Access codes sent by SMS or authenticator apps can be bypassed by clever phishing. Hardware-based tokens make that harder to do. Credit: Cybrain / Getty Images Every business needs a secure way to collect, manage, and authenticate passwords. Unfortunately, no method is foolproof. Storing passwords in the browser and sending one-time access codes by SMS or authenticator apps can be bypassed by phishing. Password management products are more secure, but they have vulnerabilities as shown by the recent LastPass breach that exposed an encrypted backup of a database of saved passwords. For organizations with high security requirements, that leaves hardware-based login options such as FIDO devices. Why use FIDO devices for authentication? The FIDO (Fast Identity Online) standard is maintained by the FIDO Alliance and aims to reduce reliance on passwords for security. It does so by complementing or replacing them with strong authentication based on public-key cryptography. FIDO includes specs that take advantage of biometric and other hardware-based security measures, either from specialized hardware security gadgets or the biometric features built into most new smartphones and some PCs. That makes FIDO and other physical key or token methods more phishing resistant and harder for attackers to bypass. This is the most complex deployment, and many websites don't support it. Many password-management programs do support FIDO, however. This makes it easier to consider adding a physical token key as the second authentication process to better protect your accounts. NIST provides an overview of available authentication tokens. Choosing the right type of FIDO device Start your project by investigating which authentication devices can authenticate with the vendors you currently have as well as potential future vendors. One vendor of FIDO devices, Yubico, allows you to review the vendors they support. Your next decision is to determine what type of connectors your organization's computers and laptops require. We live in a world of multiple USB connections, so you must know if you need USB-A, USB-C, or Lightning connectors. As noted in the instructions regarding vendor setup, plan on deploying not one, but two FIDO keys to ensure you have a backup. Should your only hardware token fail, you will be locked out of your password management program and any other item that depends on it. Tokens can also be used where the need for phishing-resistant multi-factor authentication is needed. By creating a unique key pair for each device and user combination, websites can securely identify and authenticate devices that have been registered with them. The process of logging in is then streamlined, as users only need to prove their identity with a biometric scan rather than entering a password or other security code. All users need to do to complete the login is to either place the token key near the computer or insert it into the USB port. Once you've pressed your finger on the device, it provides authentication to the application accordingly. While FIDO and WebAuthn, a web authentication standard that is part of FIDO2, can make online authentication more secure, they do not eliminate all risks. As with any security measure, stay aware of potential threats and take steps to protect yourself online. This includes using strong passwords and being cautious about sharing personal information or clicking on links from unknown sources. Related content news UK Cyber Security Council CEO reflects on a year of progress Professor Simon Hepburn sits down with broadcaster ITN to discuss Council’s work around cybersecurity professional standards, careers and learning, and outreach and diversity. By Michael Hill Sep 27, 2023 3 mins Government Government Government news FIDO Alliance certifies security of edge nodes, IoT devices Certification demonstrates that products are at low risk of cyberthreats and will interoperate securely. By Michael Hill Sep 27, 2023 3 mins Certifications Internet Security Security Hardware news analysis Web app, API attacks surge as cybercriminals target financial services The financial services sector has also experienced an increase in Layer 3 and Layer 4 DDoS attacks. By Michael Hill Sep 27, 2023 6 mins Financial Services Industry Cyberattacks Application Security news Immersive Labs adds custom 'workforce exercising' for each organizational role With the new workforce exercising capability, CISOs will be able to see each role’s cybersecurity readiness, risk areas, and exercise progress. By Shweta Sharma Sep 27, 2023 3 mins Security Software Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe