US commission whistles to FIDO: Help end ID-based hacks by 2021

A White House commission on improving cybersecurity has come up with a list of recommendations for US president-elect Donald Trump’s administration – including a target for no big hacks to involve identity-based compromises.

The US Commission on Enhancing National Cybersecurity has identified 16 key recommendations on security and growing the digital economy.

The report (pdf, 100 pages) lays out an ambitious goal that by 2021 there should be no major breaches in which identity – especially the use of passwords – is the primary vector of attack.

This goal will require the development and broad adoption of improved identity authentication technologies.

The commission name-checked the Fast IDentity Online (FIDO) Alliance as an organisation that can help in achieving this goal: “Other important work that must be undertaken to overcome identity authentication challenges includes the development of open-source standards and specifications like those developed by the Fast IDentity Online (FIDO) Alliance,” it said.

In a blog post, the FIDO Alliance outlined how the US government achieve its goal to move beyond passwords.

Brett McDowell, executive director of the FIDO Alliance, said: “Through continued partnership between industry and government – and by following the Commission’s recommendations around identity and authentication – I am confident the new US administration, with the help of global consortia like the FIDO Alliance, can make meaningful progress toward that five-year goal of eliminating identity-related data breaches.”

“The commission has recognized that solving the password problem and closing off identity as an easily exploited vector of attack is a clear priority,” he added.

The FIDO Alliance has more than 250 members including device manufacturers, banks, payment card networks, several governments and dozens of security and biometrics vendors. Its main goal is to push simpler, stronger authentication.

FIDO’s work includes drafting specifications for simpler, stronger authentication experiences that reduce reliance on passwords and protect people from phishing and the misuse of login credentials exposed as the result of data breaches. Microsoft, Google, PayPal and the Bank of America are all part of the alliance.

Last month the UK government unveiled a national cybersecurity strategy that similarly charted a course towards moving beyonds passwords for online authentication, as previously reported. “A common theme in both countries has been the need to balance security with usability, privacy and interoperability,” FIDO’s McDowell concluded.

George Avetisov, chief exec and co-founder of biometric technology firm HYPR, agreed that authentication needs to be at the top of the list of the new President's actions to improve overall cybersecurity.

The rapid adoption of technologies like "selfie pay" have shown that there is an urgent need to shift away from passwords and over to “easy to use” identity solutions, he added.

PKWARE CTO Joe Sturonas noted the absence of much description about encryption in the lengthy report.

“It’s notable that the word encryption appears only twice across the 100 pages of the commission on enhancing national cybersecurity," Sturonas said. "For a paper that talks specifically about the NIST cybersecurity Framework and IoT (there are 52 mentions of IoT), it seems as though encryption should have come up a little more.

"For an Administration that presided over the OPM breach, it might stand to reason that encryption of sensitive data might have taken a more prominent role in the recommendations for the next Administration. Considering how a lack of encryption of data itself has been a major point of vulnerability in every recent breach that has occurred, it is concerning that the commission on enhancing national cybersecurity has not emphasized encryption in their recommendations,” he added.

Open-source standards and specifications developed by the Fast Identity Online (FIDO) Alliance will allow for the best and most secure available experience online experience, according to HYPR. ®