Moving Past the Relics of Password-Secured Credentials with FIDO 2.0

Josh Blackwelder

By Josh Blackwelder, Deputy CISO at SentinelOne

In an era where digital security is paramount, the persistent reliance on passwords remains a significant vulnerability for enterprises globally. FIDO 2.0 emerges as a timely solution, reimagining credential authentication using technologies that are already available.

Legacy credential systems, rooted in the Internet 1.0 era, increasingly expose organisations to sophisticated AI-backed cyber threats. The 15% increase in attacks against Indian organisations, now averaging 2,138 attempts per week, can largely be attributed to these poorly secured credentials. As companies and industries continue to thrive throughout India and the region, security teams benefit from implementing new credential approaches, such as FIDO 2.0, from the moment they build out their networks.

Despite CISOs’ and cybersecurity practitioners’ efforts in network security, advanced authentication implementation, and staff training on cyber hygiene, it still takes only a single breach to bring operations to a halt.

Changing the credentials status quo

Despite diverse authentication methods, the prevalent use of alphanumeric codes for logins continues to compromise organisational security.

Recent years have particularly highlighted these faults in the Asia Pacific region. This has resulted in:

– The region absorbing 31% of global attacks as its digital transformation continues at a rapid clip across sectors.
– Governments being the most-hit sector, absorbing the brunt of the attacks at 22%.
– 49% of all attacks leading to the compromise of sensitive information, with 27% of successful attacks disrupting core organisational operations.

This goes beyond the financial and personal burden put on people as they try to understand if their information is compromised.

In the past, these attacks were conducted by identifying a vulnerability within a system and exploiting it using relevant tactics. Today, however, companies face two main threats: phishing attacks and device compromise.

Phishing attacks

The Microsoft breach was completely avoidable had the FIDO2 standard been followed, a standard Microsoft offers on its products and even requires on its company GitHub.

It speaks volumes about the harm of relying on legacy credential authentication. With the compromise of a single account through a successful phishing attempt, attackers were able to put hundreds of organisations at risk, and the problem is scaling.

AI has significantly scaled and refined the accuracy of phishing attacks. While in the past it involved blasting out poorly written emails to many users, today’s attacks combine AI-crafted messaging with SMS push notifications and other forms of seemingly unthreatening behaviour. This has lowered the barrier to entry for threat actors, allowing them to wield greater technology without needing the technical know-how to exploit vulnerabilities. Instead, they can simply ask employees to hand over the keys to the kingdom by clicking on a ‘change password’ link, responding to a seemingly harmless text, or entering credentials to get rid of pesky messages that look just as if they are coming from the company’s IT department.

Once in, the threat actor has full access to whatever the tricked user had. But take note: once inside a network, information can be extracted and permissions elevated by curating just the right message, with AI once again. This evolution in phishing attacks represents not only a technological shift but also a critical operational risk for organisations.

Implementing FIDO2 removes the risk of SIM-swap attacks, IdP man-in-the-middle (MITM) phishing attacks, push bombing, OTP MITM attacks, password spraying, and lost or reused credentials.

Device compromise

Organisations permitting remote work or personal device use face an additional security concern: unfamiliar devices.

IT operators have always struggled to identify and approve all devices on a network, again relying on usernames, passwords, and perhaps some other alphanumeric authentication technique. The danger lies in the possibility that these two-factor authentication methods may be compromised alongside the user credentials.

Adding to the complication, single sign-on has grown in popularity, but if a user is compromised, so too are the profiles created across all the tools to which they have granted access through that single point. Even with organisationally approved SSO in a secure environment, no matter how secure those APIs and authentications are, if the front door is still secured with a username, password, and alphanumeric authentication, then the risk remains ever-present.

Ironically, much of the hardware distributed within organisations already features secure, uncompromisable biometric capabilities. This makes device compromise not just a technical challenge, but a significant operational vulnerability.

FIDO 2.0: Elevating authentication and standards

This failure to evolve login credentials along with other technologies has been acknowledged by Google, Microsoft, Amazon, Apple, and others. To address the security gap and prevent organisations from falling victim to credential attacks, the FIDO alliance created new standards that leverage the existing on-chip security needed to properly authenticate both individual users and the devices they are operating on.

Examples of devices that are already in the workplace today and conform to Fast IDentity Online 2.0 (FIDO2) are those that already require some kind of biometric or token authentication. This includes those with facial recognition, fingerprint readers, or physical device tokens such as a card or NFC wand.

The strength of this system lies in its symmetry between user devices and software authentication. Similar to leading smartphones’ advanced authentication, FIDO 2.0 mandates reciprocal verification by organisations based on established approvals and credentials.

By adding this layer of protection, the username and password combinations that we rely on become only one part of a more complicated authentication process in an organisation’s overall security posture and a significant hurdle to threat actors.

Securing endpoints and the cloud

As phishing attacks continue to target all users, it’s no surprise that the big prize lies in penetrating corporations.

Given the availability of these capabilities on corporate devices (and adaptability for older ones), urgent action by management to adopt these standards is essential to prevent potential multi-million dollar crises.

The integration of FIDO 2.0 standards isn’t just a technological upgrade; it’s a strategic imperative to fortify digital defences in an increasingly interconnected world.

Why is FIDO2 more secure than Username/Password?

While I explored above the inherent weaknesses of username/password authentication, FIDO2 relies on a fundamentally stronger authentication process.

To begin, each device or hardware token must be individually enrolled to allow FIDO2 authentication. This is done by creating a public/private key pair. In the case of an iPhone paired with a commercial identity provider like MS Entra ID or Okta, the user interface will walk the user through this enrollment process.

How it works under the hood: the public key portion is saved into the web service and assigned to the user identity. On the user device side, the private key is stored within the phone or laptop secure enclave. When the user authenticates to an enrolled web service, the service prompts the user for the “Passkey” (the private key stored within the phone or laptop). The user is then prompted to unlock the device’s secure enclave, allowing the private key to be used to complete the challenge/response part of the authentication process. The private key never leaves the device, which makes this much more secure than a traditional username/password.

Even though usernames and passwords will be used alongside FIDO2 authentication for some time into the future, in a FIDO2 implementation they cannot be used without the private key challenge/response piece of the authentication process. This means that if the username/password is lost or stolen, it is of little value and cannot on its own be used for authentication.
