Identity is a core component of cybersecurity, and as such I tend to pay attention to security breaches and the various exploits that underlie them. The picture is not pretty. Just considering the top 20 breaches in 2018, we see that roughly 2.9 billion accounts were compromised, yielding a mix of personal data, passwords, email addresses, credit card numbers and all the other stuff you might find in an application database. That’s a frightening statistic, but wait, there’s more!
Those numbers come from the IT organizations themselves, and only after they (somehow) found out about them. The folks at 4IQ (www.4iq.com) gather breach data a different way. They look at the identity data that is available for sale and download on the so-called “dark web” and work out what the breaches were that accounted for changes in the supply of stolen identity records. According to the 2019 4IQ Identity Breach Report, there were more than 12,000 identified identity breaches in 2019, adding 3.6 billion new identity records to the approximately 12 billion records already compromised.
I haven’t seen detailed root causes for these breaches, but in general, about 80% of breaches are due to compromised credentials, e.g. usernames and passwords. And the vulnerabilities used to snatch up usernames and passwords are as old and tired as a 4800 baud modem:
- Passwords that are easy to guess
- Passwords reused across multiple accounts
- Passwords laying around in cleartext (digitally, or on bits of paper)
- Passwords that haven’t been changed in years
- Passwords shared amongst several people
- Passwords exposed through software
This isn’t just an issue of compromising consumer data either. Enterprises and other organizations depend entirely on their IT systems for day-to-day business. If an attacker can gain control of critical enterprise IT systems, they can disable them and hold them for ransom. That’s just what happened two years ago to the global shipping company Maersk, and apparently just last week to Norsk Hydro, one of the world’s largest aluminum producers.
No matter how you slice it, passwords are an awful way to secure things. They’re easy to steal, they’re annoying for people to manage, and they don’t do what they are supposed to do, which is secure IT systems. They are the primary vulnerability in our IT world.
Passwords must die.
But what do we do instead? There are two approaches, one well-proven and the other brand new, and they work really well together.
Single sign-on reduces the proliferation of passwords by centralizing credentials in a single service. SSO has been a staple of enterprise IT infrastructure since the introduction of Windows 2000 Active Directory. AD uses Kerberos as its authentication and SSO mechanism, and so long as you build your applications to use Windows authentication, they get SSO more or less for free. But Kerberos is really only workable inside the firewall, and modern web applications rely on SAML 2, or more recently OpenID Connect for authentication. In either case, instead of each application having its own set of usernames and passwords, the applications trust an identity provider service to securely authenticate users and to provide some sort of artifact (e.g. a SAML authentication message or OpenID Connect Id token) describing the authentication event. Many cloud identity providers such as Azure Active Directory and Okta provide web single sign-on using SAML or OpenID Connect, our Cobalt identity platform supports both protocols in on-prem, hybrid cloud, or multi-cloud deployments.
But SSO services still rely on usernames and passwords for authentication. Even though commercial SSO providers generally take good care of your credentials, there are exceptions, the most egregious being the recent revelation that Facebook (who provides SSO services for consumers through the ubiquitous “Login using Facebook” option) had maintained files containing hundreds of millions of user passwords in clear text sitting on their internal file servers. These files were available to any Facebook employee, and had been available going back as far 2012. The potential consequences are catastrophic, and clearly demonstrate that while reducing the number of passwords is good, using SSO is not enough. How do we get rid of passwords completely?
FIDO2 has two really cool properties. First, it avoids passwords entirely by generating a public-private key pair for each application or authentication service. The service gets a copy of the public key, but the private key is securely locked up on the user’s device (PC, or phone, or USB key, or whatever.) The user authenticates to the application or service by demonstrating proof-of-possession of the private key, but the private key never leaves the device. There is no password to steal or to leave laying around in a file.
The second cool property is the user experience. Instead of typing in a password, the user simply has to use some sort of gesture to unlock the private key on the device. Depending on the kind of device and the requirements of the authenticating service, it can be a simple tap to show that a human is present, a PIN, or a biometric scan such as a fingerprint or facial scan. From the user experience perspective, FIDO2 is huge upgrade over passwords.
FIDO2 is a game changer for web authentication. We can now provide a cryptographically strong authentication service to our users that is both easier to use and far more secure than passwords. And combined with single sign-on, we can start eliminating passwords from our IT infrastructure.