of pesky messages that look just as if they are coming from the company’s IT department.

Once in, the threat actor has full access to whatever the tricked user had– but take note: while within a network, information can be extracted and permissions elevated by curating just the right message with AI once again. This evolution in phishing attacks not only represents a technological shift but also a critical operational risk for organizations.

Implementing FIDO2 removes the risk of a SIM Swap attack, IdP MITM Phishing attacks, Push bombs, OTP MITM attacks, password spraying and lost/reused credentials.

Device compromise

Organizations permitting remote work or personal device use face an additional security layer– unfamiliar devices.

IT operators have always struggled to identify and approve all devices on a network– again relying on usernames, passwords, and perhaps some other alphanumeric authentication technique. The danger lies in the possibility that these two-factor authentication methods may also be compromised alongside user credentials.

Adding to the compilation, single sign-on has grown in popularity, but if a user is compromised, so too are their profiles created across all the tools that they have given access to the single point. Even with examples of organizational approved SSO with a secure environment, no matter how secure those APIs and authentications are, if the front door is still secured with a username, password, and alphanumeric authentication then the risk is still ever-present

Ironically, much of the hardware distributed within organizations already features secure, uncompromisable biometric capabilities. This makes device compromise not just a technical challenge, but a significant operational vulnerability.

FIDO 2.0- Elevating authentication and standards

This failure to evolve login credentials along with other technologies has been acknowledged by Google, Microsoft, Amazon, Apple, and others. To address the security gap and prevent organizations from falling victim to credential attacks, the FIDO alliance created new standards that leverage the existing on-chip security needed to properly authenticate both individual users and the devices they are operating on.

Examples of devices that are already in the workplace today and conform to Fast IDentity Online 2.0 (FIDO) are those that already require some kind of biometric or token authentication. This includes those with facial recognition, fingerprint, or physical device tokens such as a card or NFC wand.

The strength of this system lies in its symmetry between user devices and software authentication. Similar to leading smartphones’ advanced authentication, FIDO 2.0 mandates reciprocal verification by organizations based on established approvals and credentials.

By adding this layer of protection, the username and password combinations that we rely on become only one part of a more complicated authentication process in an organization's overall security posture and a significant hurdle to threat actors.
Securing endpoints and the cloud
As phishing attacks continue to target all users, it’s no surprise that the big prize lies in penetrating corporations. 

Given the availability of these capabilities on corporate devices (and adaptability for older ones), urgent action by management to adopt these standards is essential to prevent potential multi-million dollar crises.

The integration of FIDO 2.0 standards isn't just a technological upgrade; it's a strategic imperative to fortify digital defenses in an increasingly interconnected world.


Why is FIDO2 more secure than Username/Password?

While I explored the inherent weakness in using a username/password authentication, FIDO2 relies on both a stronger authentication process.

To begin, each device or hardware token must be individually enrolled to allow FIDO2 authentication - this is done by creating a public/private key pair. In the case of an iPhone paired with a commercial identity provider like MS Entra ID or OKTA, the user interface will walk a user through this enrollment process. 

How it works under the hood: The public key portion is saved into the web service and assigned to the user identity. On the user device side, the private key is stored within the phone or laptop secure enclave. Upon user authentication to their enrolled web services, the web service prompts for the user for the “Passkey” (the private key stored within the phone or laptop), the user will then be prompted to unlock the device’s secure enclave allowing the private key to be used to complete the challenge/response part of the authentication process. The private key never leaves the device and is much more secure than a traditional username/password. 

Even though usernames and passwords will be used alongside FIDO2 authentication for some time into the future, in a FIDO2 implementation they can not be used without the private key challenge/response piece of the authentication process, this means that if the username/password is lost or stolen, it is of little value and can’t alone be used for authentication.

Source :
By Josh Blackwelder, Deputy CISO at SentinelOne

#password #fido #passkey #MFA Feb 06, 2024
The end of passwords – and how businesses will embrace it

​by Kate O'Flasherty published 2024 Feb 02 


What will the end of passwords look like in practice and what can businesses do to prepare?


It’s widely accepted that passwords are a flawed means of security. People use weak credentials; they can be forgotten, guessed, or exposed in breaches and they’re often reused across services. 

Big tech firms including MicrosoftApple and Google have been moving towards a passwordless future for several years, with solutions such as security keys and more recently, passkeys, starting to take off as part of multi-factor authentication (MFA) setups. 

The FIDO Alliance – which most big tech players are members of – is pushing hard for the demise of the password. But what exactly does “the end of the password” mean, in practical terms?

