Access codes sent by SMS or authenticator apps can be bypassed by clever phishing. Hardware-based tokens make that harder to do. Credit: Cybrain / Getty Images Every business needs a secure way to collect, manage, and authenticate passwords. Unfortunately, no method is foolproof. Storing passwords in the browser and sending one-time access codes by SMS or authenticator apps can be bypassed by phishing. Password management products are more secure, but they have vulnerabilities as shown by the recent LastPass breach that exposed an encrypted backup of a database of saved passwords. For organizations with high security requirements, that leaves hardware-based login options such as FIDO devices. Why use FIDO devices for authentication? The FIDO (Fast Identity Online) standard is maintained by the FIDO Alliance and aims to reduce reliance on passwords for security. It does so by complementing or replacing them with strong authentication based on public-key cryptography. FIDO includes specs that take advantage of biometric and other hardware-based security measures, either from specialized hardware security gadgets or the biometric features built into most new smartphones and some PCs. That makes FIDO and other physical key or token methods more phishing resistant and harder for attackers to bypass. This is the most complex deployment, and many websites don’t support it. Many password-management programs do support FIDO, however. This makes it easier to consider adding a physical token key as the second authentication process to better protect your accounts. NIST provides an overview of available authentication tokens. Choosing the right type of FIDO device Start your project by investigating which authentication devices can authenticate with the vendors you currently have as well as potential future vendors. One vendor of FIDO devices, Yubico, allows you to review the vendors they support. Your next decision is to determine what type of connectors your organization’s computers and laptops require. We live in a world of multiple USB connections, so you must know if you need USB-A, USB-C, or Lightning connectors. As noted in the instructions regarding vendor setup, plan on deploying not one, but two FIDO keys to ensure you have a backup. Should your only hardware token fail, you will be locked out of your password management program and any other item that depends on it. Tokens can also be used where the need for phishing-resistant multi-factor authentication is needed. By creating a unique key pair for each device and user combination, websites can securely identify and authenticate devices that have been registered with them. The process of logging in is then streamlined, as users only need to prove their identity with a biometric scan rather than entering a password or other security code. All users need to do to complete the login is to either place the token key near the computer or insert it into the USB port. Once you’ve pressed your finger on the device, it provides authentication to the application accordingly. While FIDO and WebAuthn, a web authentication standard that is part of FIDO2, can make online authentication more secure, they do not eliminate all risks. As with any security measure, stay aware of potential threats and take steps to protect yourself online. This includes using strong passwords and being cautious about sharing personal information or clicking on links from unknown sources. Related content how-to Download the SASE and SSE enterprise buyer’s guide From the editors of our sister publication Network World, this enterprise buyer’s guide helps network and security IT staff understand what SASE (Secure Access Service Edge) and SSE (Secure Service Edge) can do for their organizations and how t By Neal Weinberg May 13, 2024 1 min Remote Access Security Network Security Enterprise Buyer’s Guides news IntelBroker steals classified data from the Europol website The agency said core operations remain unaffected even as IntelBroker claimed to possess classified, law enforcement data. By Shweta Sharma May 13, 2024 3 mins Data Breach Hacker Groups feature Ridding your network of NTLM The path to eradicating this ancient protocol and security sinkhole won’t be easy, but the time has come for its complete eradication. By David Strom May 13, 2024 8 mins Authentication Windows Security Network Security news CISA inks 68 tech vendors to secure-by-design pledge — but will it matter? CISA’s pledge drew some big names, but the impact on software security could be limited. Meanwhile the org has extended its comment period on the CIRCIA cyberattack reporting law. By Jon Gold May 10, 2024 4 mins Regulation Technology Industry Security Practices PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe