
Let’s kill the passwords for good

By Vinoth Venkatesan

After years of teasing hints that a password-less future is just around the corner, you’re probably not feeling any closer to that digital liberation. Ten years into working on the issue, though, the FIDO Alliance, an industry association that works explicitly on secure authentication, thinks it has finally identified the missing piece of the puzzle.

The alliance said it has finally developed a mechanism that will be able to replace passwords as the primary form of authentication for the first time.

FIDO has a long-standing record of authentication innovation: it is responsible for the USB hardware-based security keys and worked with the W3C on the WebAuthn security specification.

The primary concept that FIDO believes will finally solve the new-device problem (signing in from a device that has never held your credentials) is for operating systems to implement a “FIDO credential” manager, somewhat similar to a built-in password manager. Instead of storing passwords, this manager stores cryptographic keys that sync between devices and are guarded by the device’s biometric or passcode lock. Unfortunately, security schemes that require extra hardware (such as USB security keys) break what FIDO calls a crucial rule for consumer products.

To that end, FIDO announced, in collaboration with W3C, a new version of WebAuthn that will support the password-less world (eventually!).

FIDO’s vision for a password-less future

FIDO is looking to leverage the mobile devices already in people’s hands for a password-less future. A smartphone is something end users typically have, and virtually all consumer-focused two-factor authentication already relies on the user’s smartphone.

FIDO mentions Apple’s adoption of “Passkeys,” which uses iOS biometrics and the iCloud keychain to verify identities, as one example of its proposal. Passkeys can authenticate users without a password in supported apps, and they are one of the proven password-less authentication options already in use.

The alliance also pointed out that prevailing multi-factor methods such as one-time passwords (OTP) are prone to phishing: a user can be tricked into entering the code on a malicious site, which then relays it to the real one.
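To make the contrast concrete, here is an added example (not code from the article, from FIDO, or from any passkey implementation) that models the three parties in a WebAuthn-style login: a platform credential manager holding one key pair per relying-party (RP) ID, the browser, and the server. The struct and function names, the site names bank.example and bank.example.evil, and the user “alice” are all made up for the illustration, and the client-data format is simplified to the two fields that matter here (the real CollectedClientData carries more). The point it shows is the one the article makes: an OTP is a secret the user types and a phisher can relay, whereas a passkey assertion is a signature over the browser-reported origin and a one-time challenge, so a look-alike site never gets a credential at all, and even a signature obtained for the wrong origin or replayed is refused by the server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"net/url"
)

// Authenticator models the platform credential manager: one key pair per RP ID; private keys never leave it.
type Authenticator map[string]ed25519.PrivateKey

// Register creates a credential for rpID and returns the public key the RP stores.
func (a Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return pub, nil
}

// clientData is a simplified stand-in for WebAuthn's CollectedClientData (assumed shape).
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Sign answers a challenge; the browser-supplied origin is inside the signed message.
func (a Authenticator) Sign(rpID, origin string, challenge []byte) (cdJSON, sig []byte, err error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin}) // cannot fail for this struct
	return cd, ed25519.Sign(priv, cd), nil
}

// BrowserGet plays the browser, deriving the RP ID from the page's own origin.
func BrowserGet(a Authenticator, origin string, challenge []byte) ([]byte, []byte, error) {
	u, err := url.Parse(origin)
	if err != nil || u.Hostname() == "" {
		return nil, nil, fmt.Errorf("invalid origin %q", origin)
	}
	return a.Sign(u.Hostname(), origin, challenge)
}

// RelyingParty is the server: stored public keys and one outstanding challenge per user.
type RelyingParty struct {
	ID, Origin string
	PubKeys    map[string]ed25519.PublicKey
	pending    map[string][]byte
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, PubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// NewChallenge issues 32 random bytes that Verify accepts exactly once.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks challenge freshness and origin before the signature.
func (rp *RelyingParty) Verify(user string, cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if want, ok := rp.pending[user]; !ok || string(cd.Challenge) != string(want) {
		return fmt.Errorf("unknown or replayed challenge")
	}
	delete(rp.pending, user) // single use, even if a later check fails
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.Origin)
	}
	pub := rp.PubKeys[user]
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, cdJSON, sig) {
		return fmt.Errorf("bad signature or unknown user %q", user)
	}
	return nil
}

func main() {
	auth, rp := Authenticator{}, NewRelyingParty("bank.example", "https://bank.example")
	rp.PubKeys["alice"], _ = auth.Register(rp.ID)
	c, _ := rp.NewChallenge("alice")
	cd, sig, _ := BrowserGet(auth, rp.Origin, c)
	fmt.Println("real site:", rp.Verify("alice", cd, sig)) // <nil>
	_, _, err := BrowserGet(auth, "https://bank.example.evil", c) // same challenge, relayed by a look-alike
	fmt.Println("look-alike site:", err)
}
```

Run it with `go run .` to see the legitimate login succeed and the look-alike fail at the browser step. The server-side checks matter too: the challenge is deleted from `pending` before the origin and signature checks, so one assertion can never be verified twice, and the origin comparison rejects an assertion that a compromised client signed with the right key for the wrong site.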

According to FIDO, the framework for password-less authentication relies heavily on mobile devices and the underlying security of their operating systems.

Another crucial component of the proposal is Bluetooth, which would turn devices into roaming authenticators used for proximity-based login. This is no surprise given FIDO’s previous work in this area.

Bluetooth would be used in two scenarios in this deployment: 1) proximity-based authentication and 2) authenticating a new device, which eliminates the need to share passwords when switching to a new smartphone.

FIDO clarifies that the whitepaper detailing its proposal does not change its standards. Instead, it describes changes expected of authenticator vendors to make their implementations easier to use.

The paper also acknowledges that FIDO’s proposal would not necessarily raise security to AAL3 levels, but says it would still be an improvement over plain passwords or phishable second factors. Whether this is the death knell for passwords is something only time will confirm. After almost a decade of work, people are certainly ready for relief from passwords.

About the Author:

Vinoth is a cybersecurity professional at heart with over two decades of experience in Information Technology and Cybersecurity. He is an Australian Computer Society (ACS) Senior Certified Professional in Cybersecurity and holds various industry-leading cybersecurity credentials. Vinoth loves to write about the latest cybersecurity happenings and blockchain-related topics.
