Latest news with #FIDO2


Techday NZ
2 days ago
- Business
- Techday NZ
Yubico urges stronger passkey rules to boost digital security
Yubico has called on security leaders to reassess the current implementation of passkeys as the industry moves away from traditional passwords. Passkeys have been developed as an alternative to passwords, aiming to improve both security and user convenience. According to Yubico, the transition to passkeys is gaining considerable momentum globally, but significant risks remain if organisations and individuals do not address the nuances in passkey types and fallback options.

Christopher Harrell, Chief Technology Officer at Yubico, stated, "The global momentum behind passkeys represents one of the most exciting shifts in authentication history. The technical specifications that enable this shift are FIDO2 and WebAuthn, and their implementations are now widely known by the consumer-friendly name 'passkeys'. As the creator of the first passkeys, passkeys in security keys, Yubico is proud and humbled to have helped initiate and continue to drive this transformation. Yet, the work isn't done. Not all passkeys are equal, not all users have the same needs, and leaving insecure fallback methods in place can provide a false sense of security."

Harrell outlined a number of distinctions between passkey types, focusing primarily on two: synced passkeys and device-bound passkeys. Synced passkeys store credentials in the cloud and allow users to access them across multiple devices, providing convenience but raising concerns about the security of the sync mechanisms and cloud accounts on which they rely. Individuals and organisations handling sensitive information, or those facing heightened risks, may find synced passkeys insufficient. In such cases, device-bound passkeys offer additional protection. These credentials do not leave the hardware device on which they are created, mitigating threats like phishing, account takeover, and recovery fraud.

According to Harrell, device-bound passkeys have two major forms. The first uses smartphones or laptops, which are convenient but sometimes inconsistent due to usability issues with technology such as QR codes, Bluetooth connectivity, and relay access reliability. The second form employs hardware security keys, such as YubiKeys, which Harrell described as offering the "gold standard" in passkey security because of their portability and consistent experience across platforms.

Harrell emphasised the importance of not allowing insecure fallback mechanisms, such as text message verification or code-generation apps, to remain in place, even when device-bound passkeys are implemented. He said: "Attackers understand this and actively downgrade to insecure, phishable mechanisms to avoid the phishing-resistant security passkeys provide."

For organisations, Harrell recommended that Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) demand configurability and control from identity providers. He commented, "Passkeys in YubiKeys and Windows Hello for Business are better together, offering non-exportable credentials that cannot be silently synced, phished, or copied. These passkeys can provide clear visibility into how and where they are stored, which enables more consistent support, audit and incident response processes." Harrell suggested specific steps, including enforcing only device-bound passkeys within identity providers, requiring device-bound credentials by policy, disabling synced passkeys for enterprise use, and removing all non-FIDO fallback methods. Yubico's recommendations reflect the company's views on shaping more robust policy around digital authentication.

Harrell also addressed product managers tasked with implementing passkey functionality, advising them to support security key options rather than exclude them, and offering Yubico's assistance to those encountering technical or usability challenges. He said, "Don't exclude security keys; it often takes more effort to block them than to support them. And if you're stuck, technically or from a usability perspective, Yubico is here to help. We've partnered with governments, Fortune 500s, and identity platforms to solve many challenges at scale across the globe." He continued, "As a product leader or engineer rolling out passkey support in your application, you are shaping the future of digital identity and safety. If you're building a banking app, social network, government portal, an identity provider, or anything else, you are also deciding who gets access to higher levels of protection."

Yubico outlined the practical benefits of robust passkey policies, stating that strong measures can reduce account recovery events, lower operational costs, and increase organisational resilience. For individuals, especially those at heightened risk, reliable and accessible authentication is essential. Device-bound security keys can also assist people with accessibility needs by providing a consistent and tactile experience that avoids the complications of screen readers and complex gestures. Harrell asserted, "Authentication should be adaptable and flexible, not rigid and monolithic. Higher-assurance security is not just for the enterprise; it's a lifeline for millions."

Groups identified as needing the strongest protections include government officials, legal workers, journalists, high-profile executives, developers, security researchers, activists, and those without reliable access to personal devices. The risks are not theoretical, as Yubico noted that status can change rapidly due to events or exposure, requiring swift improvements in security posture for protection and peace of mind. Yubico recommended supporting or requiring security keys as a core element of passkey strategies, demanding configurability from service providers, and ensuring that all users can choose the level of protection suited to their circumstances.
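The policy Harrell describes, accepting only device-bound passkeys, is something a relying party or identity provider can enforce at registration time. The Python below is an added example, not Yubico's or the article's code: it parses the WebAuthn authenticator data returned by the browser and rejects any credential whose backup-eligibility (BE) flag is set, the marker WebAuthn Level 3 defines for a credential that can be synced. The relying-party ID, AAGUIDs and credential bytes are constructed for the example.

```python
"""Relying-party check for a device-bound-only passkey policy.

Added example, not Yubico's or the article's code. It parses the WebAuthn
authenticator data structure and reads the backup-eligibility (BE) and
backup-state (BS) flags that WebAuthn Level 3 defines for synced passkeys.
The relying-party ID, AAGUIDs and credential bytes below are constructed.
"""
import hashlib
import struct
from typing import Dict, Optional, Set, Tuple

# Bit positions in the authenticator data "flags" byte (WebAuthn Level 3, 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential may be synced off the device
FLAG_BS = 0x10  # backup state: the credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data (AAGUID, credential ID, key) follows
FLAG_ED = 0x80  # extension data follows

RP_ID = "bank.example"  # constructed relying-party ID


def parse_authenticator_data(data: bytes) -> Dict[str, object]:
    """Split raw authenticator data into its fixed fields.

    Layout: rpIdHash(32) | flags(1) | signCount(4, big-endian) |
            [aaguid(16) | credIdLen(2) | credId | COSE public key] when AT is set.
    The COSE key is left unparsed; the policy below does not need it.
    """
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    parsed: Dict[str, object] = {
        "rp_id_hash": data[:32], "flags": flags, "sign_count": sign_count,
        "aaguid": None, "credential_id": None,
    }
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        (cred_len,) = struct.unpack(">H", data[53:55])
        cred_id = data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential id truncated")
        parsed["aaguid"] = data[37:53]
        parsed["credential_id"] = cred_id
    return parsed


def evaluate_registration(data: bytes, rp_id: str = RP_ID,
                          allowed_aaguids: Optional[Set[bytes]] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) under a device-bound-only registration policy.

    Rejects credentials whose BE flag is set (they can be synced to a cloud
    account), credentials registered without user verification, and credentials
    bound to a different RP ID. When an AAGUID allow-list is supplied, the
    authenticator model must also be on it.
    """
    ad = parse_authenticator_data(data)
    flags = int(ad["flags"])
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if not flags & FLAG_UV:
        return False, "user verification required by policy"
    if flags & FLAG_BE:
        state = "synced" if flags & FLAG_BS else "sync-capable"
        return False, f"credential is {state}; policy allows device-bound only"
    if allowed_aaguids is not None and ad["aaguid"] not in allowed_aaguids:
        return False, "authenticator model not on the approved list"
    return True, "device-bound credential accepted"


def build_sample_authdata(flags: int, aaguid: bytes,
                          cred_id: bytes = b"\x01\x02\x03\x04") -> bytes:
    """Construct authenticator data bytes for testing (an empty CBOR map, 0xA0,
    stands in for the COSE public key)."""
    body = hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + struct.pack(">I", 0)
    if flags & FLAG_AT:
        body += aaguid + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0"
    return body


# Constructed placeholder AAGUIDs: an approved hardware-key model and a platform one.
HARDWARE_KEY_AAGUID = bytes.fromhex("00000000000000000000000000000001")
PLATFORM_AAGUID = bytes.fromhex("00000000000000000000000000000002")

if __name__ == "__main__":
    synced = build_sample_authdata(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT, PLATFORM_AAGUID)
    bound = build_sample_authdata(FLAG_UP | FLAG_UV | FLAG_AT, HARDWARE_KEY_AAGUID)
    print(evaluate_registration(synced))                                        # rejected
    print(evaluate_registration(bound, allowed_aaguids={HARDWARE_KEY_AAGUID}))  # accepted
```

Because the flag bits are asserted by the authenticator itself, they are only as trustworthy as the attestation behind them, so the AAGUID allow-list is the stronger control for a device-bound-only policy; removing the non-FIDO fallback methods Harrell mentions is a separate identity-provider setting not shown here.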


Business Wire
30-07-2025
- Business
- Business Wire
Strata Identity Named a Sample Vendor in Gartner® 'Reduce IAM Technical Debt' Report
BOULDER, Colo.--(BUSINESS WIRE)-- Strata Identity, the Identity Orchestration company, today announced it has been named a Sample Vendor in the 2025 Gartner report titled 'Reduce IAM Technical Debt' by Nat Krishnan and Erik Wahlstrom. As hybrid and multicloud environments become the norm, legacy identity systems and siloed architectures have created technical debt and operational burdens. Strata's Maverics platform enables organizations to unify IAM silos through identity orchestration and unified single sign-on (SSO), allowing enterprises to support the coexistence of multiple identity providers (IDPs) without rewriting legacy applications or disrupting business.

Rationalizing IAM Without Rewriting Applications

Maverics decouples identity from applications, making it possible to layer in modern protocols like SAML, OpenID Connect, and FIDO2—even in environments still running legacy WAM, LDAP, or homegrown authentication mechanisms. This enables centralized policy enforcement, federated session management, and simultaneous support for multiple IDPs to ensure IAM resilience. 'We believe being mentioned as a Sample Vendor in this Gartner report demonstrates the unique value we provide for customers looking to rationalize their identity stack and unify SSO without refactoring hundreds, sometimes thousands of applications,' said Eric Olden, CEO of Strata Identity. 'IAM technical debt has quietly become one of the biggest roadblocks to cloud transformation. Strata's Maverics platform helps enterprises modernize at their own pace, unify siloed systems, and secure access without disrupting legacy infrastructure.'
Reducing IAM Technical Debt with Orchestration

The Gartner report cites five top contributors to technical debt: custom and siloed IAM tools, nonstandard and legacy enterprise applications, incomplete discovery process, poor IAM hygiene, and complex and incomplete enrollment of applications and services. As the report explains, 'IAM teams must break down the applications and services into categories that are based on their type and their existing support for IAM controls. They must collaborate with application owners to pick the appropriate IAM modernization strategies and collaborate with them on a phased modernization approach. The applications must then be prioritized based on the business impact as identified by the stakeholders. Leverage orchestration, proxies and connectors where needed as an alternative to replacing and rebuilding existing legacy applications. Wider adoption of identity standards and protocols for all integrations will prevent further accumulation of technical debt going forward.'

Strata helps organizations operationalize these recommendations through its identity orchestration layer that bridges incompatible identity systems, vendors, and environments—turning modernization into an iterative, low-risk process. By abstracting identity logic from individual applications, Maverics enables seamless policy enforcement, failover, and user authentication across hybrid and multicloud environments without rewriting apps or disrupting user experiences.

Gartner Attribution and Disclaimer

Gartner, 'Reduce IAM Technical Debt,' by Nat Krishnan and Erik Wahlstrom, 23 June 2025. Gartner is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product, or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About Strata Identity

Strata Identity enables organizations to orchestrate and modernize identity without disrupting existing infrastructure while maintaining a frictionless user experience. By decoupling identity from applications, Strata's Maverics platform unifies SSO, can rationalize redundant IDPs, and ensures continuous access during outages via IDP failover. It enables organizations to extend zero-trust controls across human, machine, and autonomous AI identities. Led by CEO Eric Olden—co-author of the SAML standard—Strata also created the Identity Query Language (IDQL) and open-source Hexa project to help standardize multi-cloud identity management. Learn more at and follow us on LinkedIn and YouTube.


Khaleej Times
25-07-2025
- Business
- Khaleej Times
UAE: No more OTPs? Here's how banks will fight scams
One-time passwords or OTPs are now outdated in the face of the dramatic rise in sophisticated banking frauds, a Dubai-based cybersecurity expert told Khaleej Times, following news that UAE banks will gradually stop sending one-time passwords (OTPs) via SMS and email for digital transactions starting July 25. Instead of OTPs, banks will shift to authentication via mobile banking apps, using in-app confirmation features.

Cybersecurity expert Rayad Kamal Ayub praised UAE banks and regulators for 'adopting groundbreaking authentication technologies to secure transactions, safeguard customer identities, and provide frictionless user experiences'. 'The Central Bank of the UAE has taken decisive steps since 2024, spurred by persistent calls from industry leaders and media like Khaleej Times, to overhaul traditional authentication methods — especially OTPs — which have proven vulnerable to modern hacking techniques,' he added.

Rayad, who is also managing director of UAE-based Rayad Group, also shared emerging authentication technologies, and how each type counters fraud risks and redefines customer trust in the UAE banking sector.

1. Passkeys & FIDO2 authentication

'The era of easily compromised passwords is drawing to a close', noted Rayad. Passkeys, built on the FIDO2 (Fast IDentity Online 2) standards, enable password-less authentication by leveraging cryptographic keys stored directly on a user's device. When combined with biometric sensors — like face ID, touch ID, or Android's equivalent — passkeys offer a seamless, one-touch login experience.

Key features:
- Passwordless, leveraging asymmetric cryptography for security
- Biometric integration (facial recognition, fingerprints) for effortless access
- Resistant to phishing attacks, SIM swaps, and credential stuffing that are frequently used by scammers

Rayad said UAE banks are piloting passkey-based logins to replace or augment OTPs, drastically reducing the risk of interception or duplication. 'Because of this, customers benefit from smoother, faster access to services, while institutions see a drop in account takeover attempts.'

2. Decentralised Identity (DID)

Traditional identity systems often rely on central databases, making them lucrative targets for cybercriminals. Decentralised Identity (DID) puts control back in the hands of users through cryptographically verifiable credentials stored on personal devices or digital wallets.

Key features:
- User-controlled digital identity, minimising reliance on central authorities
- Secure onboarding and KYC (Know Your Customer) processes without exposing data to a single point of failure
- Backed by global initiatives such as the EU Digital Identity Wallet, which influence regulatory direction in the UAE

Rayad noted DID not only enhances privacy but also boosts resistance to large-scale data breaches. Several banks and fintech startups abroad are exploring DID frameworks, enabling customers to share only necessary fragments of their identity for transactions or onboarding.

3. Behavioural biometrics

Unlike traditional biometrics, which use fingerprint and facial recognition, behavioural biometrics authenticate users based on how they interact with their devices — such as typing rhythm, swipe patterns, mouse movements, and device handling. This continuous, invisible layer of authentication operates in the background, constantly monitoring for unusual behaviour.

Key features:
- Continuous authentication — no need for repeated logins
- Detects subtle deviations from a user's normal behaviour, flagging potential fraud instantly
- Non-intrusive, preserving the seamless user experience

Some banks are integrating behavioural biometrics into their mobile apps and online banking portals. The technology can detect when an account is being accessed by someone other than the legitimate user, even if the correct credentials are provided, offering an early warning against fraud, explained Rayad.

4. Post-quantum cryptography (PQC)

Rapid advances in quantum computing threaten to render existing cryptographic algorithms obsolete. PQC proactively arms banks against this looming risk by employing new algorithms designed to withstand quantum attacks.

Key features:
- Uses quantum-resistant algorithms for data protection and authentication
- Recommended by leading authorities such as NIST (National Institute of Standards and Technology)
- Ensures future-proofing of banking systems as quantum capabilities mature

Forward-thinking UAE banks are beginning to test PQC solutions, especially for securing high-value transactions, internal communications, and sensitive customer data. Early adoption ensures readiness for the quantum era and demonstrates industry leadership in digital security.

5. Hardware authenticators

These are physical security keys, such as YubiKeys, that provide an extra layer of defence by requiring users to possess a tangible device for authentication. Unlike SMS codes or app-based OTPs, hardware authenticators are immune to malware, phishing, and remote access threats.

Key features:
- Possession-based multi-factor authentication (MFA)
- No reliance on mobile networks or internet connectivity for validation
- Highly secure against malware-infected devices, phishing, and unauthorised remote access

Rayad said wealthy individuals and corporate clients are adopting hardware authenticators to safeguard access to sensitive accounts. Some banks now offer security key support for executive and VIP accounts, acknowledging the growing sophistication of targeted attacks.

6. AI-powered deepfake detection

As facial and voice authentication gain popularity, so do threats from deepfakes—artificially generated images, videos, or audio designed to impersonate legitimate users. AI-driven deepfake detection tools analyse nuanced characteristics, such as liveness, temperature, and micro-expressions, to distinguish between real and forged identities.

Key features:
- Liveness detection using AI to confirm the presence of a real human
- Infrared scanning and micro-expression analysis for enhanced accuracy
- Protection against spoofing attacks targeting facial and voice biometrics

Banks are already implementing liveness tests and deepfake detection on their mobile apps and at ATMs. These measures ensure that innovative authentication methods remain robust against emerging threats and reassure customers about the safety of biometric logins.

7. Cloud-based identity platforms

Managing authentication infrastructure in-house is costly and complex. Cloud-based identity platforms—often delivered as Identity-as-a-Service (IDaaS)—allow banks to deploy advanced authentication solutions that scale with demand while staying compliant with evolving regulations.

Key features:
- Centralised identity management for all digital channels
- Scalable and cost-effective compared to traditional on-premises solutions

Rayad observed some UAE banks are migrating to cloud identity platforms to streamline onboarding, authentication, and authorisation across mobile, web, and branch channels. This not only enhances security but also delivers a unified, frictionless customer experience.

More secure digital banking future

Rayad reiterated that as fraudsters evolve, so must the technology that protects the financial ecosystem. By moving beyond vulnerable legacy systems like OTPs and embracing tools such as passkeys, decentralised identities, behavioural biometrics, post-quantum cryptography, hardware authenticators, AI-powered deepfake detection, and cloud-based identity platforms, UAE banks are building resilient defences against fraud while unlocking seamless, user-friendly digital experiences. 'The UAE's commitment to innovation not only safeguards customers but also strengthens the country's reputation as a global leader in digital finance. The rapid pace of adoption today points toward a future where security, convenience, and privacy coexist — delivering banking experiences that are as secure as they are effortless,' he concluded.


Daily Mirror
01-07-2025
- Daily Mirror
Urgent alert for everyone with a Gmail account - don't ignore 6 vital new rules
Gmail users are being urged to stay alert and follow important new advice. There's a fresh security alert for email users, and this time the attacks are hitting Google and Gmail accounts. These popular platforms are some of the most safe and secure in the world, with users not only protected by advanced spam filtering but also by safer ways to log into accounts via multi-factor authentication. Although these features keep the majority of people safe, now is not a good time to become complacent.

It's been confirmed that Russian hackers recently found a way to bypass some of Google's security measures. That's left some accounts open to attack. This latest danger was spotted by security researchers at Google Threat Intelligence Group. It's since been confirmed that targeted attacks have already taken place, which is why this warning is so important to be aware of.

So, how does this threat work, and should you be worried? As most people are aware, Google accounts are highly secure, with users needing to use multiple methods to access services such as Gmail. These include all-important two-factor authentication, which sends a message to a secondary device when trying to access accounts - without that code there's no way to log in. However, it seems Russian cyber crooks have found a way to target older phones and other devices that are unable to handle this extra verification step. Google offers another security method called app passwords, which are special 16-digit codes aimed at keeping less modern devices safe. Unfortunately, because app passwords skip the second verification step, hackers can steal or phish them more easily.

According to Malwarebytes, the crooks used this method to target prominent academics and critics of Russia. "The attackers initially made contact by posing as a State Department representative, inviting the target to a consultation in the setting of a private online conversation," Malwarebytes explained. "While the target believes they are creating and sharing an app password to access a State Department platform in a secure way, they are actually giving the attacker full access to their Google account."

Although this was a highly targeted attack, it does not mean the general public might not be next. "Now that this bypass is known, we can expect more social engineering attacks leveraging app-specific passwords in the future," Malwarebytes warned.

If you are concerned by this new attack, security experts at Malwarebytes have issued advice on how to stay safe.

• Only use app passwords when absolutely necessary. If you have the opportunity to change to apps and devices that support more secure sign-in methods, make that switch.
• The advice to enable MFA still stands strong, but not all MFA is created equal. Authenticator apps (like Google Authenticator) or hardware security keys (FIDO2/WebAuthn) are more resistant to attacks than SMS-based codes, let alone app passwords.
• Regularly educate yourself and others about recognising phishing attempts. Attackers often bypass MFA by tricking users into revealing credentials or app passwords through phishing.
• Regularly update your operating system and the apps you use to patch vulnerabilities that attackers might exploit. Enable automatic updates whenever possible so you don't have to remember yourself.
• Keep an eye on unusual login attempts or suspicious behaviour, such as logins from unfamiliar locations or devices. And limit those logins where possible.
• Use security software that can block malicious domains and recognise scams.


Forbes
30-06-2025
- Business
- Forbes
Why The Slow And Steady Adoption Of Passkeys Is A Good Thing
Kevin Dominik Korte: IT Innovation Strategist, Board Member. Expert in identity management, AI and open-source solutions.

Since its initial launch in mid-2022, passkey technology has led a relatively quiet existence without garnering much attention. However, an increasing number of websites have recently started supporting the new concept of passwordless sign-ins. Built on the FIDO2 and WebAuthn standards, passkeys have been heralded as the long-awaited solution to replace insecure passwords. The technology quickly gained the support of tech giants, major brands and open-source enthusiasts. After all, it promises an end to phishing and credential theft, bringing with it phishing resistance, no shared secrets and seamless biometric integration.

Two years since the first implementations, we've seen an uptick in adoption on consumer websites, as the FIDO Alliance highlighted on the occasion of the first "World Passkey Day" on May 1. To date, almost half of the top 100 websites offer passkey integration. Unfortunately, success on the consumer side of things is only half the story. Enterprise adoption remains stubbornly slow. While passkeys offer security and usability advantages, sprawling legacy systems and complex regulatory obligations have caught enterprises between the allure of innovation and the inertia of established processes. Let's dive into the three major types of problems slowing down broader passkey adoption.

Despite technological advances, passkeys also come with several technical disadvantages in enterprise settings. The keys are device-bound, relying on secure enclaves or hardware security modules to store private keys. Transferring them between different devices hinges on proprietary and incompatible protocols. Apple's passkeys do not seamlessly interoperate with Android and vice versa, leaving IT departments to wrestle with compatibility gaps and inconsistent user experiences. This dependency introduces a host of complications for organizations, such as employees switching between corporate laptops and desktops, bring-your-own-device policies and shared workstations. Unlike passwords, which are platform-agnostic, passkeys require careful orchestration across a fragmented ecosystem of devices, operating systems and browsers. While some enterprise password solutions offer support for passkey technology, this adds another piece of software to the growing list of applications.

And then there's legacy integration. Enterprises have invested in their IT systems, and many legacy systems rely on non-web applications. Passkeys were not yet available when IT departments mapped out their application and system requirements. As a result, retrofitting these environments demands significant engineering resources, ongoing maintenance and specialized expertise in protocols like WebAuthn. The cost and complexity of such projects can be daunting, especially when weighed against the perceived incremental benefit over existing multifactor authentication (MFA) solutions companies already have in place. It's no wonder many organizations choose to maintain parallel authentication systems, undermining the very security and efficiency gains that passkeys are meant to deliver.

Beyond the technical, there is the human element as well. Decades of password-centric workflows have defined habits for users and administrators. The introduction of passkeys represents a fundamental shift. It's not only how people log in, but also how they think about it. For passkeys to be widely adopted, we must change how people perceive authentication, passwords and cybersecurity in general. The adoption rates of similar security technologies, like MFA, and the responses to cybersecurity training give us a flavor of the challenges that lie ahead when it comes to convincing administrators, who in turn have to convince their end users.

Yet, IT departments are even more worried about the lack of fallback and reset processes. These threaten to disrupt established help desk routines. What happens when a device is lost, stolen or otherwise compromised? How do you provision passkeys for temporary staff, contractors or disabled users who cannot use biometrics? While it's true that most IT departments have long-established procedures for these questions, they will face these questions again when transitioning to passkeys. The lack of unified support for passkey resets and recoveries compounds the issue. Today, passkey recovery depends on proprietary cloud services or complex key escrow arrangements, which may not align with corporate security policies or regulatory requirements. Until we find a standardized solution for these operational questions, IT leaders will remain hesitant to mandate passkeys as the sole authentication method.

Even if we solve the human and technical issues, regulatory and compliance considerations will slow deployment. Enterprises operate under stringent compliance mandates, including GDPR, HIPAA and PSD2. While passkeys offer strong security guarantees, they introduce new ambiguities around data privacy, especially involving biometric data. Biometrics are typically stored locally and never transmitted, but organizations must still demonstrate compliance and reassure stakeholders that sensitive data is adequately protected. Further, IT and HR have to harmonize these arrangements with bring-your-own-device and similar IT policies. What's more, IT departments must carefully plan and secure partial deployments and transition periods. Partial adoption, though, creates security blind spots by combining the shortcomings of passwords and passkeys.

We're Getting There: Incremental Progress Is A Feature, Not A Bug

Despite these headwinds, surveys suggest that nearly 90% of enterprises are piloting or already using passkeys for customer-facing deployments. However, only a fraction of them have rolled out passkeys organization-wide. On the enterprise side, the most successful implementations have taken a phased approach. High-risk user groups are migrated to passkeys first while existing authentication methods remain an option for everyone else. This incremental strategy allows organizations to realize immediate gains. It reduces phishing, improves security and enhances the user experience, while gradually building the trust and expertise needed for broader adoption.

Ultimately, the slow path to enterprise passkey adoption is not a failure of technology but a reflection of the complex realities of large-scale IT. As with any paradigm shift, success depends on a pragmatic blend of technical innovation, user education and regulatory alignment. For now, passwords may be on notice, but writing their obituary—at least in the enterprise—would be premature.