
  • (upbeat music)

  • - Hi, I'm Pamela Dingle, Director of Identity Standards

  • at Microsoft and I'm here today to talk to Andrew Shikiar.

  • He is the Executive Director and CMO at the FIDO Alliance.

  • Andrew, it's really great to have you here.

  • - Thank you, it's very nice to be here.

  • - So tell me what FIDO stands for.

  • - So FIDO stands for Fast IDentity Online

  • and FIDO Alliance is a standards organization

  • that's creating open standards for better,

  • simpler, stronger user authentication.

  • In general, what you find is a number of competitors,

  • in any space or collaborators

  • see the need to work together

  • on a piece of technology

  • that's really core to all their businesses,

  • where it makes more sense to collaborate

  • than try to differentiate.

  • And so when FIDO was formed,

  • there was a data breach challenge which persists today.

  • And what FIDO's founders realized

  • is that the core problem associated with data breaches

  • comes down to user authentication.

  • So you know, a dependence on passwords,

  • a dependence on shared secrets that sit on a server.

  • And so what FIDO is fundamentally trying to do,

  • is change the way people authenticate

  • from one that is server-side shared secrets,

  • to a model where consumers

  • and users can authenticate locally

  • to devices that they use every day.

  • - You talk about asymmetric public-key cryptography.

  • How does FIDO match that super fancy cryptography

  • with something people can use?

  • - There are two main ways of authenticating users, right?

  • So one, the traditional way of passwords

  • or shared secrets, has both usability and security problems.

  • So it's funny when I travel

  • and I talk to people about passwords

  • and I say we're trying to get rid of passwords

  • as part of what we're doing,

  • no one's ever said that's a bad idea, right?

  • I think all of us as consumers and as users,

  • can understand the challenge of passwords.

  • The key thing to understand

  • is that this data sits on the server, right?

  • Anything on a server can be spoofed, it can be hacked,

  • it's susceptible to phishing.

  • The other problem associated with this kind of password

  • is that once they're stolen, they can be reused.

  • There's a massive market out there

  • for used credentials on the dark web

  • and that leads to something we call credential stuffing.

  • The statistics around stuffing are staggering.

  • For ecommerce sites, up to 90% of attempted logins

  • are stuffed logins.

  • Stuffing is responsible for over 95% of account takeovers.

  • - What exactly is credential stuffing?

  • - So that's when someone goes on the dark web

  • and buys a username-password combination, right?

  • So we hear about these massive data breaches,

  • like the Yahoo data breach for example,

  • and I was one of those 3 billion identities that was stolen.

  • And you know, the damage to me from Yahoo,

  • doesn't really matter, right?

  • The worst they could do

  • is mismanage my fantasy football team.

  • But the real damage is,

  • if I use that same username, password on my bank

  • or on other sites.

  • And the scary thing is there's around

  • a one to two percent success rate, right?

  • So you're talking about billions

  • of stuffing attempts per day with,

  • say even 1% success rate.

  • That's a massive number of successful logins

  • that shouldn't be happening.

  • Which is why it's costing US businesses alone

  • over $5 billion a year.

  • - If you use the same password for your bank

  • as you use for anything else,

  • you should go change it right now.

  • - So there's basic password practices,

  • which Microsoft does a good job of articulating

  • and educating people on.

  • Any MFA, right?

  • Any sort of MFA, even SMS OTP,

  • which we'll talk about in a second,

  • eliminates 99% of account takeover.

  • - An MFA is multifactor authentication,

  • and the whole idea is it's not just one thing.

  • If you use a password, you're using a thing you know,

  • that's only one, what we call a factor.

  • With multi-factor authentication,

  • you can use something you know or something you have,

  • you know, your phone for example.

  • And then the other one is something you are,

  • which is biometrics, meaning you're gonna use your face

  • or your thumbprint, stuff like that, right?

  • - So FIDO is solving the problem by creating standards,

  • as we're creating the standards

  • for FIDO authentication, right?

  • So again, it leverages that big word,

  • asymmetric public-key cryptography.

  • But what that really means is that

  • instead of putting a password on a server,

  • we use a key pair, and it's called a private key,

  • which sits with you on your device and a public key,

  • sits on a server.

  • Unlike a password, the public key has no material value.

  • All right, so some hacker comes in

  • and steals a whole raft of public keys.

  • There's nothing that could be done with those.

  • And now when I go to log in,

  • once I'm set up in the FIDO account, I have to unlock,

  • basically activate the private key on my device

  • and I can do that by a biometric

  • or any sort of way of verifying myself to my device,

  • which I can uniquely do,

  • and then that key pair can be matched.

