Amid a steady stream of data breaches, cyber security is an ever-growing concern. Last year, according to the figures cited here, 10 users' data was breached every second, prompting many organisations to strengthen their defensive security posture. Multi-factor authentication and FIDO2 are measures that keep users' information safe by making it far harder for cyber criminals to get in with a stolen password alone. Cyber Security Consultant at AC3, Michael O'Keeffe shares his insights into the importance of FIDO2 and multi-factor authentication to better protect organisations.

What is multi-factor authentication (MFA)?

Multi-factor authentication is the process of requiring more than one factor when logging into an application to verify the identity of the user. Factors fall into three categories: something you know (a password), something you have (a phone that receives an SMS code or an app-based push notification, or a hardware key) and something you are (a biometric). A login only counts as multi-factor when the factors come from different categories; note also that SMS codes are the weakest of these, since they can be intercepted through SIM swapping. O'Keeffe stresses the importance of multi-factor authentication, as passwords are no longer effective at preventing attacks. He stated that over the years attackers have compiled a vast database of common passwords, and with users recycling the same passwords across all of their services, the risk of a data breach increases. Without multi-factor authentication, hackers are able to access the account with just a username and password.

What is FIDO2?

Fast IDentity Online 2 (FIDO2) enables users to quickly access a service with public-key credentials held by an authenticator (the user's phone, laptop or a security key) rather than with something they know. O'Keeffe uses the example of wanting to access an application: an authentication prompt might allow the user to sign in more quickly and securely using facial identification. The device's biometric sensor checks the face locally, and only then does the authenticator sign a one-time challenge from the service with a private key that never leaves the device; the service verifies the signature against the public key it stored at registration and logs the user in. The biometric itself is never sent anywhere. FIDO2 is a set of specifications (the W3C WebAuthn API and the CTAP protocol) published by the FIDO Alliance, whose members include Google, Microsoft, Amazon, Apple and many more, giving an authentication structure that is interoperable and consistent across all platforms.

The difference between FIDO and FIDO2?

The FIDO (Fast IDentity Online) Alliance was founded in 2013 by industry leaders to bring about more secure, interoperable authentication. It created standards intended to reduce the world's reliance on passwords. The main practical difference between the two is that FIDO2 adds the technical advances needed to remove passwords from the authentication process entirely: the original U2F specification only provided a second factor alongside a password, whereas FIDO2 (WebAuthn plus CTAP2) lets the authenticator verify the user locally with a PIN or biometric and store credentials it can present on its own. O'Keeffe stresses that this matters because of habits such as sharing password folders or writing passwords down on a notepad, bad password practices that can put the organisation at risk of being breached.

Which organisations should be engaging with FIDO2?

FIDO2 is commonly used across many organisations today, often without their knowledge. O'Keeffe emphasises that while all organisations using common tools, including Microsoft, AWS and Google Cloud technologies, already have FIDO2-compatible systems, it is up to each organisation to take advantage of the features of the new standard to maximise their protection against adversaries. O'Keeffe highlights that many organisations within risk-averse sectors, including government, finance and insurance institutions, have already taken advantage of the new secure options for authentication, but small and medium sized businesses (20-300 employees) often have a more relaxed attitude to implementing updated security standards, one that is only reviewed after they have already been breached.