New Phish-Resistant Security – FIDO Keys

19 September 2024

The Harsh Reality of Modern Cyber Threats Today

Here’s a sobering statistic: phishing was responsible for 84% of business breaches in the UK in 2023/24.

Nearly all of them were down to human error.

Let that sink in for a moment.

Despite our best efforts with extra security measures like complex passwords and Multi-Factor Authentication (MFA), cybercriminals are still finding ways to exploit human error.

As a business owner, this might make you feel vulnerable, and rightfully so. But you’re not alone in this fight.

The Rise and [Anticipated] Fall of MFA: A Brief History

Remember when setting a strong password was all you needed to keep your accounts safe? Those days are long gone. As cybercriminals became more sophisticated, the humble username-password combination proved woefully inadequate.

Enter Multi-Factor Authentication (MFA).

For a while, MFA seemed like the perfect solution. It significantly improved security for many businesses and individuals. However, as with any security measure, determined cybercriminals eventually found ways to overcome it.

The Next Evolution in Cybersecurity: Passkeys and FIDO Security Keys

Imagine a world where you don’t have to worry about your employees falling for a clever phishing email. A world where logging in is as simple as tapping a small device, with no complex and easily forgettable passwords to remember or codes to input.

This isn’t science fiction – it’s the reality of passkeys and FIDO security keys.

What is FIDO?

First, what exactly is FIDO?

[Pronounced: FIE – DOE.]

FIDO stands for Fast Identity Online.

In 2013, big tech giants like Google and Microsoft, along with other cybersecurity experts, formed an alliance that continues to work together to improve online security and to “help reduce the world’s over-reliance on passwords”.

This coalition is also known as the FIDO alliance.

What Are Passkeys?

Passkeys are a ground-breaking technology that ties your login to a specific device.

Think of it as a unique, digital key that only works with your specific ‘lock’. It’s based on well-established public key infrastructure (PKI) technology.

Here’s how passkeys work:

  1. When you set up a passkey for a website or app, two digital ‘keys’ are created – one public, one private.
  2. The public key is stored on the website or app’s server. The public key is effectively useless without the private key, so, unlike a password, it is not considered sensitive information.
  3. The private key is stored securely on your device.
  4. When you log in, the website/app checks if your private key matches the public key they have stored.
  5. If they match, you’re in! If not, access denied.

This system offers a much greater level of protection because no secret authentication information is transmitted during this exchange. The website or app you’re logging into is only checking to see if the two ‘digital keys’ match.
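The five steps above can be modelled in a few lines of Node.js. This is an added illustration, not code from Lumina or the FIDO Alliance, and it goes slightly beyond the steps by also signing the website's address, as real passkeys do. The site names, the `Authenticator` class and the `verifyLogin` function are assumptions made for the example.

```javascript
// Simplified model of a passkey login (constructed example; not the real
// WebAuthn wire format, which adds CBOR encoding and authenticator data).
const nodeCrypto = require('node:crypto');

// The authenticator (phone, laptop or security key) holds one private key per site.
class Authenticator {
  constructor() { this.keys = new Map(); } // site hostname -> private key

  // Steps 1-3: create a key pair, keep the private half, hand back the public half.
  register(hostname) {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(hostname, privateKey);
    return publicKey;
  }

  // Step 4, device side: sign the server's challenge together with the address
  // the browser is really on. No key registered for that site means no answer.
  getAssertion(origin, challenge) {
    const privateKey = this.keys.get(new URL(origin).hostname);
    if (!privateKey) return null;
    const clientData = Buffer.from(JSON.stringify({ origin, challenge }));
    return { clientData, signature: nodeCrypto.sign('sha256', clientData, privateKey) };
  }
}

// Steps 4-5, server side: the signature must verify under the stored public key
// and must cover this login's challenge and the server's own address.
function verifyLogin(publicKey, expected, assertion) {
  if (!assertion) return false;
  const { clientData, signature } = assertion;
  if (!nodeCrypto.verify('sha256', clientData, publicKey, signature)) return false;
  const { origin, challenge } = JSON.parse(clientData.toString());
  return origin === expected.origin && challenge === expected.challenge;
}

const newChallenge = () => nodeCrypto.randomBytes(32).toString('base64url');

function demo() {
  const ORIGIN = 'https://login.example.test';    // constructed site names
  const LOOKALIKE = 'https://login.examp1e.test';
  const key = new Authenticator();
  const publicKey = key.register(new URL(ORIGIN).hostname);
  const [c1, c2] = [newChallenge(), newChallenge()];
  const first = key.getAssertion(ORIGIN, c1);
  const check = (challenge, a) => verifyLogin(publicKey, { origin: ORIGIN, challenge }, a);
  return { genuine: check(c1, first),                             // true
           lookalike: check(c2, key.getAssertion(LOOKALIKE, c2)), // false: no key for that site
           replayed: check(c2, first) };                          // false: old challenge
}
```

Only the public key, the challenge and the signature ever leave the device, which is why a look-alike page or a captured login response gives an attacker nothing to reuse.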

Passkeys are built on the global FIDO2 authentication standard, supported by the FIDO alliance.

What Are FIDO Security Keys?

FIDO security keys take this concept a step further. These are physical devices that store your passkeys, offering an extra layer of tangible security. Here’s what you need to know:

  1. FIDO security keys contain passkeys and operate using the same public key infrastructure technology.
  2. The main difference is that the passkeys are tied to a portable, physical security device that needs to connect to your laptop, computer, or tablet to authenticate your credentials.
  3. The current market leader for producing FIDO security keys is Yubico, with their product line called YubiKeys.
  4. Currently, YubiKeys can store a maximum of 25 passkeys, with the potential for increased capacity in the future.

The main advantage of FIDO security keys is that the same key can be used across multiple devices, so users are not restricted to using one device.

However, they do require the user to have the key with them to complete the authentication – both their core advantage and a potential disadvantage if the user leaves their key at home.

Why This Should Matter to You

As a business owner, you might be thinking, “This sounds great, but what does it mean for me?” Here’s why you should care:

  1. Phishing Resistant: Unlike passwords or even MFA codes, passkeys stored on FIDO security keys can’t be stolen or tricked out of you by a crafty phishing email. A hacker using an unauthorised device will not be able to access your data and resources because they need the physical security key to be able to log in.
  2. User-Friendly: No more frustrated employees who can’t remember their complex passwords or have lost their phones with the MFA app. Logging in becomes as simple as inserting the security key and tapping it to authenticate credentials.
  3. Consistent Across Platforms: Major tech companies like Google and Microsoft are all on board with passkeys and FIDO security keys, meaning you’ll be able to use them across various devices and platforms.
  4. Peace of Mind: Imagine being able to focus on growing your business, knowing that your digital assets are protected by cutting-edge technology. That’s the peace of mind that passkeys and FIDO security keys can offer.

What If I Lose My Security Key?

Now, you might be wondering, “What if my employees forget or lose their security keys?” It’s a valid concern, and it’s why we recommend registering multiple keys for each account. Yes, there will be a learning curve, but think of it as an investment in your business’s future security.

Looking Ahead: The Future of Cybersecurity

As we look into the future, the cybersecurity landscape will continue to evolve. There are already discussions about the potential role of AI and deep fakes in future identity theft scenarios. While it’s too early to predict the exact impact, one thing is clear – staying ahead of the curve is crucial.

Your Next Steps

As a small business owner, embracing these changes might seem daunting. But remember, you don’t have to go it alone. At Lumina, we’re committed to guiding small businesses like yours through the ever-changing cybersecurity landscape.

We’re rolling out passkeys, FIDO keys, and other cutting-edge security measures as part of our PRISM Business/Enterprise packages. These comprehensive security solutions are designed to give you peace of mind, allowing you to focus on what you do best – running and growing your business.

Ready to take your cybersecurity to the next level? Let’s have a conversation about how we can secure your digital future together. Your future self (and your data) will thank you.

 

 
