In April 2020, during the height of the Covid-19 pandemic, the State of New Jersey called for volunteers who knew COBOL, a programming language created more than 60 years ago, to help keep its overloaded mainframe systems processing unemployment claims. In late 2020, even in California, the technology capital of the world, the Employee Development Department continues (paywall) to wrestle with antiquated systems incapable of keeping up with the demand for services. In 2015, the US Office of Personnel Management (OPM) mainframe was breached, disclosing highly sensitive data of every federal employee.
How did the country that invented some of the most advanced technology in the world get into a situation where antiquated systems continue to be used when vastly superior and cost-effective technologies abound? I believe the answer is simple: Managers responsible for making these decisions did not recognize the difference between sunk costs and the need for systems to deal with future risks.
We are at a similar crossroads today, where another 60-year-old technology – the password – continues to be used despite the vulnerabilities that breaches repeatedly expose. Similarly, past investments in single sign-on (SSO) technology are unable to prepare companies for the future. The twin problems posed by passwords and SSO preserve an explosive environment that threatens the security of our information technology infrastructure; the latest example is the recent SolarWinds breach that was amplified by a vulnerability in VMware's SSO technology.
Invented in the late 1980s, SSO aided companies and government agencies by consolidating passwords into a single infrastructure that made it easier for company and agency employees to use multiple applications without having to authenticate to each one individually. Similarly, it let them revoke an employee's access to multiple systems in one place rather than in every system individually. SSO systems, while expensive and complex to build and maintain, benefited large enterprises with dozens to hundreds of applications through the 20th century.
The invention of public key infrastructure (PKI) in the mid-1990s had the potential to address this problem and others. However, the complexity and cost of PKI stymied enterprise deployments, thereby costing billions of dollars for projects that did not deliver on their promises. As a result, SSO continued to evolve and grow, all the while perpetuating the use of billions of passwords hidden behind the seductive simplicity of authenticating to just one SSO service.
In my work with the FIDO Alliance, a nonprofit group of more than 200 companies and government agencies, I've seen a new authentication technology capable of addressing the problems of passwords and SSO. This technology presents an open, royalty-free protocol that can eliminate passwords from systems. My 22 years of work with public-key cryptography – including nearly six years with FIDO technology – gives me deep insights into how it works and how it can prove to be a worthy alternative to SSO.
Starting with how it works, one of the biggest changes FIDO brings is the elimination of passwords. This helps eliminate an entire class of attacks on systems – dictionary attacks, rainbow tables, keystroke loggers, and password phishing, stuffing and spraying – as well as the underground market for credentials based on past breaches.
It can also leverage strong security components embedded in most modern computing devices, including the trusted platform module (TPM) on desktops and laptops and the trusted execution environment (TEE) of mobile devices, to protect credentials.
It delivers an industry standard supported by every browser except Internet Explorer, as well as the Windows 10 and Android operating systems (Apple iOS and OS-X systems continue to be works in progress). The industry standard enables this technology to work out of the box without additional hardware components, software drivers, etc.
It also leverages the use of biometrics enabled on modern mobile devices and computers while preserving the user’s privacy because the FIDO protocol does not transmit biometric information to the application. It merely uses biometrics to verify a user's identity and unlocks the device for the legitimate user to authenticate via the FIDO protocol.
Perhaps most importantly, this technology can eliminate the burden of SSO as passwords disappear from applications and systems.
Vulnerabilities Within Systems
Any authentication technology, including FIDO's, will need a composite approach to move away from SSO. FIDO's technology combines the security of biometrics on client devices, cryptographic algorithms that eliminate secrets on the server, embedded hardware elements to protect cryptographic keys, and protocols that preserve users' privacy and eliminate password phishing attacks to deliver an extraordinary cocktail of security benefits that combat multiple vulnerabilities.
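The properties listed above (no secret stored on the server, a private key that never leaves the device's hardware, a biometric that only unlocks that key locally, and a signed challenge bound to the site's origin so that a relayed login fails) can be shown in a few dozen lines. The following is an added example written for this page, not code from the article, the FIDO Alliance or StrongKey. It is a deliberately simplified model of the WebAuthn registration and assertion ceremony: the real authenticatorData and clientDataJSON carry more fields, and a real browser also refuses to use a credential from an origin that does not match its relying-party ID. The relying-party ID "example.test", the origins, the user "alice" and the signed-digest layout are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Authenticator models a TPM/TEE-backed key store: one P-256 key pair per relying-party ID (rpID). Private keys never leave it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Sign models the assertion. Local user verification (fingerprint, PIN) would gate this call; the biometric itself never appears in the message.
func (a *Authenticator) Sign(rpID string, clientDataJSON []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential for %q", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, clientDataJSON))
}

// signedDigest = SHA-256(SHA-256(rpID) || SHA-256(clientDataJSON)), a simplification of WebAuthn's authenticatorData || clientDataHash.
func signedDigest(rpID string, clientDataJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientDataJSON)
	sum := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return sum[:]
}

// ClientData is assembled by the browser: the server's challenge plus the origin the page was actually loaded from; page script cannot alter the origin field.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// RelyingParty is the server: it stores public keys and unused challenges, never a secret.
type RelyingParty struct {
	ID, Origin string
	pubKeys    map[string]*ecdsa.PublicKey // user -> registered public key
	pending    map[string]string           // user -> challenge not yet consumed
}

// NewChallenge issues a fresh 256-bit nonce so a captured assertion cannot be replayed.
func (rp *RelyingParty) NewChallenge(user string) string {
	b := make([]byte, 32)
	rand.Read(b) // fills b completely; since Go 1.24 crypto/rand.Read cannot return an error
	rp.pending[user] = fmt.Sprintf("%x", b)
	return rp.pending[user]
}

// Verify parses the client data and consumes the challenge, then checks the origin, then the signature.
func (rp *RelyingParty) Verify(user string, clientDataJSON, sig []byte) error {
	var cd ClientData
	if want, ok := rp.pending[user]; json.Unmarshal(clientDataJSON, &cd) != nil || !ok || cd.Challenge != want {
		return fmt.Errorf("malformed client data, or unknown/already-used challenge")
	}
	delete(rp.pending, user)
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: %q", cd.Origin)
	}
	if pub, ok := rp.pubKeys[user]; !ok || !ecdsa.VerifyASN1(pub, signedDigest(rp.ID, clientDataJSON), sig) {
		return fmt.Errorf("signature does not verify against the registered public key")
	}
	return nil
}

func login(rp *RelyingParty, auth *Authenticator, origin string) ([]byte, []byte, error) {
	cd, _ := json.Marshal(ClientData{Challenge: rp.NewChallenge("alice"), Origin: origin})
	sig, err := auth.Sign(rp.ID, cd)
	return cd, sig, err
}

// Scenario registers "alice" (constructed names), then runs a genuine login, a replay of it, and a login whose client data
// carries a look-alike origin; a real browser would not sign for rp.ID from there at all, so this isolates the server-side origin check.
func Scenario() (genuineOK, replayRejected, wrongOriginRejected bool, err error) {
	rp := &RelyingParty{ID: "example.test", Origin: "https://example.test",
		pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string]string{}}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration ceremony
	if err != nil {
		return
	}
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{rp.ID: priv}}
	rp.pubKeys["alice"] = &priv.PublicKey // the server stores nothing else about the credential
	cd, sig, err := login(rp, auth, rp.Origin)
	if err != nil {
		return
	}
	genuineOK = rp.Verify("alice", cd, sig) == nil
	replayRejected = rp.Verify("alice", cd, sig) != nil // same challenge, already consumed
	if cd, sig, err = login(rp, auth, "https://example-login.test"); err != nil {
		return
	}
	wrongOriginRejected = rp.Verify("alice", cd, sig) != nil
	return
}

func main() { fmt.Println(Scenario()) } // true true true <nil>
```

Two details carry the security argument. The relying party's entire record for alice is a public key, so a breach of its database yields nothing that can be replayed or cracked, which is the "eliminate secrets on the server" property. And because the browser, not the page, writes the origin into the signed client data, an assertion obtained through a look-alike site is rejected even when the signature itself is valid, which is where the phishing resistance comes from.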
Cost And Complexity Of Systems
Companies and government agencies spend an extraordinary amount of time and money coordinating the integration of SSO solutions with applications and third-party multifactor authentication technologies to comply with regulations. These costs disappear when SSO (and its complexity) is eliminated. While FIDO introduces new complexity and costs, given the aforementioned vulnerabilities it eliminates, published research indicates that the quantifiable benefits outweigh FIDO transition costs.
User Productivity And Experience
A new authentication solution could be complex from a security point of view, but as long as it provides a delightful experience to users, the technical complexity isn't a grave concern. FIDO strives for a positive user experience by shielding the complexity with simple acts users are already familiar with on their devices: touching a fingerprint reader, providing a PIN, drawing a pattern on a mobile device, etc.
Enabling FIDO in web and mobile applications requires companies to invest in integrating the technology and rolling out those new applications to their user community. However, FIDO is not an all-or-nothing solution. It can coexist with existing authentication technologies during the transition period and allow companies to manage their transition schedule commensurate with their risk management strategy.
While transitioning to a more secure alternative to passwords and SSO is another technology expense for executives, it is one worth exploring. The alternative – preserving a system that only seems to work – merely kicks the can down the road while stresses accumulate in the system.
About the Author: Arshad Noor has been the CTO of StrongKey since 2001. With 34+ years of experience in the information technology sector, he has spent the last 21 years of his career focused on solving data-protection problems using applied cryptography. In 2019, he served as one of 20 members on the California Blockchain Working Group helping to craft recommendations to the State Legislature on how the fifth largest economy in the world should deal with blockchain.