Marcia Klingensmith

Cybersecurity, no more user names and passwords

Security technology, and with it the protection of customers' identities, has grown increasingly important over the last 20 years. Identity devices are embedded in everything from passports to wearables, to metering and other industrial controls. As these things get networked they become more exposed to attack and need more security. NXP is one of the biggest players in securing these connected devices.


It is no longer necessary to present a physical token to access things. We no longer need a badge to enter an office building: with today's technology, access based on identity recognition can be integrated into wearables and other devices, or can use biometrics such as retina scans and fingerprints. Cars have keyless entry: a user can walk up to their car with the key in their pocket, and a short-range radio exchange between key and car (Bluetooth, in phone-as-key systems) unlocks the door as they approach, without the key ever being taken out.


Payments have evolved too. Contactless payments started with public transportation: people don't like to wait in lines, and most people carry a phone connected to a network, so payment methods using NFC (Near Field Communication) were developed to move customers through the transit system faster. In the first iterations the phone needed an add-on chip, sticker or similar to enable NFC. Newer phones have NFC and payment capabilities built in, and payments are now moving from cards to wearables: with Apple Pay, for example, a customer can pay with a phone or a watch.


Online accounts, most of them hosted in the cloud, are the access points to many things, from your bank account to your home to your media platform. Consumers have many online accounts, and most of them require the user to set up a user name and password. Frustrated at trying to remember them all, people reuse the same ones over and over, so one breached site exposes every other account that shares that password. In fact there are still an amazing number of databases in which user names and passwords are stored exposed, in plaintext or weakly hashed, and easy for attackers to steal.


Changing the passwords on these accounts has its own points of vulnerability, as the updated password has to be propagated through the entire technology ecosystem, from chips and devices to cloud services and IoT. Everything is connected, and it is hard to make sure the user ID and password are updated safely from one end of the connected network to the other.


To address these concerns, the FIDO Alliance came up with a better way to protect online accounts: avoid user IDs and passwords altogether by tying access to the account to something physical that stays on or near the person, perhaps fitting in a pocket, using a combination of physical and logical resources.


One of the goals of the FIDO Alliance was to devise an authentication method that avoids the need for usernames and passwords. It created a set of technology-agnostic specifications that standardize the authentication protocol between the client and the online service, built on standard public key cryptography: at initial setup the client generates a key pair and registers only the public key with the online service, while the private key never leaves the user's device. To log in, the service sends a fresh random challenge and the client returns it signed with the private key; the service checks the signature against the stored public key. Nothing the service stores is a secret, so a stolen copy of its database lets nobody log in.


The concept is that by moving the secret to a physical asset that stays with the user (a button on a key, an object in the user's pocket, a device unlocked by a fingerprint) you get an authentication method that is hard to attack remotely: there is no shared secret to phish or to steal from a server. One key can be used for many services; you just register it with each service you want it to give you access to, and it generates a separate key pair for each, so the services cannot use the key to correlate you across sites.
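The registration and challenge-response flow described in the last two paragraphs, as an added worked example in Go (this is not the FIDO Alliance's code or any vendor's implementation, and it is a deliberately simplified model of the protocol: real FIDO/WebAuthn adds attestation, user-presence checks, signature counters and CBOR encodings). The relying-party ids bank.example, bank-login.example and shop.example and the user name alice are assumptions for illustration. The private key never crosses the Authenticator boundary, the service stores only public keys, each service gets its own key pair, and a signature is bound to both the origin and a one-shot challenge:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the FIDO device in the user's pocket: one private key per
// relying party (RP), and no operation that ever exports a key.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register makes a fresh P-256 key pair scoped to rpID and returns only the public
// half. Each RP gets its own key pair, so two services cannot link the same user.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedData is the message both sides sign and verify: SHA-256 over the RP id
// (binding the signature to that origin) followed by the server's random challenge.
func signedData(rpID string, challenge []byte) []byte {
	digest := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return digest[:]
}

// Authenticate returns a DER-encoded ECDSA signature over the challenge, made with
// the key held for rpID. In a browser the rpID comes from the page origin, not from
// the user, so a look-alike phishing domain finds no credential, and a signature it
// relayed would carry the wrong origin and fail verification at the real RP.
func (a *Authenticator) Authenticate(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

// RelyingParty is the online service. Its database holds public keys and the
// challenge currently outstanding per user; a stolen copy lets nobody log in.
type RelyingParty struct {
	ID      string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// NewChallenge issues 32 fresh random bytes for a login attempt by user and
// remembers them; only this value, signed, will be accepted, and only once.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.pending[user] = ch
	return ch, nil
}

// Verify consumes the outstanding challenge (so a captured signature cannot be
// replayed) and checks the signature against the user's stored public key.
func (rp *RelyingParty) Verify(user string, sig []byte) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	ch, ok := rp.pending[user]
	if !ok {
		return errors.New("no outstanding challenge: stale or replayed login")
	}
	delete(rp.pending, user)
	if !ecdsa.VerifyASN1(pub, signedData(rp.ID, ch), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth, rp := NewAuthenticator(), NewRelyingParty("bank.example") // assumed RP id
	pub, _ := auth.Register(rp.ID)
	rp.Enroll("alice", pub)
	ch, _ := rp.NewChallenge("alice")
	sig, _ := auth.Authenticate(rp.ID, ch)
	fmt.Println("login:", rp.Verify("alice", sig))          // <nil>
	fmt.Println("replay:", rp.Verify("alice", sig))         // no outstanding challenge
	_, err := auth.Authenticate("bank-login.example", ch) // look-alike phishing origin
	fmt.Println("phish:", err)
}
```

Run it with `go run` and the first login verifies, the replay of the same signature is refused because the challenge was consumed, and the look-alike origin cannot obtain a signature at all because the authenticator holds no key for it. Note what the relying party never sees: the private key, the fingerprint or PIN that unlocked it on the device, or any value it could reuse to impersonate the user elsewhere.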


To support these newer authentication methods, a lot of components need to be updated to take advantage of the FIDO standards: device support, browser support, operating systems and cloud services, as well as the apps that do the authentication.

The most important aspect of this type of security is that the authentication factor (e.g., the fingerprint) should NOT be housed in a central repository, where it becomes a target for attack; the user should be the only one with access to it. A fingerprint is only ever matched locally on the device, where it unlocks the private key; neither the biometric template nor the private key is sent to the service. Keeping the factor on the device with the user makes it far less exposed.


Some Apple iPhones are already using the FIDO protocol, and Samsung, Android and HTC are all adopting the FIDO standards; Samsung, for example, uses the FIDO protocol with Alipay and PayPal. In Japan, retina and fingerprint scans are used to access services. As bigger players start implementing the FIDO standards, like Bank of America with its recent launch of Touch ID as an authentication method for its banking application, we're sure to see more and more players leveraging the technology as well.

