If you like passwords, you’re not internetting properly.
You can never remember them; any decent hacker can exploit their weaknesses; whatever you do to make them safe creates even more problems. You can use password managers like Dashlane, 1Password, and LastPass, which will create unique and strong passwords for all of your accounts, but the software is far from simple. When you choose to sign in with your Google, Apple, or Facebook account to access services on other sites, you’re inadvertently giving those companies even more power over your online existence. Then there’s two-factor authentication, the system that sends you a second passcode by SMS or through a different app whenever you log into a site; security is no doubt boosted, but it’s still far from failsafe.
Something new is afoot that could get rid of the need for passwords entirely. A new bit of tech called FIDO is ready to completely overhaul the process you go through to log-in to systems. By combining your phone, face, and fingerprint recognition with a new piece of hardware called security keys we could see passwords that lurch from cringey and awful to finally being consigned to the annals of internet history.
“A password is something you know. A device is something you have. Biometrics is something you are,” said Stephen Cox, chief security architect of SecureAuth. “We’re moving to something you have and something you are.”
This week, Stephen Shankland, along with staff writer Alfred Ng, explored changes that are coming to liberate us from passwords with CNET, where this article originally appeared. As the realm of secure log-in online evolves, things are going to start to look different when you check your emails, deal with your banking, or use your employer’s network. Here, we’ll explore some of the innovations around online access that’ll get rid of passwords and all their inherent vulnerabilities.
I h8 passw0rds
Even in the good ol’ days of the 1960s, passwords were already a pain in the backside. Back then, an MIT researcher called Allan Scherr dug around for the passwords of his colleagues to further his “larceny of machine time” and keep his own project rolling. Into the 1980s, Clifford Stoll, an astrophysicist at the University of California, Berkeley, was able to track down a German hacker roaming through military and government systems that had been left vulnerable when system administrators didn’t bother to change the default passwords.
It’s inbuilt into the nature of passwords to make us lazy. The most secure ones, ones that are long and complex and full of different characters, are innately hard to make up and even harder to remember, and unnatural for us to type to boot. With all this effort involved, it’s little wonder we generally recycle them across lots of sites.
Our laziness presents a huge problem since hackers already know what we use for most of our passwords. There’s a service called “Have I Been Pwned” that holds 555 million passwords that have already been hacked during data breaches. A lot of attacks now get automated with the hackers doing a process known as “credential stuffing”, that is, they try huge lists of username and password combinations to finally hunt down something that works.
Fetch the FIDO
Fast Identity Online, or FIDO, has come up with a system that takes into account all of these issues and solves each of them. Their system introduces a standard use of hardware devices like security keys to authenticate users. The FIDO system is being developed by a who’s who of tech companies, with Yubico, Microsoft, PayPal, Google, and Nok Nok Labs all getting involved.
You can think of security keys as the digital version of your front door key. They work by plugging into a USB or Lightning port and then allowing one digital security key to provide you access across a whole range of websites and apps. It’s compatible with biometrics too, working alongside Apple’s Face ID and Windows Hello. Some keys can even work wirelessly.
The FIDO system will allow websites and online services to get rid of password requirements entirely. Can you imagine a life without having to remember which cat’s name you chose for your Facebook account twelve years ago? Hackers will also have a much harder time trying to get around the system.
There’s plenty of enthusiasm and bold predictions about its future. “Within the next five years, every major consumer internet service will have a passwordless alternative,” according to Andrew Shikiar, executive director of the FIDO Alliance, an industry consortium. “The bulk of those will be using FIDO.”
FIDO will only work with genuine, legitimate websites, which should also bring a vast reduction in phishing attacks: attacks that use fake email addresses and links to bogus websites to get you to hand over your log-in and account information. It should also reduce catastrophic data breaches because sensitive account information won’t need to be stored centrally. Even if a hacker does get hold of your password, without the security key it’ll be worthless, and in the long run FIDO means there’ll be no need for a password to start with.
A world without passwords
To get a better understanding of how FIDO would work to sign in to a site without a password, here’s how it’d go step by step. Once you’re on a website’s log-in page on your laptop browser you’d enter your username and insert your security key into a port. Next, you’d tap a button on the key and then complete authentication using the biometrics on your device like Touch ID from Apple or Hello from Windows.
Keeping things super simple, you’re going to be able to use your phone as a security key, too. For this to work, you’d enter your username and then get a prompt on your phone screen; you’d unlock the phone and approve the log-in using whichever biometric system it uses. When you’re on your laptop, your phone would communicate with it through Bluetooth, making things super simple.
The concept of multifactor authentication, meaning proving who you are in at least two ways, is the basis for the protection built into FIDO.
What you actually do with FIDO
When you first get your hands on FIDO, things are going to look very much the same as standard two-factor authentication. The first thing you’ll do is enter your normal password then put the physical security key into your computer.
Passwords aren’t disposed of entirely, but it’s a vast improvement over using just a password, or a password in conjunction with an SMS code or a code from an app like Google Authenticator. Using the password-plus-security-key method is the way FIDO currently works when you access Facebook, Twitter, Google, Dropbox, and Microsoft services such as Outlook, and it’ll eventually work on Windows itself.
“Hardware security keys are very, very secure,” said the chief product officer of authentication services company Okta, Diya Jolly. This explains why the system has already been adopted by congressional campaigns, all Google employees, and even the computing systems division of the Canadian government.
When you’re using a consumer service, you’re probably only going to need to insert your key into your device on the initial log-in on a new computer or phone, or when you’re doing something involving money or data like making a purchase or updating your contact details. As simple as companies try to make it, it’s always going to be a hassle to need a security key when you’ve not got it handy.
There are security keys that are already on the market, such as the Yubikeys from Yubico and the Titan from Google. You can pick up the basic hardware for as little as $20 but if you want to go fancy and have USB-C and Lightning port compatibility or wireless connectivity you’re going to be spending around $40. Getting even more advanced, there’s the Ensurity ThinC, the eWBM Goldengate G320, or the Feitian BioPass that all have fingerprint sensors included, a feature that you can expect to see in Yubico models in the near future too.
It’s worth buying more than one key so that if you break one or it gets lost you always have a backup. Multiple keys can be registered for most systems so your spare can be left safe and sound at home in your safe or in the bottom of a drawer in your kitchen somewhere.
Phones are now keys
In 2019 Google added the technology for FIDO keys into Android and did the same thing with its software for iPhones in January this year. The operating system update means that you can get into your Google account through your laptop by using an onscreen prompt on your phone; it just needs to be in Bluetooth range with your laptop at the time. In time, this way of doing things is going to reach beyond Google systems.
To enable FIDO authentication, browsers and websites need to get a feature known as WebAuthn. Because FIDO is now hardwired into the Android OS it can be used on apps too, and now that Apple has come onboard with the FIDO Alliance there should be in-app support for iPhones on the way very soon. Another huge tech firm that is getting behind this technology is Microsoft. They stole the lead on Google when they made Outlook, Office, Xbox Live, and Skype all compatible with no-password log-ins recently. Get a hardware key and set up Windows Hello to recognize your face or fingerprint, or use the hardware key in combination with a PIN, or have the Microsoft Authenticator app running on your phone alongside a hardware key.
FIDO protection against phishing
The same public key cryptography that has kept your credit card details safe online for decades is also used in FIDO. Because of it, the hardware you use, whether a purpose-bought key or your phone, won’t be fooled by a dodgy, fake website, the trick used by fraudsters who go phishing for your account credentials online. Humans aren’t always so great at spotting a fake website when it’s been done well, but security keys only work with legitimate, registered sites, so you can trust their judgment.
“With security keys, instead of the user needing to verify the site, the site has to prove itself to the key,” said Mark Risher who works as an authentication leader at Google, in a recent blog post. Once Google migrated all of its employees over to security keys there were a total of zero successful phishing attempts at the firm.
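To make the step-by-step sign-in described earlier and the “site has to prove itself to the key” property concrete, here is an added, runnable sketch of the exchange. It is example code written for this page, not CNET’s, the FIDO Alliance’s or any vendor’s implementation, and it simplifies WebAuthn to its essentials: the authenticator keeps one key pair per site (the “RP ID”), the browser (not the web page) records the origin and derives the RP ID from it, and the site checks a fresh challenge, the origin and the RP ID hash before verifying the signature. The names (`Authenticator`, `RelyingParty`, `browser_get_assertion`, the `accounts.example.com` and `evil.test` hostnames, the user `alice`) are constructed for the example, and textbook RSA with tiny keys stands in for a real authenticator’s signature algorithm purely so the code can run offline; it is not secure and must not be reused.

```python
import hashlib, json, math, random, secrets
from urllib.parse import urlparse

# Toy signature scheme: textbook RSA, 512-bit keys. NOT secure; it stands in for the real
# authenticator's signature algorithm only so that the protocol logic below can actually run.
def _probable_prime(n, rounds=16):                    # Miller-Rabin on an odd candidate
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, with top bit set
        if _probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and math.gcd(65537, (p - 1) * (q - 1)) == 1:
            return (p * q, 65537), (p * q, pow(65537, -1, (p - 1) * (q - 1)))  # (public, private)

def sign(private, message):
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), private[1], private[0])

def verify(public, message, signature):
    return pow(signature, public[1], public[0]) == int.from_bytes(hashlib.sha256(message).digest(), "big")

class Authenticator:
    """Security key or phone: one key pair per relying party; private keys never leave it."""
    def __init__(self):
        self.creds = {}                                   # cred_id -> (rp_id, private key)

    def make_credential(self, rp_id):
        public, private = generate_keypair()
        cred_id = secrets.token_hex(8)
        self.creds[cred_id] = (rp_id, private)
        return cred_id, public                            # only the public key goes to the site

    def get_assertion(self, rp_id, client_data_hash):
        for cred_id, (stored_rp, private) in self.creds.items():
            if stored_rp == rp_id:
                auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"   # rpIdHash || flags
                return cred_id, auth_data, sign(private, auth_data + client_data_hash)
        raise LookupError(f"no credential registered for {rp_id}")

def browser_get_assertion(authenticator, origin, challenge):
    """The browser, not the web page, records the origin and derives the RP ID from it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    cred_id, auth_data, sig = authenticator.get_assertion(
        urlparse(origin).hostname, hashlib.sha256(client_data).digest())
    return {"cred_id": cred_id, "client_data": client_data, "auth_data": auth_data, "sig": sig}

class RelyingParty:
    def __init__(self, origin):
        self.origin, self.rp_id, self.users, self.pending = origin, urlparse(origin).hostname, {}, {}

    def register(self, user, cred_id, public):            # stores public keys only: nothing to steal
        self.users.setdefault(user, {})[cred_id] = public

    def start_login(self, user):
        self.pending[user] = secrets.token_hex(16)        # fresh challenge, consumed on first use
        return self.pending[user]

    def finish_login(self, user, a):
        challenge, cd = self.pending.pop(user, None), json.loads(a["client_data"])
        public = self.users.get(user, {}).get(a["cred_id"])
        ok = (public is not None and challenge is not None
              and cd.get("challenge") == challenge          # fresh, unreplayed challenge
              and cd.get("origin") == self.origin           # the browser's origin, not the page's claim
              and a["auth_data"][:32] == hashlib.sha256(self.rp_id.encode()).digest())  # key scoped here
        return ok and verify(public, a["auth_data"] + hashlib.sha256(a["client_data"]).digest(), a["sig"])

def demo():
    key, rp = Authenticator(), RelyingParty("https://accounts.example.com")
    cred_id, public = key.make_credential(rp.rp_id)          # registration, done once
    rp.register("alice", cred_id, public)
    a = browser_get_assertion(key, rp.origin, rp.start_login("alice"))
    results = {"genuine": rp.finish_login("alice", a), "replay": rp.finish_login("alice", a)}
    try:                                                     # look-alike site relays the real challenge
        browser_get_assertion(key, "https://accounts-example.com.evil.test", rp.start_login("alice"))
        results["phish"] = True
    except LookupError:                                      # no key is scoped to the look-alike domain
        results["phish"] = False
    cd = json.dumps({"type": "webauthn.get", "challenge": rp.start_login("alice"),
                     "origin": "https://evil.test"}).encode()   # a client that lies about its origin
    cid, ad, sig = key.get_assertion(rp.rp_id, hashlib.sha256(cd).digest())
    results["lied_origin"] = rp.finish_login("alice", {"cred_id": cid, "client_data": cd,
                                                       "auth_data": ad, "sig": sig})
    return results

if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives a genuine login that succeeds, a replayed assertion that fails (the challenge was consumed), a look-alike site that gets no assertion at all (the key holds nothing for that domain), and a client that lies about its origin which the site still rejects because the origin in the signed client data does not match. That last check is why the site, not the user, ends up judging the page, which is the point Risher makes above. A real deployment differs in detail: authenticators sign with ES256 or EdDSA, the browser enforces that a requested RP ID is a registrable suffix of the origin, and the authenticator data also carries a user-verification flag and a signature counter.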
By getting rid of the need for passwords, we’re removing a layer of sensitive information that a hacker is able to get their hands on. For IT administrators, this is a vision of heaven. By using FIDO, SecureAuth’s Cox says, companies aren’t going to have to hold “centralized databases of credentials to be stolen.”
Creating new problems
It’s not all milk and honey in the land of security keys. Changing the world over to a place without passwords isn’t going to be a smooth process. The world knows passwords: we use them, we understand them, and we all know how they work, even if we do hate them. No matter your feelings toward your passwords, you have your own little tricks to remember what your favorite book was when you set up your email account in high school twenty years ago.
Getting a security key fully functional isn’t as easy as picking a password. The procedures for registering keys aren’t standard across websites and systems yet. As an example, Twitter won’t accept your backup key because you can currently only have one registered at a time.
Getting your security key registered, or enrolled, “is a terrible problem,” said the chief solutions officer of Yubico, Jerrod Chong. He works at the 12-year-old company that manufactures the hardware for security keys, and it’s integral to the success of the FIDO Alliance. He does anticipate improvements in the enrollment process, with things already getting much smoother over the last year or so.
When you think about the number of different accounts that you need to be able to sign into, and then consider how many security keys that’s going to take, it’s clear there are going to be issues in managing so many. Just like your house keys, they can also get broken or end up lost, and when they use Bluetooth there is always a risk the battery will die too.
“Most people are familiar with passwords. It’s something they’ve grown up with. It’s imprinted on them,” said Forrester security analyst Chase Cunningham. “From a consumer level, we’re probably five to seven years out from killing passwords being a reality.”
When trying to bring hardware security keys into a company, it’s not going to be plain sailing. There is the cost for the company to consider and replacements when employees inevitably lose or damage them, and they’re just not going to be easy to have people accept when they’re different from what they’re used to. Two-factor authentication is too much hassle for your average internet user, even when the benefits are massive and obvious.
“Usernames and passwords are still the most prevalent option,” said the co-founder and CTO of Auth0, Matias Woloski, a company selling authentication services. “Nobody wants to take a shot at not providing that option.”
Security keys for the future
As much as there are some problems that will have to be addressed with security keys, there are bigger and more pressing issues with the current way of doing things.
By using physical security keys rather than passwords, a massive swathe of cybercrime that has come about because of passwords is pretty much removed. Being able to reset passwords means having expensive systems that hackers can easily game. Realistically, is it ever possible for a normal person to remember all the strong and unique passwords they’re supposed to have for all the sites that they use?
Using security keys and phones that are powered by FIDO’s system will bring about a passwordless world and bring about a step-change in our currently feeble online security regime, according to Okta’s vice president of product, Joe Diamond. “It’s clearly the future.”