USDA Signs on to FIDO to Deter Phishing Attempts

Here’s Why You Don’t Store Biometrics in a Honeypot: Use Fido!!

Here’s Why You Don’t Store Biometrics in a Honeypot: Use Fido!!

For various reasons, the U.S. Department of Agriculture faces challenges in issuing personal identity verification (PIV) cards to all its workers, despite these credentials being essential for accessing government systems. This presented a problem in combating fraudulent attempts to breach these systems—until USDA developed a pilot program featuring FIDO, or Fast Identity Online.

The issue arose because USDA employs a significant number of seasonal workers who are ineligible for PIV cards. To address this, USDA introduced a waiver process that allowed employees to obtain a user ID and password. However, it quickly became clear that these efforts were vulnerable to sophisticated credential phishing campaigns. 

USDA sought a technical solution that could deliver phishing-resistant multi-factor authentication (MFA) and reduce the risk of malicious actors tricking employees into providing their login credentials. What’s more, they required a solution that offered the same protections as a PIV card while addressing the decontamination challenges present at many USDA sites.

The answer was FIDO, which USDA now touts as a major step forward in fighting phishing attempts. A biometric authentication system, FIDO has allowed approximately 40,000 registered users to securely access USDA’s network without the vulnerabilities associated with usernames and passwords.

Calling FIDO

FIDO authentication has been around for several years, although its adoption is not yet widespread. It relies on physical characteristics, such as a fingerprint, rather than something that can be easily guessed or stolen, like a password. Organization can use FIDO alongside other authentication methods, such as usernames and passwords or two-factor authentication. This layered approach ensures that even if one method is compromised, the other can still verify the user’s identity.

Apple, Google, and Microsoft have been working on a multi-device FIDO credential known as passkeys. According to the FIDO Alliance, global awareness of passkeys has grown significantly in the two years since their introduction—from 39% familiarity in 2022 to 57% in 2024.

“Many different organizations are already using FIDO authentication standards, mostly fintechs, social media companies, search engine providers, email service providers, and gaming companies,” said Jennifer Pitt, Senior Analyst of Fraud and Security at Javelin Strategy & Research. “But only a couple financial institutions have adopted FIDO standards. The biggest hindrances are the time and cost of updating current technology that may not be compatible with FIDO standards.”

Exit mobile version