Would-be password-killer FIDO Alliance aims to boost uptake with new UX guidelines

The FIDO Alliance, which operates with no smaller mission than to "reduce the world's over-reliance on passwords", has announced the release of new user experience (UX) guidelines aimed at bringing the more technophobic on board. Launched back in 2013 as the Fast Identity Online Alliance, the FIDO Alliance aims to do away with …

  1. Anonymous Coward

    FIDO got stuck...

    ...between traditional/USB smart cards for enterprise use, and smartphone based 2-factor authentication.

    Realistically, most people will use Google or Facebook authentication with whatever security options those provide rather than directly fiddling with FIDO...

  2. hayzoos

    People don't see the need

    Ransomware is the cybercrime du jour. FIDO does not solve that problem. The problem FIDO does solve is not scary enough for people to want to take the effort to use it. This applies across the scale at the individual and enterprise levels. For the implementors, SMS is king. In the US banking industry, SMS is good enough for regulators, so banks generally offer only SMS as 2-factor whilst it is required by many banks. Other industries use the banking industry as their comparison, with most seeing themselves as not needing more security than a bank. The threat landscape would have to change for those viewpoints to change.

  3. NonSSL-Login

    Lost Devices

    Losing a device and thus access seems to be a major concern for many.

    Despite the insecurities, with a phone and an SMS 2FA you can lose your phone, get a new one and still have the same number to receive a token and continue to login to your accounts.

    Lose a USB 2FA key and you are unable to log in is the general thought. Similar to OTP generators when losing/changing phones: I guess you can save a seed somewhere, but most people are not sure so don't risk it.

    People need to know the info and not in market speak.

    1. Bitsminer

      Re: Lost Devices

      Don't most services allow to register multiple devices? I know github does.

      1. Michael Wojcik

        Re: Lost Devices

        That requires having multiple devices.

        And, of course, it's not just losing a phone. Phone-based authentication also fails when the phone breaks. I've never lost a phone; I've had half a dozen break over the past ten years. Generally it's immediate, unrecoverable failure, like my Asus phone where the touch screen completely stopped responding one day.

        And phones are tempting targets for theft.

        Dedicated devices such as RSA SecureID have better threat models, but they can still be lost or forgotten.

        We know there are many problems with physical-object authentication ("something you have"), because we've been dealing with those for pretty much all of history. That doesn't mean other types of authentication don't have problems, but trying to handwave those problems away while insisting physical-object is superior is not going to be very persuasive to many people.

    2. Dan 55

      Re: Lost Devices

      In an age of app data backups to the cloud, why is it a problem to save OTP data?

  4. Jin

    Remove password and army and you will have stronger identity security and national defense

    Passwords are vulnerable to abuse while army is vulnerable to air attack. Remove the vulnerable passwords and we will get a more secure identity security. Remove the vulnerable army and we will get a more secure national defense. Adversaries will be very comfortable in both cases.
