Question # 12-4
The problems associated with passwords lie in the fact that passwords are easily forgotten, no matter how clever the mnemonic for recalling them is. Some sites require users to change passwords regularly, and people forget which password is current, especially for sites they rarely visit. Many people are careless with passwords and often record them on sticky notes or in computer files. When a computer is infected with malicious code, that code searches for files containing words such as "password" or a variant, and once such a file has been downloaded by the attacker, all of the user's sites and accounts are open. Some people who store their passwords on their computers may never know that their computers have been infected by malicious code that has downloaded the passwords until it is too late.
Question # 12-5
You should not use your Facebook account credentials to authenticate yourself on non-Facebook websites because you have no way of telling what else that site is doing with your Facebook credentials. It could be saving your credentials in a database that may or may not be secure, or it could be selling your credentials to criminals in countries like Nigeria.
Question # 12-6
Alternative authentication methods other than passwords include: i. identification with a picture, where the user chooses a picture, several gestures, and the places on the picture where he/she will trace them, or where the user simply names the people in the picture or provides personal information about them; ii. voice recognition; iii. biometric methods such as fingerprints and retinal scans; iv. FIDO (Fast Identity Online), developed by a consortium including Lenovo, PayPal and later Google, which involves the use of an authentication device purchased as part of the user's mobile device or PC, or as a separate USB device.
Question # 12-7
Advantages of FIDO (Fast Identity Online): i. After the user has been authenticated, a plug-in in the user's browser uses the private key data to generate a one-time password (OTP). This means the password is used only once: the browser generates it and sends it to the website. Hence, it substantially reduces the need to exchange private data, meaning that interception of such data over networks is not easy. ii. In FIDO, the user's authentication information never leaves the user's device. Therefore, passwords and PINs, for instance, are never sent over a network. iii. Private key data must be sent only once to the user, once to each FIDO repository, and once to each website the user visits. iv. FIDO encourages the community's feedback on its performance and any problems in usage, which means that this service will be client-oriented and well received by the public. v. It involves the use of a device with unique keys, meaning that the owner of the device can authenticate access to a device or to some data, unlike a password, where the security depends only on the confidentiality and strength of the password. vi. Having been accepted by many major industry players like Google, Lenovo, and PayPal, FIDO will be widely accepted across many platforms and, therefore, will easily be available across platforms.
Question # 12-8
How FIDO Works: To use FIDO, one needs a vendor-associated device. The vendor provides a secret value, as a private key, one copy to the device and one copy to an independent third party called the FIDO repository. The plan calls for many repositories to exist; their purpose is to provide FIDO authentication to web servers. After the user has authenticated, a plug-in in the user's browser uses the private key data to generate a one-time password (OTP; the password is used for just one session with a website) and sends it to the website. There the web server passes the OTP to another FIDO application, the validation cache. The first time the cache encounters an OTP from a user, it contacts the FIDO repository to obtain the user's private key data. It uses this data to validate the OTP.
[Diagram: FIDO authentication flow. Labels recovered from the figure: Browser (website plug-in), FIDO one-time password, web server (requests app, FIDO validation cache), vendor (private key), authentication by voice, token, password or PIN.]
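The flow described in the answer to 12-8 (vendor issues a private key to the device and to a repository; the browser plug-in derives a one-time password from it; the web server hands the OTP to a validation cache, which fetches the key from the repository only on first encounter) is modelled below as an added example. It is not code from the textbook or from the FIDO Alliance, and it models the textbook's description rather than the published FIDO specifications, which use public-key challenge-response instead of a shared key. The OTP derivation (HMAC-SHA256 over the user id and a per-session counter), the class names and the sample user "alice" are assumptions made for the example; the validation cache additionally rejects a replayed OTP, which is what "one-time" requires.

```python
"""Toy model of the textbook's FIDO OTP flow (assumption: not the real FIDO protocol)."""
import hashlib
import hmac
import secrets


def derive_otp(private_key: bytes, user_id: str, counter: int) -> str:
    """OTP = HMAC-SHA256(private_key, user_id || counter), hex-encoded.

    Assumption: the text does not say how the OTP is derived; keying an HMAC
    with the private key and a counter gives a fresh OTP for every session.
    """
    message = f"{user_id}:{counter}".encode()
    return hmac.new(private_key, message, hashlib.sha256).hexdigest()


class Device:
    """The user's vendor-supplied device holding its copy of the private key."""

    def __init__(self, user_id: str, private_key: bytes):
        self.user_id = user_id
        self._private_key = private_key  # never leaves the device
        self.counter = 0

    def next_otp(self) -> tuple[int, str]:
        """Called by the browser plug-in: one OTP for one website session."""
        self.counter += 1
        return self.counter, derive_otp(self._private_key, self.user_id, self.counter)


class Repository:
    """Independent third party that received the vendor's second copy of the key."""

    def __init__(self):
        self._keys: dict[str, bytes] = {}
        self.lookups = 0  # how often a validation cache asked for a key

    def provision(self, user_id: str, key: bytes) -> None:
        self._keys[user_id] = key

    def fetch_key(self, user_id: str) -> bytes:
        self.lookups += 1
        return self._keys[user_id]


class ValidationCache:
    """Server-side FIDO application the web server hands each OTP to."""

    def __init__(self, repository: Repository):
        self._repo = repository
        self._keys: dict[str, bytes] = {}  # filled on first encounter per user
        self._seen: set[tuple[str, int]] = set()  # (user, counter) already accepted

    def validate(self, user_id: str, counter: int, otp: str) -> bool:
        if user_id not in self._keys:
            # First OTP from this user: contact the repository, then cache the key.
            self._keys[user_id] = self._repo.fetch_key(user_id)
        expected = derive_otp(self._keys[user_id], user_id, counter)
        if not hmac.compare_digest(expected, otp):
            return False  # wrong key or tampered OTP
        if (user_id, counter) in self._seen:
            return False  # replay of an OTP that was already spent
        self._seen.add((user_id, counter))
        return True


class Vendor:
    """Issues one copy of the private key to the device and one to the repository."""

    def __init__(self, repository: Repository):
        self._repo = repository

    def issue_device(self, user_id: str) -> Device:
        key = secrets.token_bytes(32)
        self._repo.provision(user_id, key)
        return Device(user_id, key)


def run_flow() -> dict:
    """Walk through two sessions, a replay and a forgery; return the outcomes."""
    repo = Repository()
    device = Vendor(repo).issue_device("alice")  # constructed sample user
    cache = ValidationCache(repo)

    c1, otp1 = device.next_otp()
    first = cache.validate("alice", c1, otp1)    # cache fetches key from repository
    c2, otp2 = device.next_otp()
    second = cache.validate("alice", c2, otp2)   # key already cached, no lookup
    replay = cache.validate("alice", c1, otp1)   # spent OTP must be rejected
    forged = cache.validate("alice", 99, "0" * 64)
    return {"first": first, "second": second, "replay": replay,
            "forged": forged, "repo_lookups": repo.lookups}


if __name__ == "__main__":
    print(run_flow())
```

The repository is contacted exactly once for the user however many sessions follow, which is the "first time the cache encounters an OTP" behaviour the answer describes; a replayed or altered OTP fails validation even though the right key is cached.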
Question # 12-9
Conditions that will determine whether FIDO becomes an industry standard include: The consortium developing FIDO is supported by large, well-financed companies.
The consortium is creating an open standard, but before that, it is using the opinions of the public to troubleshoot the application, which will ensure flawless operation after the launch.
For as long as the present authentication techniques, such as passwords, keep exhibiting security flaws, there will always be a need for more adaptable and more reliable authentication systems like FIDO, which means that FIDO will remain very much in demand.
Question # 12-10
FIDO is gaining popularity amongst vendors and users. Passwords are more vulnerable to hackers than they are useful to the enterprise users and consumers that create them. The realization by end users that their data is of value is quite important. For instance, a company like Facebook has built its fortune of over a billion dollars on the personal data provided willingly by users. Hence, the protection of the value of such data is quickly extending beyond the scope of passwords.
One cannot keep varying passwords across many websites. It is out of such growing concerns that both users and vendors have seen the importance of finding alternatives in data protection. FIDO, therefore, has come in handy, and thus it is growing popular. Online identity services that deal with identification and authorization are becoming more and more popular with vendors. It therefore means that users will also need to be concerned and pick the options that are defining the days to come. It is obvious that FIDO is quickly gaining momentum due to end-user awareness of the risks they face when using conventional devices and data authentication techniques.
In a show of the growing use of FIDO, some big companies like Google, for instance, have indicated the inclusion of the FIDO U2F open standard in the Chrome browser later this year. Moreover, multifactor authentication options have recently been built into smartphones; for the mainstream services Facebook, Twitter, GitHub, and Google, it is all about addressing strong authentication so as to minimize the use of passwords.
Additionally, device vendors like Apple and Samsung have included fingerprint readers in some of their latest devices, like the iPhone 5 and the Samsung Galaxy S5. More effort and money are being pumped into such authentication options, which include voice and facial recognition.