The impact of open security standards on user experience
User authentication is a critical security action for all organisations providing access to data and services in the modern world.
Beginning with the broad adoption of the FIDO Universal Second Factor (U2F) standard, followed by FIDO2 and now Web Authentication (WebAuthn), these open security standards bring new and important security capabilities to authentication while reducing cost for the modern web. What impact do open security standards have on the user experience, and why should we even care about them?
Standards and security
Open standards establish protocols and building blocks that can help make applications more functional and interoperable so that every user has a consistent experience across the board. Take the seatbelt, for example. The three-point seatbelt was invented by Volvo, but Volvo contributed it as a standard so that any auto manufacturer could also adopt and use this same technology. Today, we have three-point seat belts in every single car and they all work the exact same way so as users, we know what to expect and how to operate them.
The same concept of the seatbelt applies in many other industries as well. For example, the reason you can read emails is because of a standard that was originally called USASCII that defined which bit patterns made which characters. The reason that we can communicate via mobile phones is because of the GSMA cellular standard. The list goes on, but internet security is no exception.
The humble password is a decade-old example of an open standard used widely across the internet: it was initially supposed to fix authentication, but it does not provide adequate security. New open standards are needed because passwords have become a source of significant problems. Users continue to choose weak or easy-to-guess passwords and reuse the same passwords on multiple services.
The real key is that open standards are implemented reliably and consistently, creating efficient and trusted conditions through economies of scale that make secure systems practical to build. Without open standards, security evaporates.
What about WebAuthn?
In early 2019, Web Authentication, or WebAuthn, became an official World Wide Web Consortium (W3C) standard. The specification allows any service, including banks, email providers or online gaming services, to request an authentication token that an authenticator, such as a mobile app, a hardware token or facial recognition, can provide.
By separating the authentication step from service access, the WebAuthn standard gives users access to a broad range of potential authenticators, most of which do not require passwords. WebAuthn is currently supported in Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari web browsers, as well as Windows 10, iOS and Android platforms.
Sites that support WebAuthn include Google, Dropbox, GitHub, Okta, Twitter and Microsoft. Google last year rolled out an update so people with iPhones could use WebAuthn with more types of security keys as the second factor to sign into a Google account.
MFA, the norm?
Since the start of the pandemic, remote working has become the new norm, forcing organisations to increasingly rely on accessing business services and data through the internet.
The sudden shift to remote work pushed credential theft to the top of cyber attackers’ priorities. Organisations therefore needed to introduce, and rely heavily on, multi-factor authentication to re-establish trust with users connecting remotely to the corporate network and its assets. If a password is the only authentication factor, users are not protected against the many attacks in circulation, including credential stuffing, where bad actors try commonly available stolen usernames and passwords against online services.
The Australian Cyber Security Centre says that our national security agencies receive one report of cybercrime almost every 10 minutes, and many of those attacks are perpetrated using stolen usernames and passwords to access online services.
Adding a second factor is a game changer. Even one of the weakest forms of two-factor authentication, which is two-step verification through SMS text messages, is better than nothing. However, it pales in comparison to other MFA methods, like security keys, that can stop 100% of all targeted attacks, according to a Google security study.
With the significant rise in cyber attacks now top of mind for many organisations, now really is the time to implement the open security standards, because it is no longer a matter of if, but when, an attack will occur.
Impact on user experience
Generally, the user only has an interest in getting their work done or checking out their social media pages; security is a secondary concern until something bad happens.
The industry and the FIDO Alliance, along with W3C, have designed these modern open authentication standards with ease of use in mind. There is no sense in implementing harder-to-use security standards when the target audience will just find a way around them. Defining this open standard has delivered a simpler user experience, reduced cost of ownership and strong security, which minimises adoption challenges.
The user experience must be easier than what is in use today: a PIN (similar to a credit card), a biometric or a touch, together with a secure external hardware device (security key), will ease the pain currently felt by users struggling to keep up with ever-increasing demands for password complexity and differing methods of getting access to their daily online activities.
Throughout 2021, companies and their security teams should take extra steps to protect every user with multi-factor authentication, which will eliminate most of the threats to their cloud services and virtual infrastructures.
Ultimately, open standards benefit user experience, identity and authentication, and they provide stronger security. Our belief is that open security standards are actually more secure, not less, than closed proprietary ones; combined with their ease of use and convenience, that makes them a win-win for users and their organisations.