Organizations Need Stronger Authentication—Is FIDO The Answer?
Expert Insights interviews Will LaSala, Field CTO at OneSpan.
Traditional methods of authentication, such as passwords and SMS OTPs, simply aren’t good enough, Will LaSala, Field CTO at OneSpan, tells Expert Insights. They’re clunky, difficult to manage, and insecure—and businesses should switch to FIDO as a stronger alternative.
The Big Picture: 74% of all successful breaches involve the human element—that typically means they involve social engineering, stolen credentials, or privilege misuse. But clunky user authentication processes mean that less than half of teams are using MFA controls that can protect against account compromise.
Driving The Issue: The main challenges that organizations face when it comes to deploying authentication solutions are usability and security, says LaSala.
- “We’re still using things like static passwords, SMS authentication, and knowledge-based questions and answers. Those are all very insecure methods.”
- “Static passwords are often super complex; you need exclamation points, special characters, letters, and numbers, and it needs to be 15 characters long. This leads to a really bad user experience. With SMS, the SMS comes through a network that’s insecure; it isn’t encrypted, and that means that anyone can read it and can steal it without you even knowing.”
- “What also often gets overlooked is the cost of these solutions—not just how much the authentication solution costs to purchase, but also the cost of educating the end user on how to use it, getting the help desk support in place, and making certain that users understand where they need to go in case of other problems. For example, if a user can’t access their phone anymore, how do you allow that user to still authenticate?”
Where Is Identity Security Headed? According to LaSala, the answer to secure, user-friendly identity security lies in FIDO technologies.
- “FIDO is the next generation of authentication solutions,” LaSala says. “The technology allows for really strong authentication by allowing the user to manage their own authentication; the device itself creates the credentials that are used for your different applications. It’s not the same credentials for every single site, but they’re all on the same device, so you don’t have to carry around multiple devices and you don’t need to use different types of authentication for all these different locations.”
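As an added illustration (not code from the interview, OneSpan, or the FIDO Alliance), the Go sketch below models the property LaSala describes: the authenticator generates a separate key pair for each relying party, keeps every private key on the device, and only signs a fresh challenge for the RP ID the browser supplies. The RP IDs are constructed values, and the single hash over RP ID and challenge stands in for the client-data and authenticator-data structures that real FIDO2/WebAuthn signs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models a FIDO device: one key pair per relying party (RP ID), kept on the device.
type Authenticator map[string]*ecdsa.PrivateKey
// Register creates a fresh key pair bound to rpID and hands back only the public key.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}
// Assert signs the RP's challenge with the key bound to rpID; the browser derives rpID from the real origin, so a look-alike domain finds no matching credential.
func (a Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %s", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, assertionHash(rpID, challenge))
}
// assertionHash stands in for WebAuthn's client-data and authenticator-data hashes (simplified here).
func assertionHash(rpID string, challenge []byte) []byte {
	sum := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return sum[:]
}
// Verify is the relying party's check against the public key stored at registration; the challenge is fresh per login, so a captured signature cannot be replayed.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, assertionHash(rpID, challenge), sig)
}
func main() {
	dev := Authenticator{}
	bankPub, _ := dev.Register("bank.example") // constructed RP IDs
	shopPub, _ := dev.Register("shop.example")
	ch := make([]byte, 32) // the RP's random challenge for this login
	rand.Read(ch)
	sig, _ := dev.Assert("bank.example", ch)
	_, phishErr := dev.Assert("bank-login.example", ch)
	fmt.Println("distinct key per site:", !bankPub.Equal(shopPub))
	fmt.Println("bank accepts assertion:", Verify(bankPub, "bank.example", ch, sig))
	fmt.Println("look-alike site has no credential:", phishErr != nil)
}
```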
FIDO can support multiple use cases, LaSala says. While its current focus is mainly on authenticating login requests, in the future we can expect it to authenticate transactions such as making payments and insurance claims, accessing medical histories, and more.
- “We’re excited to see how organizations embrace [FIDO] and the different applications that this will open up. For example, organizations tend to consider the risk to deploy an application with certain features and functions, and oftentimes they don’t allow risky functions because they’re worried about attacks. FIDO and strong authentication allow businesses to deploy these riskier transactions, so that they can do more business with their customers.”
The Bottom Line: “FIDO technology will make the next generation of authentication and transaction security much easier for users.”
Final Advice: LaSala’s advice for businesses looking to implement a FIDO-based authentication solution is to prioritize educating end users on why they need strong authentication.
- “You should be educating your end users on what to do when they’re using the application. I’ve seen many solutions that haven’t worked for customers because they simply rolled it out and said ‘OK, here you go.’ You have to educate your users on what you’re doing, what this means to them, how secure this is, and really what security means in general for them.”
🎙️Listen to our full conversation with Will LaSala on the Expert Insights Podcast.
About Expert Insights
Expert Insights saves you time and hassle by rigorously analyzing cybersecurity solutions and cutting through the hype to deliver clear, actionable shortlists.