The idea is to eliminate dependence on passwords as a “primary mechanism for user authentication”, says Andrew Shikiar, executive director and CMO at the FIDO Alliance. In practical terms, this means the end of using knowledge-based “secrets” as the foundation to create, sign in, and recover online accounts, he says. 

“Passwords simply aren’t fit for purpose to protect today’s connected economy. They are too burdensome for humans to manage effectively and too easy for attackers to leverage to hack into corporate networks.”


The end of passwords: Strong alternatives

There are multiple systems that could help usher in the end of passwords, but no one solution is perfect. For example, biometrics can be secure but come with their own downsides, says Michael Jenkins, CTO at ThreatLocker. “Windows uses facial recognition, which can unlock too quickly, so you might walk away and leave your laptop exposed while it’s still unlocked.”

Fingerprint systems are a lot harder to get around, he says. “But the downside is, it may ask for your PIN number instead. These are a lot easier to guess.”

Passkeys, meanwhile, are “a great idea”, but they still need to be implemented across every website and application, says Darren James, a senior product manager at Specops Software. In addition, they can’t be used for initial login to a device and they aren’t very portable unless you store them on a token – which can be lost, broken, or stolen.

Handling passkeys is very different from passwords, says Mark Stockley, senior threat researcher at Malwarebytes. “Both users and support staff are likely to be less familiar with them, which is a speed bump to adoption.”

Yet Shikiar argues that implementing passkeys for MFA is fairly simple and won’t require most businesses to completely overall their pre-existing security processes. This is because the core functionality is built into the majority of end-user computing devices, enterprise software stacks, and identity management services, he says.

“Many organizations are already using identity management solutions such as Microsoft Entra ID, which already has support for these solutions built-in,” concurs Mark Lomas, technical architect at Probrand. 

However, the end of passwords will be easier in some sectors and businesses than in others. It is important to recognize that certain sectors could be forced to continue to use passwords, says Stewart Parkin, global CTO at Assured Data Protection. “Organizations with legacy systems may be challenged in integrating new technologies, while regulatory requirements in certain industries can create the need to continue password-based authentication.”

Software not tied to modern authentication solutions won't be able to take advantage of modern passwordless solutions, or be linked to Entra ID, says Lomas. “It's typically legacy software that will be unable to make the switch. In this case, you'll need to find other routes to add protection, such as hosting the application in a virtual desktop environment like Azure Virtual Desktop and ensuring that access is protected by a passwordless login solution.”


The end of passwords: A future-proof successor

While there are multiple alternatives to passwords, passkeys are the only successor that “has the same availability and ubiquity”, says Shikiar. Therefore, they are the only currently available means to fully replace passwords, he says.

“Passkeys are built on open standards created within the FIDO Alliance and based on tried and tested cryptographic protocols,” says Shikiar. In addition, the technology is supported by all big tech and is device and operating system-agnostic, he says.

Passkeys are “far and away the best password alternative for online authentication”, agrees Stockley. “They are secure, easy to use and the cost of implementation is likely to get lower as they become more widely supported.”

But it’s important to realize that as we approach the end of passwords, replacements will have to compete with passwords which are themselves universally understood and very cheap to implement. “That's really hard,” says Stockley. “They're an authentication standard that dates from an era when managing low computing resources was the priority. Users understand them, support teams know how to support them and developers know how to implement them.”

Taking this into account, while some organizations may eventually go passwordless altogether, for now, many are supplementing passwords with MFA, says Steven Furnell, IEEE senior member and professor of cyber security at the University of Nottingham.

In the future, he predicts a mixed authentication setup will be the main choice for many businesses. “Some systems and services could use traditional passwords, some MFA, and some passwordless.”

Shikiar says there is “no need for any company to hang onto passwords”, but he does concede they will need to be “phased out over time”.  Initially, companies may keep them to help with account recovery until other possession-based factors are established, says Shikiar. If you do decide to make further moves away from passwords, the transition will depend on the organization, says Shikiar. “Many will have disparate legacy systems to grapple with, while for others it is more straightforward.”

When taking the plunge, Shikiar recommends a prioritization exercise. “Discover those systems that can migrate most easily and are most urgently in need of higher security.”

Transitioning from a password-centric security model requires a systematic approach, says Parkin. Organizations should begin with a comprehensive assessment for risk management, followed by pilot implementations in less critical areas, he says. “The integration of multi-factor authentication as an interim step can pave the way for a more seamless transition.”


Businesses can also take a “privileged user” approach by identifying employees with access to sensitive applications, and examining who is the most vulnerable to attacks, says Shikiar. “Migrate these users to phishing-resistant authentication as soon as possible and from there, you can start to work your way across the wider employee base.” 

