Raising the standards of authentication

By Andrew Shikiar, Chief Marketing Officer and Executive Director at FIDO Alliance

Cybersecurity ranks among the Top 5 global risks and reducing cyber-risk exposure has become a priority for business leaders, according to the World Economic Forum’s 2019 Global Risks Report.

In Singapore, public and private sector organizations have kept pace by building sound infrastructure and adopting the latest technologies to deal with cyber threats, yet humans often remain the weakest link in cyber defense.

Recently, in what has been called the worst data breach incident in Singapore, a staff member at one of the largest healthcare organizations in Singapore failed to identify and block unauthorized online communications with a server when he was inspecting a workstation. This lapse allowed for the theft of confidential personal data of 1.5 million patients, including data belonging to the country’s prime minister.

A probe after the incident also revealed that weak administrator passwords, staff falling prey to phishing attacks and an unapplied security patch were all partly to blame for the breach.

People nonetheless remain complacent about cybersecurity despite the many initiatives in place to raise awareness and to educate on prevention, protection and risk mitigation. The latest public awareness survey by the Cyber Security Agency (CSA), for instance, reported that one in three respondents last year still stored passwords on their computer, wrote them down, or reused the same password for work and personal accounts.

Data protection and regulation

Businesses need to be just as serious about guarding our digital identities and how they are authenticated. Just as the General Data Protection Regulation (GDPR) is enforced to protect our personal data, we need regulations and standards in place for authenticating digital identities.

The GDPR is a set of rules introduced in 2018 that applies across all European Union member states and is designed to give citizens more control over their personal data. Under GDPR, organizations have to ensure that personal data is gathered lawfully and under strict conditions. They are also obliged to protect the data from misuse and exploitation, respecting the rights of data subjects. A GDPR violation can mean serious penalties: a fine of up to €20 million, or up to 4% of annual worldwide turnover for the preceding financial year, whichever is greater.

Most likely due to a ripple effect from GDPR, several ASEAN countries have taken major steps to review their own data protection laws and developed similar regulatory frameworks to protect their citizens and enable local businesses to operate globally. Just recently, Thailand joined Singapore and Malaysia to enact their own version of a personal data protection law.

Similarly, we need some form of regulation, or at least a set of standards, for identity authentication. This is especially crucial as we increasingly rely on connected devices and live our lives online, doing everything from banking and learning to socializing and working over the internet. In that world, knowing who is on the other end of the connection is of utmost importance.

Relying on passwords as the primary means for authentication no longer provides the security or user experience that consumers demand. However, accelerating the adoption of sophisticated authentication methods will require industry stakeholders to commit to developing and deploying technical standards and established best practices. It is also crucial that we have the involvement and support of industry authorities and regulators.

The technology industry has come together to address the issue and formed the FIDO (Fast Identity Online) Alliance. This is a non-profit industry association where technology industry partners work together to establish standards and regulatory-aware implementation best practices for strong authentication.

At the core of FIDO Authentication is the use of public-key cryptography to provide stronger authentication. At the point of account registration on an online platform that uses FIDO standards, the user’s device (e.g., a mobile phone) creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the user’s device proving possession of the private key: the service sends a fresh random challenge, and the device returns a signature over it. Because the signed data is also bound to the origin of the requesting site, a credential registered with a genuine site cannot be used by a look-alike phishing site.

When the user returns to the site or app, they verify themselves through a simple gesture such as swiping a finger, entering a PIN, speaking into a microphone, or inserting or pressing a button on a second-factor device. These gestures are performed on devices that are literally in the hands of the vast majority of consumers every day, such as mobile phones, wearables, PCs and security keys.

FIDO has charted a path forward that provides standards-based, cryptographically secure authentication that keeps login credentials on the user's device, secure and private, while providing a fundamentally better user experience. This approach also reduces authentication risk for service providers: because the server stores only public keys rather than passwords or other shared secrets, a breach of its credential store gives an attacker nothing that can be used to log in.
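The registration and challenge-response flow described above, together with the replay, phishing and stolen-credential-store cases that the design is meant to defeat, as an added example in Go. This is illustrative code written for this article, not FIDO Alliance code or an implementation of the FIDO2/WebAuthn wire formats: it uses Ed25519 from the Go standard library, a constructed service name ("example.bank"), and a simplified message layout ("rpID|challenge") that stands in for the signed authenticator data and client data of the real protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authenticator stands in for the user's device: the private key never leaves it.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // one key pair per service (relying party ID)
}

// RelyingParty stands in for the online service. It stores public keys only, so a
// breach of this table gives an attacker nothing they can log in with.
type RelyingParty struct {
	ID      string
	pubKeys map[string]ed25519.PublicKey // username -> registered public key
	pending map[string][]byte            // username -> outstanding single-use challenge
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register creates a fresh key pair scoped to rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

// Sign proves possession of the private key for rpID. The message binds the challenge
// to the service identifier, and the device refuses to sign for a service it never
// registered with, which is what defeats a look-alike phishing site.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ed25519.Sign(priv, signedMessage(rpID, challenge)), nil
}

// StorePublicKey completes registration on the service side.
func (rp *RelyingParty) StorePublicKey(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

// NewChallenge issues 32 random bytes that are valid for exactly one verification.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks the signature against the stored public key and the outstanding
// challenge, then discards the challenge so the same signature cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	challenge, ok := rp.pending[user]
	if !ok {
		return false
	}
	delete(rp.pending, user)
	pub, ok := rp.pubKeys[user]
	return ok && ed25519.Verify(pub, signedMessage(rp.ID, challenge), sig)
}

// signedMessage is a simplified stand-in for the data a FIDO authenticator signs.
func signedMessage(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}

// ScenarioResult records what the service decided in each of the cases below.
type ScenarioResult struct {
	LegitLogin      bool // genuine device answering a fresh challenge
	ReplayAccepted  bool // the same signature presented a second time
	PhishingRefused bool // device asked to sign for an unregistered look-alike domain
	ForgedAccepted  bool // attacker holding only the leaked public-key table
}

// RunScenario walks through registration and login against "example.bank" (a
// constructed service name) and the three abuse cases.
func RunScenario() ScenarioResult {
	var r ScenarioResult
	device, bank := NewAuthenticator(), NewRelyingParty("example.bank")

	pub, _ := device.Register(bank.ID) // registration: device keeps priv, bank gets pub
	bank.StorePublicKey("alice", pub)

	ch, _ := bank.NewChallenge("alice") // login: sign a fresh challenge, bank verifies
	sig, _ := device.Sign(bank.ID, ch)
	r.LegitLogin = bank.Verify("alice", sig)
	r.ReplayAccepted = bank.Verify("alice", sig) // challenge consumed: must fail

	ch2, _ := bank.NewChallenge("alice") // look-alike domain relays the real challenge
	_, err := device.Sign("examp1e.bank", ch2)
	r.PhishingRefused = err != nil

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // stolen pub table, own key
	r.ForgedAccepted = bank.Verify("alice", ed25519.Sign(attackerPriv, signedMessage(bank.ID, ch2)))
	return r
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Running it prints LegitLogin true, ReplayAccepted false, PhishingRefused true and ForgedAccepted false. Two design points carry the security argument: the challenge is consumed on first use, so a captured signature is worthless afterwards, and the device will only sign for an identifier it registered with, so the phishing site cannot relay the real service's challenge through the user. The real protocol binds the origin cryptographically inside the signed client data rather than by a simple string lookup, but the effect is the same.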

Password-less future

While it may not be realistic (nor necessary) to expect organizations to eliminate all passwords overnight, this is most certainly the direction in which we should collectively be steering. Tangible steps should be taken to replace dependence on passwords with authentication mechanisms backed by public-key cryptography, in which no shared secret is ever stored on the server or sent over the network.

Universal specifications such as those from the FIDO Alliance and the W3C make it straightforward to integrate these modern authentication mechanisms into a rich ecosystem of products and services, fundamentally changing the cyber threat landscape by removing phishing, credential stuffing and password-database theft as viable attack vectors.