Achieving Passwordless Nirvana with FIDO
Source: https://www.youtube.com/watch?v=iU7frYhy35E
Duration: 00:11:28
Key Points
- The current landscape is plagued by countless passwords, leading to forgetfulness, weak security practices, and user fatigue.
- Multi‑Factor Authentication (MFA) improves security by combining “something you know,” “something you have,” and “something you are,” though it may still rely on hidden passwords behind the scenes.
- The emerging FIDO (Fast IDentity Online) standard eliminates passwords altogether, enabling seamless, password‑free authentication across browsers and services.
- Combining MFA with FIDO can achieve the “password nirvana” where users authenticate via devices or biometrics without ever exposing or managing a password.
- The episode includes a bonus “Personal Disaster Recovery” quiz to reinforce understanding of these concepts.
Sections
- 00:00:00 Towards Passwordless Authentication Nirvana (https://www.youtube.com/watch?v=iU7frYhy35E&t=0s) - The hosts discuss the chaos of managing numerous passwords, introduce multi‑factor authentication as a bridge, and explore achieving a password‑free “nirvana” while teasing a personal disaster‑recovery quiz.
- 00:03:09 FIDO Standards and Device Loss Recovery (https://www.youtube.com/watch?v=iU7frYhy35E&t=189s) - The conversation outlines how the FIDO authentication standard works across phones, USB keys, and smart cards, then shifts to personal disaster recovery tactics for handling the loss of a FIDO-enabled device such as a mobile phone.
- 00:06:18 Ensuring Reliable Phone Backups (https://www.youtube.com/watch?v=iU7frYhy35E&t=378s) - The speaker warns that backups can become corrupted, stresses the importance of promptly installing software updates for security, and advises regularly testing backups by restoring them, particularly when switching to a new phone.
- 00:09:23 Paranoid Phone Security Strategies (https://www.youtube.com/watch?v=iU7frYhy35E&t=563s) - The speaker shares personal security tips: adding a carrier PIN to block account‑takeover attacks, noting a lack of a device lock, and recommending a separate travel phone as a backup for lost high‑value devices.
Full Transcript
Welcome to Tech Talk!
Today's topic is passwordless authentication.
I'm joined by Jeff the Security Guy.
A couple of your videos brought us to this topic where you talked about IAM, or Identity Access Management,
and how that applies to rules for passwords -- as well as MFA, Multi-Factor Authentication.
I'd like to get into it a little bit closer about what is-- something you teased us with --the "password nirvana", you called it.
No password required!
No password.
Good.
But before we get there, I want to show that we're having a bonus feature for this one.
It's called "Personal Disaster Recovery".
I've had more than a few of those.
Sorry to hear that.
It's going to be a quiz where you have a seven-- eight choices and we'll see how you do.
All right.
So how can we get to that passwordless nirvana?
Yeah, well, if you think about where we are today, we'll kind of start at the bottom.
And most people have a password.
In fact, they've got lots of passwords that they have to deal with.
And that's a problem because the more of these you have, the more you're likely to forget them, the more you're likely to trivialize them.
It's just a mess.
Who doesn't have like 50 of them?
I know that I do.
Exactly. At least. At least-- that would be a small number.
So what I talked about in this video was using something that would be stronger than passwords, multi-factor authentication.
And with multi-factor authentication-- now, instead of relying just on something I know, I'm relying on something I have,
and something I am, or some combination of those different things.
Now, in those systems, there may in fact still be a password under the covers that's not necessarily exposed to you.
So you might unlock the app with your face, looking at your phone and using the biometric reader.
And the phone itself-- being something you have
--so that's two factors that I'm using, but the system may actually plug a password in.
So the password is not exposed to you directly, but it still exists.
Well, the next turn of the crank, or think of this in an evolutionary step,
would be a standard that is taking hold these days called FIDO.
FIDO? Okay, great, I assume that is not what I'm thinking.
It's not what you're thinking.
This is not your pet.
This is a Fast IDentity Online standard.
And what it does is, it actually removes the need for passwords in the first place.
Now, what you could do is you could use multi-factor authentication in combination with FIDO
and then your browser, the websites can all communicate to each other without passwords at all.
Let me back up just for a second, because when I was coming into work yesterday, I counted how many times I had to log in.
Like there were seven times with Box and email, etc., etc.
I had to provide a log in and my password.
I understand with MFA that's going to cause a bunch of challenges.
How does that eliminate those challenges?
So what it's doing is, FIDO has-- we won't go into the details in this video
--but there is a protocol that exchanges different proofs as to who you are.
So the website that's enabled for FIDO, and not all are, but we're seeing them start to more and more become the case.
They can communicate with your browser and they exchange secrets and tokens and things like that
that happen behind the scenes without prompting you.
But I'm not quite sure I'm following here.
Is this a standard or a device?
It is a standard.
And many devices then can be FIDO-compliant.
So you could use different types of devices like your phone, or like a particular flash drive
that you stick into your laptop-- a different type of something you have.
Or like a smart card that we use for getting into the building?
Absolutely.
So there's a lot of different types of devices that FIDO would be able to support in that.
Well, that's great,
but now it brings me to the PDR or the "Personal Disaster Recovery" [quiz].
And I've had to deal with some disasters because I'm the IT support back at our house.
And so what I wanted to do is provide you with a list of potential things to avoid the problem where -- what if I lose that device?
To demonstrate that point, you have a cell phone, right?
Sure, sure.
So here's your phone.
You travel a lot. [Jeff] A lot.
So imagine that Jeff is traveling and he loses his phone, either at the airport, or worse,
loses it somewhere he's not going to be returning back to.
What is it you do on that travel?
How do you recover from that?