  • There's a lot of data exchange in that interchange

  • that's unique to the website, unique to the private key,

  • that makes it such that only you,

  • with that device can log into that site.

  • - I mean, this is sort of the "Holy Grail"

  • of authentication.

  • It should be easy for the user and it should be really,

  • really difficult for the hacker.

  • And that of course does not happen with passwords.

  • Passwords tend to be really hard for users

  • and really easy for hackers.

  • - So if you look at this from a business standpoint,

  • you know passwords are a liability, right?

  • So you're basically managing,

  • if you're managing consumer identities,

  • managing tens or hundreds of millions

  • of very valuable pieces of information which are at risk,

  • they're sitting on a server.

  • So that's a major liability.

  • There's also a usability issue for businesses.

  • If people can't remember a password,

  • passwords lead to like half of shopping cart abandonments.

  • So that's money on the table that you're not getting,

  • 'cause people can't log in.

  • For consumers, the risk is identity theft,

  • account takeover, bad charges, all the negative things

  • that happen when your identity is stolen.

  • And then you know, you look at new form factors, right?

  • So I just redid my house,

  • and I have all these smart TVs,

  • I'm trying to log in to smart TVs

  • and remembering my passwords,

  • 'cause it's all password based.

  • I can remember my passwords

  • 'cause I have my own approach to it.

  • But then entering it with remote controls is like

  • the Seventh Realm of Hell.

  • - It's terrible (chuckles).

  • - It's horrible.

  • It's a bad experience, right?

  • So again, trying to simplify the user experience

  • while providing a more secure user experience

  • is really what FIDO's very much focused on.

  • - I mean we've talked about public-key cryptography

  • and all this great sort of thing,

  • but what is it that users actually get to see

  • and do that is so much better than passwords?

  • - Consumers have gotten accustomed to using a biometric

  • on a device every day, right?

  • At first it was unnatural

  • to unlock your phone with a thumbprint

  • rather than tapping in a passcode.

  • Or also sometimes in enterprise, you'll get a security key.

  • They come in a number of form factors

  • from a USB key to NFC cards, whatever it may be,

  • that allows you to use that as a second factor

  • or as a primary source of logging in as well.

  • - I mean, that sounds great, but I'd love to see one,

  • do we have any here?

  • - As a matter of fact, we do.

  • - Wow!

  • - I travel with a pocket full of security keys

  • out of best practice.

  • These are some examples of these.

  • So this is a USB transport.

  • - Let me see, I will play hand model.

  • - This one actually uses a FIDO certified mark,

  • which I like them doing.

  • So we certify these devices,

  • to show that they truly do interoperate with each other.

  • So this is a FIDO2 security key.

  • It has both the USB where you just have to touch it,

  • and it also has a biometric scanner too.

  • - So it literally doesn't work

  • unless you scan your fingerprint?

  • - Correct, correct.

  • So it's an even higher level of authentication

  • than just proving presence.

  • - That's great.

  • - This one is a Bluetooth model.

  • It supports Bluetooth and I think NFC.

  • You just click it.

  • - So basically you don't have to plug this in obviously.

  • So you would pair it with your laptop

  • and then it would just magically ask you to touch it.

  • - They ask you to insert or activate your FIDO security key.

  • In this case, you just press that button.

  • That'll communicate via Bluetooth to your laptop

  • or your tablet or your smartphone.

  • Speaking of smart phones, this one has a USB-C,

  • which is good for modern laptops,

  • but also for a lot of Android devices these days,

  • or any device that has USB-C power.

  • Whereas initially, I think it's fair to say,

  • that the security keys are primarily used

  • on the desktop in the enterprise.

  • What we're seeing now is these innovations

  • to bring security keys to mobile phone users

  • and device users as well.

  • - I don't know if you can see this,

  • but there's these little touchpoints on either side.

  • The whole idea is you always have

  • to have a human gesture in FIDO.

  • So it can't just be all computers.

  • There has to be a human element.

  • So you plug it in, and then when you're prompted,

  • you just touch the side and then you're logged in.

  • - And last but not least, this is, I love this one.

  • This could also serve as an employee badge.

  • You have a badge, it gets you in the door,

  • but you can now have that same badge

  • that gets you in the door,

  • it can also be your FIDO security key.

  • So, communicating by NFC or Bluetooth to your laptop

  • as a security key.

  • There's even like a little USB thing

  • that's fixed in there as well.

  • It's an incredibly--

  • - Is this awesome or is this awesome?

  • - It's awesome, so you think about perimeter security,

  • logical security, access security,

  • all those things are built into one key.

