FIDO2 Moves Forward with Passwordless Authentication
FIDO, Finally, Almost: Passwordless authentication is now becoming a possible dream, thanks to the ongoing standards work at the Fast Identity Online (FIDO) Alliance and the collaboration between competitors, such as Microsoft and Google.
Sources: RSA Conference 2018 (upper figure),… Continue reading
Combatting Security Fatigue and Apathy
Security fatigue leads to resignation, causing users to abandon efforts to protect themselves or their organizations.
A new NIST study found that for many users, managing logins and passwords has become too burdensome to do well. Some users… Continue reading
Token Bindings to Gear Up Authentication Assurance
In last year’s “Passwords are Overloaded, Not Dead” I voiced skepticism that security’s oldest construct would be replaced anytime soon. But many in the industry continue working to replace passwords, and while their marketing slogans may… Continue reading
Identity Management: The Times They Are A-Changing
In a very interesting article on New Tools for Modern Identity, Mark Diodati addresses new challenges with user authentication. He argues that adaptive authentication, and mobile biometric authentication are here to stay. I agree and encourage folks to… Continue reading
A Two Factor Authentication Makeover for your Protection
Cybercrime. SpyEye. Zeus. Anonymous. APT1. PRISM. Bullrun. Hackers of every sort are everywhere. As I wrote in “TrustNo One Device (Part 2)” and “Direct Memory Access (Again)” you have no assurance your device isn’t … Continue reading
Russian Billion-Password Hack: Just Another Teachable Moment?
Some greeted the New York Times Russian Hackers Amass Over a Billion Internet Passwords with elation (“Wow – this will help sell our product!“) but seasoned security experts picked the reports apart with cynical ease:
- “My… Continue reading
Back to the Future (of Identity)
Lately the proposals for “identity oneness” are back in force. And for me, deja vu. I’ve been through the year of PKI and so many grand efforts that I long ago came down on Kim Cameron’s side that what we… Continue reading
Net Quake: What to do about Heartbleed?
From Schneier on Security: “Heartbleed is a catastrophic bug in OpenSSL: ‘The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.… Continue reading
Out of the Box Thinking on Password Policies
For all that authentication vendors may proclaim “the death of passwords,” the pesky things aren’t going away. In fact, I don’t think they should. However, I’ll be the first to acknowledge how broken password authentication is in current practice. Sardonically… Continue reading
Federated Identity: Broad or Strong?
Broad deployments of federated identity have arrived in the form of social login. But in 2013 we find federation on the horns of a dilemma; can it be both broad and strong?
Federated identity, especially in the form OAuth… Continue reading