Well, the first thing I do, after I stop crying, is I start trying to figure out how I can recover the device.
So maybe find another device, buy another device, if I know what's truly been lost.
And then I start trying to recover the data.
The device itself can be fairly easily replaceable at some cost, but the data is the really critical part.
And for using that as part of our authentication scheme, then that becomes a linchpin that everything else is relying on.
And that brings me then to my main point-- and I want you to take the PDR Quiz.
There are eight questions and you get checkmarks.
If you get four or more, that's considered a pass.
If you get less than four, then you maybe have some security problems.
And if you get eight, you get the "Golden Beanie".
So here we go.
So the first one is, is-- and this one, I think you alluded to --is make a backup.
And I know that sounds simple.
And a lot of people, they back up, if they do, to a cloud.
Is that what you do, I think?
Yeah, absolutely.
I would definitely back up to a cloud, because that way you don't have to be in any specific location.
You can be anywhere and pull the data back down and restore from the cloud.
But I would argue that you also need to back up to some sort of hard drive, device, or laptop -- something like that.
And the reason is, is that if you want to get to the cloud, imagine if you're pulling down multi gigabytes of your favorite photos.
That is literally going to take hours.
Plus, there's another thing is, is that if you have a local backup, you can have revisions.
Absolutely.
In the cloud, you don't have them.
Yeah. And we in the security space refer to ourselves as "belt and suspenders".
So we don't ever rely on any one thing to keep it all together.
So if the cloud failed, or if the local backup failed, I have backups for my backups.
In fact, I've known people who have had a hard drive fail,
and then they found out that their backup, which they've been doing religiously for years, in fact, was corrupted.
So it does really happen.
The next one on the list.
Oh, and you get a checkmark.
Yeah, yeah, I definitely do that.
Awesome. Great.
The next is, is that do you update your software?
Absolutely.
This one's really critical because what happens in most of those software updates that you see
that may be waiting on your phone and you haven't applied yet, there's probably security fixes in there as well.
And that means the bad guys know how to exploit your phone and you haven't put in the things to block it, if you haven't applied those.
It's practically a race condition then.
It really is.
And it's a question of do you apply first the patch, or do the bad guys get to your phone and exploit it first?
Fair enough.
So you get a checkmark.
I absolutely do this.
Now, this one, maybe not so.
We'll see.
And that is, do you actually test your backup?
Sort of. Could be better. Could be better.
But I do test it from time to time.
And the best-- the one test that I know, I end up running on a fairly regular basis, whenever I get a new phone.
If I upgrade at least every two years, then I restore from that cloud backup, for sure.
And that's actually the test that I say that you should give a try is, if you upgrade your phone
or if you have someone else who's upgrading their phone, try restoring from your backup onto their phone to make sure it actually works.
Yeah.
And the next one on the list is recovery.
Now, this is the thing, especially for like emails.
You have an email which is using two factor authentication and you have to authenticate to that.
You've lost your device.
Well, if you have a recovery email, or recovery phone number, you have a way of recovering from that situation.
So there is a really good...
It's really important to have multiple sources that have designated,
either multiple phone numbers for you, maybe pick another family member, or close friend that you can trust.
Another email address. Have some backup email addresses yourself.
But yeah, definitely you don't want to have your recovery just be one option.
I think you called that an "out-of-band" sort of situation,
where you have something that is not dependent on that particular device that you can rely on.
And so really closely related to that is backup codes.
And this one might not be quite so obvious.
A backup code for your email says I'm going to generate a bunch of random sort of passwords, which are one-time use only.
And they bypass all the MFA checks.
Those are really helpful if you don't have the device. That means you can create a printout of it,
you can put it in a safe location next to your will or something like that.
And that way you have a way of getting back online without having to rely on an out-of-band person.
Yeah, yeah.
I definitely store those.
I'm seeing a pattern here.
Yeah. Security guy.
We're professional paranoids.
What can I say?
Well, here's one that I think I'm going to catch you on.
Do you have a sticker on your phone "If lost, find..."?
I do not.
I do not.
It would mess up the esthetic of my phone
and I don't know if I could deal with that.
Well, I mean, actually, I have a true confession: I don't have one either.
I really should.
But yeah.
It would be a good idea, though.
So it is a good idea.
And another good idea is on your account-- when you have your account with your cell phone provider,
you can add an additional layer of security beyond just the password-- a PIN number.
So like when you call to change your service, they ask you for that.
What do they call it?
They have a specific name for it.
I think you've mentioned that once before, it was when someone is trying to force their way into an account.
Yeah. Yeah.
So account takeover.
ATO is the acronym we use in the security space.
So we want to prevent someone who is trying to get into your account from being able to do that.
So this is ATO defense.
Did you get that one?
I absolutely do that one.
Okay.
Well, maybe the last one I can get you on, which is a hard one.
This is the-- we'll call it the "extra credit paranoid one" is that-- and I can tell you from personal experience, this has happened.
Your family member goes on a trip.
Say, for example, whitewater rafting and they lose their phone, right?
And it happens to be a $1200 new phone.
Can you imagine how awful that would be?
Speaking hypothetically.
Yes, of course, speaking hypothetically.
And what I propose is that you have a travel phone.
When you upgrade-- have you upgraded your phone recently?
I'm about to.
Awesome.
So what you do is take your old phone and use it when you travel,
especially if it's to a remote location, or an area where you might potentially have a high risk of-- difficulty of recovering.
And that's an example travel-- Do you have that?
I do not. No, I'm going to fail on that one.
Okay.
So Jeff's score was six.
Six out of eight.
Okay, that's really good.
So there you go.
I'm going to wrap it at that.
And if you'd like to hear more Tech Talks, please drop us a comment below.
And before you leave, please remember to click Like and Subscribe.