Access codes sent by SMS or authenticator apps can be bypassed by clever phishing. Hardware-based tokens make that harder to do.

Every business needs a secure way to collect, manage, and authenticate passwords. Unfortunately, no method is foolproof. Storing passwords in the browser and sending one-time access codes by SMS or authenticator apps can be bypassed by phishing. Password management products are more secure, but they have vulnerabilities, as shown by the recent LastPass breach that exposed an encrypted backup of a database of saved passwords. For organizations with high security requirements, that leaves hardware-based login options such as FIDO devices.

Why use FIDO devices for authentication?

The FIDO (Fast Identity Online) standard is maintained by the FIDO Alliance and aims to reduce reliance on passwords for security. It does so by complementing or replacing them with strong authentication based on public-key cryptography. FIDO includes specs that take advantage of biometric and other hardware-based security measures, either from specialized hardware security gadgets or the biometric features built into most new smartphones and some PCs. That makes FIDO and other physical key or token methods more phishing resistant and harder for attackers to bypass.

This is the most complex deployment, and many websites don't support it. Many password-management programs do support FIDO, however. This makes it easier to consider adding a physical token key as the second authentication process to better protect your accounts. NIST provides an overview of available authentication tokens.

Choosing the right type of FIDO device

Start your project by investigating which authentication devices can authenticate with the vendors you currently have as well as potential future vendors. One vendor of FIDO devices, Yubico, allows you to review the vendors they support.
Your next decision is to determine what type of connectors your organization's computers and laptops require. We live in a world of multiple USB connections, so you must know if you need USB-A, USB-C, or Lightning connectors. As noted in the instructions regarding vendor setup, plan on deploying not one, but two FIDO keys to ensure you have a backup. Should your only hardware token fail, you will be locked out of your password management program and any other item that depends on it.

Tokens can also be used wherever phishing-resistant multi-factor authentication is needed. By creating a unique key pair for each device and user combination, websites can securely identify and authenticate devices that have been registered with them. The process of logging in is then streamlined, as users only need to prove their identity with a biometric scan rather than entering a password or other security code. All users need to do to complete the login is to either place the token key near the computer or insert it into the USB port. Once you've pressed your finger on the device, it provides authentication to the application accordingly.

While FIDO and WebAuthn, a web authentication standard that is part of FIDO2, can make online authentication more secure, they do not eliminate all risks. As with any security measure, stay aware of potential threats and take steps to protect yourself online. This includes using strong passwords and being cautious about sharing personal information or clicking on links from unknown sources.