Access codes sent by SMS or authenticator apps can be bypassed by clever phishing. Hardware-based tokens make that harder to do.

Every business needs a secure way to collect, manage, and authenticate passwords. Unfortunately, no method is foolproof. Storing passwords in the browser and sending one-time access codes by SMS or authenticator apps can both be bypassed by phishing. Password management products are more secure, but they have vulnerabilities too, as shown by the recent LastPass breach that exposed an encrypted backup of a database of saved passwords. For organizations with high security requirements, that leaves hardware-based login options such as FIDO devices.

Why use FIDO devices for authentication?

The FIDO (Fast Identity Online) standard is maintained by the FIDO Alliance and aims to reduce reliance on passwords for security. It does so by complementing or replacing them with strong authentication based on public-key cryptography. FIDO includes specifications that take advantage of biometric and other hardware-based security measures, either from specialized hardware security devices or from the biometric features built into most new smartphones and some PCs. That makes FIDO and other physical key or token methods more phishing resistant and harder for attackers to bypass.

This is the most complex deployment option, and many websites don’t support it. Many password-management programs do support FIDO, however, which makes it easier to consider adding a physical token key as a second authentication factor to better protect your accounts. NIST provides an overview of available authentication tokens.

Choosing the right type of FIDO device

Start your project by investigating which authentication devices can authenticate with the vendors you currently use, as well as potential future vendors. One vendor of FIDO devices, Yubico, lets you review which vendors it supports.
Your next decision is to determine what type of connectors your organization’s computers and laptops require. We live in a world of multiple USB connections, so you must know whether you need USB-A, USB-C, or Lightning connectors.

As noted in the vendor setup instructions, plan on deploying not one but two FIDO keys so that you have a backup. Should your only hardware token fail, you will be locked out of your password management program and anything else that depends on it.

Tokens can also be used anywhere phishing-resistant multi-factor authentication is needed. By creating a unique key pair for each device and user combination, websites can securely identify and authenticate devices that have been registered with them. Logging in is then streamlined: users only need to prove their identity with a biometric scan rather than entering a password or other security code. All users need to do to complete the login is either place the token key near the computer or insert it into the USB port. Once you’ve pressed your finger on the device, it provides authentication to the application accordingly.

While FIDO and WebAuthn, a web authentication standard that is part of FIDO2, can make online authentication more secure, they do not eliminate all risks. As with any security measure, stay aware of potential threats and take steps to protect yourself online. This includes using strong passwords and being cautious about sharing personal information or clicking on links from unknown sources.