Forum Questions Future of Digital Identity, Path Forward

Panelists at a recent policy forum said passkeys with detection-enabled biometrics make for a more secure online future, but accessibility and digital equity concerns must be addressed.

January 29, 2024 • 



With data breaches that compromise personal info soaring — 2023 was a record year in the U.S., one report found — new methods of verifying identities are almost certainly on their way.

These will avoid reliance on passwords, Social Security numbers or other knowledge-based methods, thus helping diffuse the danger of stolen personally identifying information, said several panelists during a recent policy forum co-hosted by the Identity Theft Resource Center (ITRC).

“The era of reliable identity verification based solely on knowledge and personal information is over,” said forum speaker, Caitlin Clarke, senior director for cybersecurity at the White House’s National Security Council.

Finding reliable and secure ways to verify identities online is an issue of increasing importance for state government. It touches many areas of modern state government work, from stopping unemployment insurance fraud to keeping children from accessing adults-only content online. A growing number of states are also exploring whether digital, mobile drivers' licenses (mDLs) can bolster privacy.

This all makes new methods of verification vital. One is multifactor authentication, which is more secure than passwords alone, said FIDO Alliance Executive Director Andrew Shikiar, but he argued that passkeys are more secure yet, and strong enough to stand alone as a factor. Passkeys synced across devices via the cloud can also provide a smoother user experience, because people don’t have to re-enroll each separate device in the authentication method, and may bypass problems such as a user physically losing devices.

Individuals use passkeys to approve the login attempt on their devices by entering the same PIN or biometric they use to unlock that device, per the FIDO Alliance. Speakers also homed in on the potential benefits of biometric authentication and identification.

ITRC Chief Operating Officer James Lee advocated facial comparison-based user verification, which he emphasized was different from facial recognition. According to the ITRC, the key difference is that facial comparison compares a person’s selfie or live image against the photo of them on their ID, whereas facial recognition compares a face to those in a database of many faces.

But biometric checks must be handled carefully.

For one, checks must include liveness detection otherwise the system can be tricked, said Stephanie Schuckers, director of Clarkson University’s Center for Identification Technology Research. That means using sensors, accelerometers or challenge-and-response interactions to confirm it’s a real person, not a photo, video or deepfake.

Accessibility is a key concern, too. Not everyone has a smartphone or other device suited to capturing biometrics, Lee said.

Some cautioned against using biometrics as a primary solution, noting organizations must plan against something going wrong and collect only as much data as absolutely necessary. Otherwise the details they store could become a honeypot for hackers.

Schuckers said using approaches like the FIDO protocol enables biometric information to remain on users’ devices, avoiding organizations storing that information themselves.

Organizations can use still more methods too. The Social Security Administration (SSA)’s electronic Consent-Based Social Security Number Verification System is one example. It lets individuals permit a bank to contact the SSA to verify that identity details match those on file, said Jeremy Grant, coordinator for the Better Identity Coalition.

That model could be applied more widely, beyond just the financial sector. Grant’s Better Identity Coalition released a new report detailing policy recommendations and assessing government’s efforts thus far. The report praised federal promotion of multifactor authentication, but said the U.S. needs to do more to develop systems for digitally proofing identities across all sectors.

The report also urged the White House to create a task force of state, local and federal agencies focused on closing gaps between physical and digital credentials. The coalition urged federal agencies to ramp up efforts to create standards and guidance that could help states debut “remote identity proofing applications” for digital credentials like mDLs, as well as provide states with grant funding. Grant also praised mDLs programs, while advocating increased focus on using them to support online verifications.

The Better Identity Coalition’s report also cautioned that efforts to promote digital identity must not overlook the challenges of people who struggle to get core, physical ID documents.

Ben Roberts is director of Foundry United Methodist Church’s Social Justice Ministries, which runs an ID Ministry program helping community members get identification documents. Roberts said during the panel that people who are homeless often have their documents destroyed or stolen. And replacing documents can be difficult due to the fees, transportation and long wait times.

Still, plenty of trust-building may need to happen before residents are comfortable with government retaining and vouching for their ID data


[source:government technology. 2024.Jan.29 Jule Pattison-Gordon]


FIDO Alliance study reveals growing demand for password alternatives as AI-fuelled phishing attacks rise


Increased desire for biometrics and awareness of passkeys increases imperative on service providers to enable stronger, more user-friendly sign-ins

  • Password usage without two-factor authentication (2FA) is still dominant across use cases – consumers enter a password manually nearly 4 times a day, or 1,280 times a year

  • But when given the option, users want other authentication methods – biometrics is both the preferred method for consumers to log-in and what they believe is most secure, while awareness of passkeys continues to grow

  • Online scams are becoming more frequent and more sophisticated, likely fuelled by AI – over half (54%) have seen an increase in suspicious messages and scams, while 52% believe they have become more sophisticated

  • The impact of legacy sign-in methods is getting worse – the majority of people are abandoning purchases and giving up accessing services online – this is 15% more likely than last year at nearly four times per month per person

The FIDO Alliance today publishes its third annual Online Authentication Barometer, which gathers insights into the state of online authentication in ten countries across the globe. New to the Barometer this year, FIDO Alliance has also begun tracking consumer perception of threats and scams online in a bid to understand anticipated threat levels globally.

The 2023 Online Authentication Barometer found that despite widespread usage of passwords lingering on, consumers want to use stronger, more user-friendly alternatives. Entering a password manually without any form of additional authentication was the most commonly used authentication method across the use cases tracked – including accessing work computers and accounts (37%), streaming services (25%), social media (26%), and smart home devices (17%). Consumers enter a password manually nearly four times a day on average, or around 1,280 times a year. The only exceptional scenario to this trend was financial services, where biometrics (33%) narrowly beat passwords (31%)* as the most used sign-in method.

This is especially interesting considering biometrics’ rising popularity as an authentication method. When asked what authentication method people consider most secure and the method they most prefer using, biometrics ranked as favourite in both categories, rising around 5% in popularity since last year. This suggests that consumers want to use biometrics more but don’t currently have the opportunity.

“This year’s Barometer data showed promising signs of shifting consumer attitudes and desire to use stronger authentication methods, with biometrics especially proving popular. That said, high password usage without 2FA worryingly reflects how little consumers are still being offered alternatives like biometrics, resulting in lingering usage,” commented Andrew Shikiar, Executive Director and CMO of the FIDO Alliance. 

Marketing Technology News: Aidentified Launches Data Insights Scan (DIScover), a Snowflake Native App in the Data Cloud

Scams are getting more frequent and more sophisticated – likely fuelled by AI 

This year’s Barometer also unearthed consumer perception of threats and scams online. 54% of people have noticed an increase in suspicious messages and scams online, while 52% believe these have become more sophisticated.

Threats are seen to be active across several channels, but primarily email, SMS messages, social media, and fake phone or voicemails. The increased accessibility of generative AI tools is a likely driver of this rise in scams and phishing threats. Tools like FraudGPT and WormGPT, which have been created and shared on the dark web explicitly for use in cybercrime, have made crafting compelling social engineering attacks far simpler, more sophisticated, and easier to do at scale. Deepfake voice and video are also being used to bolster social engineering attacks, tricking people into thinking they are talking to a known trusted person.

Shikiar added: “Phishing is still by far the most used and effective cyberattack technique, which means passwords are vulnerable regardless of their complexity. With highly accessible generative AI tools now offering bad actors the means to make more convincing and scalable attacks, it’s imperative consumers and service providers listen to consumers and start to look at non-phishable and frictionless solutions like passkeys and on-device biometrics more readily available, rather than iterating on ultimately flawed legacy authentication like passwords and OTPs.” 

Passkeys, which provide secure and convenient passwordless sign-ins to online services, have grown in consumer awareness despite still being live just over a year, rising from 39% in 2022 to 52% awareness today. The non-phishable authentication method has been publicly backed by many big players in the industry – Google recently announced that passkeys are now available for all its users to move away from passwords and two-step verification, as has Apple, with other brands like PayPal also making these available to consumers in the last twelve months.

The impact of legacy sign-ins worsens for businesses and consumers 

The negative impact caused by legacy user authentication was also revealed to be getting worse. 59% of people have given up accessing an online service and 43% have abandoned a purchase in the last 60 days, with the frequency of these instances rising year on year to nearly four times per month, per person, up by around 15% on last year. Poor online experiences are ultimately hitting businesses’ bottom lines and causing frustration among consumers.

70% of people have had to reset and recover passwords in the last two months because they’d forgotten them, further highlighting how inconvenient passwords are and their role as a primary barrier to a seamless online user experience. 


Original Article


Meet TrustKey’s expert.


TrustKey Co.,Ltd./Address : (06236) 2F, 14, Teheran-ro 22-gil, Gangnam-gu, Seoul, Republic of Korea
Tel : +82-2-556-7878 Sales : / Technical : / Fax : +82-2-558-7876

Copyright © 2020 TrustKey. All Rights Reserved.