Can Better Security Lead to Better Usability? Yes, and FIDO Is the Answer

Posted by Dmitri Tyles on December 21, 2021

Security and User experience

By Dmitri Tyles, Senior Director of Engineering, Deltek

Security and trust are foundational elements of Deltek’s offerings and business operations. As part of our commitment to delivering innovative products with superior service and support, we are dedicated to exploring new ways of infusing emerging technology to enhance the user experience. One way we are doing that is by leveraging FIDO, or Fast Identity Online, to improve the security and usability of our industry-leading solutions for Deltek Project Nation.

The Catalyst

On May 12, 2021, President Biden issued an executive order (EO) on Improving the Nation’s Cybersecurity, stating that for both public and private sectors, “prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.” As instructed by the EO, the Office of Management and Budget (OMB) released the Federal Zero Trust Strategy, a much more detailed document that establishes a blueprint for implementing what is being referred to as a zero trust architecture.

This architecture includes secure system design and deployment where all actors and components are not trusted by default and have to meet a higher bar for proving their identity and permissions. In addition, the EO explicitly states that “The Federal Government must lead by example,” expecting that the technologies recommended within the blueprint for civilian government agencies should also be adopted by the private sector.

So what does that mean for an average employee accessing their corporate system or a consumer accessing their financial or e-commerce application? Based on what we’ve learned over the last 10+ years, a user’s typical expectation would be longer passwords, more multifactor authentication (MFA), more clicks and more effort to enter all kinds of extra two-factor authentication (2FA) codes. And unfortunately, all of these can end up sacrificing usability and user experience for the sake of better security.

However, and probably for the first time in software security history, we are adopting technologies required to improve security that will lead to fewer clicks, less effort and hopefully improved usability for employees and consumers. The game-changing innovation raising the bar on security and, at the same time, improving usability is FIDO, or Fast Identity Online. FIDO is also often referred to as WebAuthn, after the name of the standard approved by the W3C, the international standards organization for the World Wide Web. We’ll explore what makes FIDO stand out from security and usability perspectives in the following sections.

Security Perspective

I recently presented a session at the Authenticate 2021 Conference in Seattle on FIDO support within Deltek’s Costpoint ERP solution. But before we get to Costpoint’s capabilities, it’s important to understand what makes FIDO so special that it is explicitly mentioned within the OMB blueprint.

The main (by far) security threat that the software industry is facing is phishing, and we’ve been losing this battle, as it’s impossible to avoid people clicking on phishing links entirely. As a result, the OMB blueprint specifically requires not just any MFA but phishing-resistant MFA, and this is where FIDO becomes critical:

“Fortunately, there are phishing-resistant approaches to MFA that can defend against these attacks. The Federal Government’s Personal Identity Verification (PIV) standard is one such approach, and so will help many agency systems meet this baseline. The World Wide Web Consortium (W3C)’s open “Web Authentication” standard, another effective approach, is supported today by nearly every major consumer device and an increasing number of popular cloud services. … public-facing agency systems that support MFA must give users the option of using phishing-resistant authentication. Because most of the general public will not have a PIV or CAC card, agencies will have to meet this requirement by providing support for Web Authentication-based approaches, such as security keys.”

Effectively, the OMB blueprint mandates that software solutions must offer either PIV/CAC card or FIDO support, either built-in or through integration with other security products. Considering that the PIV card approach is generally more expensive and harder to scale, that leaves FIDO as the primary phishing-resistant MFA approach.

Usability Perspective

Putting aside the security benefits of FIDO, the question remains: how does it help improve user experience? As stated in the OMB blueprint, the key to usability is: “[FIDO] is supported today by nearly every major consumer device and an increasing number of popular cloud services.” While FIDO technology does include support for a variety of external security keys, in most cases there is no need for IT or consumers to buy anything extra.

These days, almost every laptop, tablet, or phone is already a certified FIDO device, capable of securely authenticating a user through biometrics such as face recognition or fingerprint, or by entering a PIN. For example, Windows Hello in Windows OS is a certified FIDO platform, as are Face ID and Touch ID on iOS or Android phones. And, with FIDO, the concept of passwords no longer exists, with both a user and software passing a high bar of phishing-resistant MFA with a single Face ID or Touch ID, which is good for security and usability.

FIDO Industry Adoption

Over the past few years, the adoption of FIDO has been steadily increasing in both the enterprise and commercial space in the U.S. and around the world. Most of us likely already use FIDO authentication when using Face ID or Touch ID to access various financial applications. In September, Microsoft announced FIDO support for all enterprise and personal accounts in their Cloud, along with Target, Verizon, Google and MasterCard, who recently rolled out FIDO security to their employees. BestBuy also now offers a WebAuthn login option as the first alternative to using a password, above the Sign In with Apple and Google options.

We’ve also seen FIDO adoption within the federal government, including in the last presidential election campaign, where 100% of the DNC staff and approximately 80% of campaign volunteers used FIDO security keys. Another example is the Login.gov website, which has been supporting FIDO for a few years now.

Deltek Costpoint Support for FIDO

So here is where Costpoint FIDO support comes in: Deltek is proud to offer out-of-the-box Costpoint support for this innovative technology and to display the FIDO logo on the Costpoint login page to inform our users that they have this option. Deltek Costpoint supports FIDO on all devices, including laptops, tablets, and phones, with both built-in authentication options (Face ID, Touch ID, and PIN) and external security keys, which can be connected through USB, NFC or Bluetooth. The same user can have multiple FIDO devices or keys. And it’s also perfectly acceptable for the same user to use more than one authentication option, such as single sign-on on a laptop and FIDO on a phone.

In addition to passwordless FIDO authentication (supported in Costpoint since version 7.1.1), in Costpoint 8.1 we also offer usernameless FIDO authentication. With this option, not only does a user not need to enter a password on the login screen but there is no need to enter a user ID either, since it’s taken directly from the FIDO device. This not only improves usability but also allows customers to use Deltek Costpoint in kiosk mode on a shared device with each user securely accessing the system without ever typing anything into the login screen.

As the leading project-based ERP provider for government contractors, Deltek continues to carefully monitor the latest security trends and guidance from NIST and Federal agencies to ensure that our customers are well positioned to secure their systems and comply with necessary regulations. We are proud that we were able to foresee the trend around FIDO and can offer this innovative technology for both on-premise and Deltek Cloud customers, including Deltek’s latest Costpoint GovCon Cloud Moderate offering.


About the Author

As Senior Director of Engineering, Dmitri Tyles is responsible for the design and implementation of the Costpoint ERP family of products and has over 20 years of experience in the ERP software business. Connect with Dmitri on LinkedIn.