FIDO Alliance Specifications Miss the ‘Keys to the IT Kingdom’: Privileged Accounts
There has been a lot of news about the recent FIDO (Fast Identity Online) Alliance announcement, much of it reading the specifications as the death of passwords and a turning point for stemming the rash of massive data breaches. Will they really be that? They are a great step forward, but they miss the point that consumer passwords and privileged account credentials are very different things, and that the value of protecting each has to be weighed differently.
The simple fact is that attackers covet privileged access (you can read a quick post on why here). Privileged accounts are exploited in almost every targeted cyber attack: threat investigators report that between 80 and 100 percent of the serious security incidents they have investigated carried the “signature” of compromised and exploited privileged accounts somewhere in the attack chain. FIDO’s work does not address this at all.
So what is FIDO doing? Backed by industry heavyweights including Microsoft, Google, PayPal, Bank of America and MasterCard, FIDO issued the first fully completed drafts of two specifications: the Universal Authentication Framework (UAF), which targets passwordless authentication, and Universal 2nd Factor (U2F), which adds a hardware second factor alongside an existing password. Both aim at taking the password out of the critical path of consumer logins. In the world of consumer passwords, these specifications are a great step forward.
However, as an industry we need a clear delineation between personal passwords and those tied to organizational assets. While it is reasonable to let users manage their own personal credentials, no employee or contractor should ever be put in the position of creating, managing or changing passwords for privileged accounts. Password reuse, predictable template-based passwords that fall quickly to brute force (a dictionary word, a year and a trailing symbol), and many other weaknesses all arise from policies that let employees manage these critical asset passwords. Such credentials need to be managed by the organization and handled in a completely different manner than personal passwords.
Will FIDO be a boon for stemming the rash of massive data breaches? No. Until the ‘privileged account problem’ is solved, breaches will continue.
Organizations need a better solution to protect key passwords, such as those for privileged accounts that control access to their most sensitive assets. An automated password management tool is essential for making privileged account credentials as secure as possible. Once deployed, managed passwords are far longer and more random than anything a person would choose, and nobody has to remember them. It also limits what malware can do with a password captured through key logging, screen capture or other interception: a credential that is checked out for a task and rotated on check-in is useless to the attacker shortly afterwards, and one that the tool injects into the session without ever displaying it is never typed at all. The protection comes from the rotation and the brokering, not from the vault by itself.
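The two points above, that human-chosen template passwords are weak against an attacker who knows the pattern and that machine-managed credentials should be random and rotated on check-in, are illustrated by the following Python sketch. It is an added example written for this page, not code from the FIDO specifications or from any vendor's product. The `TargetSystem` class, the `Vault` class, the 32-character default length and the guessing-space sizes used for the template password are all assumptions chosen for illustration; the sample account and its starting password are constructed.

```python
from __future__ import annotations

import math
import secrets
import string
from dataclasses import dataclass, field

# Character set for machine-generated credentials: 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 32, alphabet: str = ALPHABET) -> str:
    """Draw each character uniformly from `alphabet` using the OS CSPRNG (secrets)."""
    if length < 16:  # assumption: a managed credential should never be short
        raise ValueError("managed credentials must be at least 16 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def template_entropy_bits(words: int = 10_000, digits: int = 4, symbols: int = 4) -> float:
    """Guessing entropy of a human template such as 'Summer2014!' against an attacker
    who knows the pattern: one dictionary word, a 4-digit number, one trailing symbol.
    The space sizes are assumptions for illustration, not measurements."""
    return math.log2(words) + digits * math.log2(10) + math.log2(symbols)


class TargetSystem:
    """Stand-in for a server whose privileged account the vault manages (constructed)."""

    def __init__(self, account: str, password: str) -> None:
        self.account = account
        self._password = password

    def set_password(self, new_password: str) -> None:
        self._password = new_password

    def authenticate(self, account: str, password: str) -> bool:
        return account == self.account and secrets.compare_digest(password, self._password)


@dataclass
class Vault:
    """Minimal privileged-credential store: generates, stores and rotates passwords.
    Humans never choose the value; they check it out and it is rotated on check-in."""

    targets: dict[str, TargetSystem] = field(default_factory=dict)
    _passwords: dict[str, str] = field(default_factory=dict, init=False, repr=False)
    _checked_out: set[str] = field(default_factory=set, init=False, repr=False)

    def onboard(self, target: TargetSystem) -> None:
        """Take over an account: replace whatever a human set with a random value."""
        self.targets[target.account] = target
        self.rotate(target.account)

    def rotate(self, account: str) -> str:
        new_password = generate_password()
        self.targets[account].set_password(new_password)  # push to the target first
        self._passwords[account] = new_password           # then record it locally
        return new_password

    def checkout(self, account: str) -> str:
        if account in self._checked_out:
            raise RuntimeError(f"{account} is already checked out")
        self._checked_out.add(account)
        return self._passwords[account]

    def checkin(self, account: str) -> None:
        """Rotating on check-in bounds the life of any copy a keylogger captured."""
        self._checked_out.discard(account)
        self.rotate(account)


def demo() -> tuple[bool, bool, bool]:
    """One checkout/check-in cycle on a constructed account. Returns whether the
    original human-chosen password, the checked-out (possibly keylogged) password,
    and the freshly rotated password still authenticate, in that order."""
    vault = Vault()
    target = TargetSystem("root@db01", "Summer2014!")  # constructed starting value
    vault.onboard(target)
    leaked = vault.checkout("root@db01")  # imagine a keylogger captured this
    vault.checkin("root@db01")            # task done: credential is rotated
    current = vault.checkout("root@db01")
    return (
        target.authenticate("root@db01", "Summer2014!"),
        target.authenticate("root@db01", leaked),
        target.authenticate("root@db01", current),
    )


if __name__ == "__main__":
    print(f"template password: {template_entropy_bits():.1f} bits")
    print(f"managed password:  {random_entropy_bits(32):.1f} bits")
    print("old / leaked / current still work:", demo())
```

Running it shows the gap the text describes: the template password is worth under 30 bits of guessing work under the stated assumptions, while the 32-character managed value is over 200 bits, and after check-in neither the original human-chosen password nor the copy that was checked out will authenticate. A real tool would push the rotation over the target's own administrative interface and audit each checkout; the ordering in `rotate` (update the target before recording the new value) is deliberate so that a failed push never leaves the vault holding a password the target does not know.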
For a much more in-depth view of what it takes to solve the privileged account problem, check out our solution.