Last week, I received an invitation from a new cloud-related community forum:
We’ve identified you as a thought leader and would like to give you a chance to join us and start benefiting from the collective insights of over 15k other IT decision makers while building your professional network and strengthening your reputation.
The embedded link led me to a web-page which boldly stated “Powered by Gartner” under their logo. The Sign Up page, however, led me to LinkedIn’s password-login page. The site was, obviously, using LinkedIn as an Identity Provider (IDP) to authenticate users and learn about them from LinkedIn’s trove of user-data. My response to the Community Manager who sent the invitation:
As much as possible, I am restricting myself from signing up at new sites that do not use FIDO protocols for authenticating users. When your site has a FIDO-based sign-up on its landing page, please let me know.
There was no response from the Community Manager. I forwarded the e-mail thread to 10-12 people at Gartner who I’m professionally connected with, and asked the following:
Considering that Gartner is used by thousands of companies for advice on many things related to IT, should Gartner not be setting an example to the industry-at-large?
But, then again, one has to wonder whether the IT industry is lost and is itself causing one of the biggest problems on the internet today – some of the world’s largest companies that do support FIDO do not mention that they support FIDO on their sign-up page; so what hope should we have for those who are either ignorant of FIDO or choose not to support FIDO for their own selfish reasons?
There was no response from anyone at Gartner.
Doing an ad hoc survey of the Registration/Login pages of 5-6 of the best-known IT Analyst websites, I saw the same technology in use to protect access to their sites: Userid and Passwords (shared-secrets).
We are in the 21st century. We’ve left radio-valves, rabbit-ear antennas, rotary phones and crank starters behind in the 20th century where they belong. We have rockets that go into space and come back intact; self-driving cars; more computing power in our pockets than the mainframe from 50 year ago – and yet the very companies on whom thousands of enterprises and government agencies rely upon for advice on how to navigate the complexity of information technology, chose to protect their internet-facing sites with a 50-year old technology that can, potentially, be hacked by script-kiddies.
FIDO protocols have been a standard for two years. More than 300 companies have chosen to get behind this resurgence of public-key cryptography for strong-authentication. 125 products have been certified – including an enterprise-scale open-source server from yours truly – and yet, the market – and the analyst companies – hesitate to implement the one control that can stop password-breaches, phishing attacks and account hijacks dead in its tracks. Excuses abound – but I’ll spare you those.
I’ve recently realized that analysts may be responsible for some of the confusion and hesitancy in the marketplace.
When this author started building Public Key Infrastructures in 1999, the accepted definition of strong-authentication in the security community was:
- A public-private key pair;
- Generated and stored on a cryptographic hardware device (preferably FIPS 140 certified);
- Protected by a password or PIN known only to the user; and
- All combined for Client Authentication with the Secure Socket Layer (SSL) protocol to a website or application.
Recent conversations suggest the industry is under the misconception that possession of any two of the following represents strong-authentication:
- What you know (a shared-secret: such as a password, phrase or a PIN);
- What you are (a shared secret: the biometric template);
- What you have (a device, most likely, embedded with a shared secret or an OTP to your mobile phone)
This author presented a peer-reviewed paper at the NIST IDTrust Conference in 2008, attempting to quantify the protection levels of different forms of authentication (much like Moh’s scale of mineral hardness). On a scale of 0 to 10, a shared secret – or a combination of shared secrets – came in at 2 or, at best, 4 if external hardware was in use to store the shared-secret. FIDO protocols, when used with hardware containing secure elements, would come in between 7 and 8 – higher than smartcards with digital certificates – similar to those issued by the US Department of Defense, the US Federal Government and dozens of countries with National ID cards in the EU and Asia.
To the extent the analyst industry – and their enterprise and government customers – are under this misconception, it is unlikely that FIDO deployments will permeate the internet – leaving them vulnerable to embarrassing breaches on a regular basis.
To the extent the world’s largest websites that currently support FIDO protocols for strong-authentication (the 1999 definition) choose not to mention it on their Sign Up/Login pages, consumers are unlikely to learn they can protect themselves with authentication technology for as little as ten (10) US dollars – little more than the price of a latte at a coffee shop.