Access codes sent by SMS or authenticator apps can be bypassed by clever phishing. Hardware-based tokens make that harder to do.

Every business needs a secure way to collect, manage, and authenticate passwords. Unfortunately, no method is foolproof. Storing passwords in the browser and sending one-time access codes by SMS or authenticator apps can be bypassed by phishing. Password management products are more secure, but they have vulnerabilities, as shown by the recent LastPass breach that exposed an encrypted backup of a database of saved passwords. For organizations with high security requirements, that leaves hardware-based login options such as FIDO devices.

Why use FIDO devices for authentication?

The FIDO (Fast Identity Online) standard is maintained by the FIDO Alliance and aims to reduce reliance on passwords. It does so by complementing or replacing them with strong authentication based on public-key cryptography. FIDO includes specifications that take advantage of biometric and other hardware-based security measures, either from dedicated hardware security keys or from the biometric features built into most new smartphones and some PCs. That makes FIDO and other physical key or token methods more phishing-resistant and harder for attackers to bypass.

This is the most complex deployment option, and many websites don't support it. Many password-management programs do support FIDO, however, which makes it easier to add a physical token as the second authentication factor to better protect your accounts. NIST provides an overview of available authentication tokens.

Choosing the right type of FIDO device

Start your project by investigating which authentication devices work with the vendors you currently use as well as potential future vendors. One vendor of FIDO devices, Yubico, lets you look up which services its keys work with.
Your next decision is to determine what type of connectors your organization's computers and laptops require. With several USB connector types in use, you must know whether you need USB-A, USB-C, or Lightning connectors. As noted in the vendor setup instructions, plan on deploying not one but two FIDO keys so that you have a backup. Should your only hardware token fail, you will be locked out of your password management program and anything else that depends on it.

Tokens are also useful wherever phishing-resistant multi-factor authentication is required. By creating a unique key pair for each device and user combination, websites can securely identify and authenticate devices that have been registered with them. Logging in is then streamlined: users only need to prove their identity with a biometric scan rather than entering a password or other security code. To complete the login, users either hold the token near the computer or insert it into a USB port, then press a finger on the device; the token then provides the authentication to the application.

While FIDO and WebAuthn, a web authentication standard that is part of FIDO2, can make online authentication more secure, they do not eliminate all risks. As with any security measure, stay aware of potential threats and take steps to protect yourself online, including using strong passwords and being cautious about sharing personal information or clicking on links from unknown sources.
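The per-site key pair and the origin binding described above are what make a FIDO login phishing-resistant, and they are easiest to see in a small end-to-end model. The Go program below is an added example written for this page, not code from the article, the FIDO Alliance or any token vendor. It models the three parties: an authenticator that mints one P-256 key pair per relying party and user, a browser that records the origin it is actually connected to before asking the key to sign, and a relying party (the website) that checks the assertion against its own RP ID and origin. The site name accounts.example.test, the look-alike origin accounts-example.attacker.test and the user alice are constructed; CBOR encoding, attestation and the signature counter are left out, so a production server should rely on a maintained WebAuthn library rather than this sketch.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// Authenticator models a FIDO2 security key: one key pair per (RP ID, user), never reused across sites.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey } // keyed by rpID + "|" + user

// Register mints a fresh P-256 key pair (WebAuthn's ES256); only the public half leaves the token.
func (a *Authenticator) Register(rpID, user string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // the OS CSPRNG is unavailable; a demo has nothing sensible to fall back to
	}
	a.keys[rpID+"|"+user] = priv
	return &priv.PublicKey
}

// Assertion is the login response; Signature covers AuthData || SHA-256(ClientDataJSON).
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// GetAssertion is what the browser calls at login. The browser, not the page, supplies the origin it is
// really connected to and derives the RP ID from it, so a look-alike site at another origin selects a
// credential this key does not have. The signature counter real keys maintain is left out of this model.
func (a *Authenticator) GetAssertion(origin, user string, challenge []byte) (*Assertion, error) {
	rpID := strings.TrimPrefix(origin, "https://")
	priv, ok := a.keys[rpID+"|"+user]
	if !ok {
		return nil, fmt.Errorf("no credential registered for relying party %q", rpID)
	}
	clientData := []byte(fmt.Sprintf(`{"type":"webauthn.get","challenge":"%x","origin":"%s"}`, challenge, origin))
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x05, 0, 0, 0, 0) // rpIdHash || flags UP|UV || counter (zeroed)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, clientData))
	if err != nil {
		return nil, err
	}
	return &Assertion{authData, clientData, sig}, nil
}

// signedDigest is what both sides hash: authData || SHA-256(clientDataJSON).
func signedDigest(authData, clientData []byte) []byte {
	cdHash := sha256.Sum256(clientData)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// RelyingParty is the website: it keeps public keys only and accepts assertions bound to its own RP ID and origin.
type RelyingParty struct {
	RPID, Origin string
	Creds        map[string]*ecdsa.PublicKey
}

// Verify performs the checks a WebAuthn server makes before accepting a login.
func (rp *RelyingParty) Verify(user string, challenge []byte, as *Assertion) error {
	pub, ok := rp.Creds[user]
	var cd struct{ Type, Challenge, Origin string }
	if !ok || len(as.AuthData) < 37 || json.Unmarshal(as.ClientDataJSON, &cd) != nil {
		return fmt.Errorf("unknown user or malformed assertion")
	}
	if cd.Type != "webauthn.get" || cd.Challenge != fmt.Sprintf("%x", challenge) {
		return fmt.Errorf("challenge mismatch (stale or replayed assertion)")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("assertion was produced for origin %q, not %q", cd.Origin, rp.Origin)
	}
	if h := sha256.Sum256([]byte(rp.RPID)); string(as.AuthData[:32]) != string(h[:]) || !ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("rpIdHash or signature does not match the enrolled credential")
	}
	return nil
}

// scenario enrols the key at the real site (constructed name), then logs in from loginOrigin and returns
// the site's verdict. enrolThere also registers the key on that origin, modelling a victim tricked into enrolling there.
func scenario(loginOrigin string, enrolThere bool) error {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{RPID: "accounts.example.test", Origin: "https://accounts.example.test", Creds: map[string]*ecdsa.PublicKey{}}
	rp.Creds["alice"] = auth.Register(rp.RPID, "alice")
	if enrolThere {
		auth.Register(strings.TrimPrefix(loginOrigin, "https://"), "alice")
	}
	challenge := make([]byte, 32) // the real site's fresh random challenge
	rand.Read(challenge)
	as, err := auth.GetAssertion(loginOrigin, "alice", challenge)
	if err != nil {
		return err
	}
	return rp.Verify("alice", challenge, as)
}

func main() {
	fake := "https://accounts-example.attacker.test" // constructed look-alike origin
	fmt.Println(scenario("https://accounts.example.test", false), "|", scenario(fake, false), "|", scenario(fake, true))
}
```

The legitimate login verifies, and the relayed phishing attempt fails at two independent points: first the browser reports the look-alike origin, so the key finds no credential for it and produces nothing the attacker can forward; second, even if the victim had enrolled the key on the look-alike site, the assertion it produces carries that site's origin and rpIdHash and is signed by a different key, so the real site rejects it. Neither check depends on the user noticing anything about the page, which is the property SMS codes and authenticator apps lack.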