  • This is a tiny sampling.

  • We have over 600 FIDO certified products on the market.

  • And depending on your use-case

  • or your company's use-case,

  • you can bring a blend of these into the enterprise.

  • - What we love about it at Microsoft is that,

  • we can get out of the business

  • of making authenticators, right?

  • We can build to a standard

  • and then the standard allows

  • anyone who wants to build something to be enabled.

  • So for us we feel like it fosters innovation by being open.

  • - It all comes back to the benefit of standards

  • and collaboration.

  • - Microsoft participates, Google participates,

  • Apple participates, all of these big companies.

  • So how do they work together to make this happen?

  • - It starts with specifications, right?

  • So we have technical specifications

  • that underlie FIDO authentication.

  • The specifications are developed mutually

  • amongst these large companies

  • and then they're ratified and eventually,

  • we test products on top of that

  • through the Inter-op Certification Test.

  • - I know on the part of Microsoft,

  • we feel like FIDO Alliance is incredibly strategic to us,

  • for this very reason that you can't replace passwords

  • with one proprietary solution.

  • If we're gonna change the way

  • that people represent themselves online,

  • we have to do it across the board.

  • It has to work everywhere all the time.

  • And so you should be able to log in on an Apple computer

  • to authenticate to a Microsoft service

  • that then takes you across on Google browser

  • and maybe uses an additional key

  • made by a small manufacturer

  • that happens to make the right kind

  • of security paradigm work for a customer.

  • And certainly for Microsoft,

  • we really believe in getting the world

  • to a place where they can use anything they want,

  • anytime they want and anywhere they want.

  • - Absolutely, and there's a commitment, right?

  • It's not just a financial and a verbal commitment,

  • but there's a product commitment.

  • So last year, in 2019,

  • we saw major platforms start to support FIDO and FIDO2.

  • Right, so led by Microsoft with support of FIDO2

  • in Windows Hello.

  • We know that any Windows 10 PC

  • now has FIDO capabilities built in.

  • It's amazing.

  • - So great.

  • - Android, so Google making Android,

  • you know the same thing basically.

  • So any Android 7.0 or later handset,

  • can serve as a FIDO authenticator.

  • So both these instances, that means

  • that when the service provider supports FIDO,

  • they could allow me to authenticate

  • with the platform authenticator,

  • with that biometric on my PC,

  • with that biometric on my Android phone.

  • - Right, it's collaborative security.

  • That's what I love about it.

  • - Absolutely.

  • - We use standards so that there's no advantage either way

  • for anyone, but everyone can participate.

  • - All right, so now we have billions of devices

  • that are FIDO capable.

  • Every web browser now is FIDO capable.

  • And I think our next challenge as an organization

  • is enabling deployments, right?

  • So best practices for how you deploy to consumers?

  • - I would love to see what this might look like.

  • These are cool.

  • - Yeah, they're cool.

  • - How do they work?

  • - One example would be like Google services,

  • which has long supported FIDO authentication.

  • When I go to login to Google,

  • I'm then prompted to show my security key.

  • And my security key can be any of these things.

  • So if I take this USB key, for example,

  • I just insert this in the USB port

  • and I touch this to prove that I'm physically present

  • with that device.

  • - So I brought my key, this is the one I use every day.

  • So you can see it's a slightly different key

  • from the ones we've seen.

  • So every morning I open my laptop,

  • use my finger on the reader and I go to work.

  • Nothing gets in the way,

  • I don't have to pull anything out of my bag,

  • but the one time maybe my fingerprint doesn't work,

  • I pull out my security key, plug it in

  • and I can still go to work.

  • So it gives you this flexibility.

  • - Absolutely, and it's also good

  • in the event you've changed your laptop.

  • So speaking of fingerprint, on my Pixel phone,

  • I could log into eBay, for example.

  • eBay has enabled FIDO2 at point of login on Android.

  • Instead of asking for a password, now I just use my fingerprint.

  • - Right, I think the value proposition for FIDO

  • that's really important for people to understand,

  • is we're talking about mixing

  • and matching all of the vendors, all of the hardware.

  • - And it's not just getting rid of,

  • forcing the user to enter a password,

  • what FIDO does is fundamentally change that.

  • It has further security for the user

  • and for the service provider

  • that's actually invisible to the user at this point.

  • And a big part of what FIDO does also

  • is protect user privacy.

  • I think it's very important.

  • All my credentials stay local in my device.

  • Whether it's my biometric or a PIN code, whatever it is,

  • that's never transmitted over the internet.

  • It's not sitting on a server, no one has access to that

  • other than the encrypted key on your device.

  • - So one of the things that Microsoft takes very seriously

  • is diversity and inclusion.

  • And we have a lot of work that we do in our products

  • and around the world on accessibility and inclusion.

  • So how do you feel FIDO Alliance helps move us

  • in that direction?

  • - Yeah, when you move to strong authentication,

  • simplicity is really important, right?

  • Especially for like emerging markets or more at-risk,

  • cohorts of society, many of these people don't have a password

  • or they're using a device for the first time.

  • So they need to have systems

  • that allow them to securely access identity credentials

  • and online services,

  • without putting them at risk of being phished.

  • - I think the worldwide availability of this

  • is an advantage as well,

  • because you don't have to buy an expensive solution.

  • You can in fact use things like,

  • the hardware that comes with your laptop.

  • - Right now in India, people use SMS OTP

  • to verify log transactions,

  • which has a really poor deliverability rate.

  • Almost 80%, but that's still 20% of transactions

  • have a hard time being consummated.

  • And so we have vendors who are now bringing us

  • into market in India, where instead of doing that,

  • you just use the local PIN code on the device.

  • So it's not a biometric,

  • so you don't need a super high end device.

  • The PIN code leveraging the FIDO model is just as good

  • 'cause it's local and it can't be transmitted or stolen.

  • - All of these different authenticators

  • can evolve to meet different markets too, right?

  • - Absolutely, absolutely.

  • A little closer to home,

  • we look at aging population here in the US

  • or kids in the US, right?

  • They have unique needs also

  • and we need to protect these people

  • from getting taken advantage of.

  • And we think that FIDO is one way

  • that they can very easily learn how to authenticate,

  • without having to take on the risk of passwords

  • or getting phished.

  • - Has there ever been a time

  • where this kind of inclusion has hit you personally?

  • - I have two little girls

  • and they're in an elementary school

  • and I walked them in the first day of school this year

  • and everyone got a Chromebook and they're like okay,

  • go to the wall, and there's your name, there's your device,

  • there's your password on the wall.

  • Is it a huge thing?

  • Not necessarily, but it's teaching bad password hygiene,

  • but also it puts them at risk.

  • It's a tough challenge, right?

  • And so the reason why they have that password thing there

  • is because otherwise the kids will forget it.

  • So this goes to like, what's FIDO?

  • How would FIDO do this?

  • I wouldn't trust her school district to share

  • and store my kids' biometrics, let alone most of their data.

  • But with the FIDO authentication approach,

  • they certainly could actually use a biometric

  • on those devices, which are all biometric equipped

  • and log in that way rather than having to

  • have shared passwords across the classroom.

  • - Well I wanted to ask you about something fun.

  • Something you do for a good time around the house.

  • So, tell me what kinds of books you're reading.

  • - So a book I read recently,

  • which resonated with me strongly,

  • was a book called "A Woman of no Importance."

  • It's a story of a woman by the name of Virginia Hall,

  • in the 1930s.

  • She's an American woman

  • from actually a nice family in Baltimore.

  • She had a thirst for adventure.

  • She went to Europe and really found herself in Europe,

  • then the war was coming.

  • She somehow found herself being at the tip of the spear

  • of the resistance against the Nazis.

  • What she did was so successful

  • and it got to the point

  • where she was the number one most wanted spy,

  • being pursued by the Nazis.

  • Amazing story, and she did all this, mind you, on one leg,

  • not to try to bring us back to FIDO,

  • but all of us inside the FIDO Alliance,

  • I think we have a little missionary thing about us, right?

  • I think I'm going back to the diversity inclusion theme.

  • I think the fact that she was a woman held her back.

  • She actually had to fight all the institutional sexism,

  • but after her service,

  • she never really got the recognition she deserved.

  • - Well, thank you so much for spending your time,

  • talking about what we're working on,

  • and I just wanna say on behalf of Microsoft,

  • that we really enjoy working in the Alliance

  • and it feels like this is a big deal.

  • It feels like we are pushing towards a world

  • where we can actually eliminate passwords.

  • - Well, thank you for having me and thanks to Microsoft

  • for the support of the Alliance.

  • I can say unequivocally

  • that without Microsoft's kind of staunch support of FIDO

  • and everything we're doing,

  • not just from a technical standpoint,

  • but from a marketing and branding standpoint,

  • and really helping educate the world about FIDO.

  • Without that support,

  • I don't think we would be as far along as we are.

  • (upbeat music)



Inside Identity: Moving to a passwordless world with the FIDO Alliance

Eric Chen, published July 1, 2022