Major tech companies looking to move away from passwords

17-05-2022 | By Robin Mitchell

A recent announcement from major tech companies, including Apple, Google, and Microsoft, outlines plans to move away from password authentication in favour of the FIDO standard. What challenges do passwords present, what is FIDO, and what benefits will it have?


What challenges do passwords present?


It can be argued that passwords are humanity's oldest form of security, whether used to keep uninvited guests out of a party or to keep an organisation exclusive. From the first multi-user computers onwards, user security has typically rested on a password, and to this day the password remains the most common method of user authentication.

Users generally prefer passwords to random strings and PINs because a password can be built from an easily remembered phrase: the individual's name, then their place of birth, then where they live. Additionally, people often reuse the same password across multiple accounts so that they only have to remember one.

Anyone with the slightest experience in security can already see the serious flaws in passwords chosen by humans. The problem is rarely the password mechanism itself; even a properly stored (salted, slowly hashed) password is only as strong as the password the user picked. Trivial passwords such as "password" are guessed almost instantly, because attackers run dictionary attacks built from lists of the most commonly used passwords and from previously leaked credentials. Users who reuse one password across multiple accounts are left extremely vulnerable when any one of those accounts is breached: the attacker simply replays the same credentials against every other service (credential stuffing) and gains entry to all of them.

Thus, we find that modern password systems are flawed not because of their programming but because of the passwords chosen by users. Even when a system requires a mix of letters, numbers, and symbols, people still find ways to create obvious passwords (such as p@$$w0rd), and attackers' word lists already include the substitutions that turn "password" into "p@$$w0rd".


What is FIDO?


In recognition of these challenges, three major tech companies (Apple, Google, and Microsoft) announced on 5 May 2022 that they would expand support for the FIDO standard with the aim of replacing passwords. FIDO (Fast Identity Online) is a set of open authentication standards maintained by the FIDO Alliance, an industry association focused on passwordless sign-in; the current generation, FIDO2, pairs the W3C WebAuthn browser API with the CTAP protocol used to talk to external authenticators. Rather than a shared secret that both the user and the server must know, FIDO uses public-key cryptography: the private key is held by an authenticator (a security key, or a phone or laptop with a secure element or TPM) and is unlocked locally with a biometric or a device PIN. The announcement also covers so-called passkeys, FIDO credentials that can be synchronised across a user's devices and used from a nearby phone to sign in on another device.

Authenticating with a device or physical object makes an attacker's job far harder than a password does. The credential is typically a 256-bit elliptic-curve key pair: the private key never leaves the authenticator, so it cannot be phished, read out of a breached server database (which holds only public keys) or recovered by brute force, and biometric data is matched locally on the device and never transmitted. A smartphone therefore combines a hardware-protected key with a local biometric or PIN check, so an attacker would need both the physical device and the owner's fingerprint, face or PIN in order to sign in.

For FIDO to authenticate a user, the authenticator generates a public/private key pair when the user registers (i.e., signs up) with a service; the public key is sent to the server and stored against the account, while the private key stays inside the device. Whenever the user wishes to log in, the server sends a fresh random challenge. The browser forwards it to the authenticator together with the site's identity, the authenticator performs local user verification (a fingerprint, face scan or PIN), signs the challenge and the site identity with the private key, and returns the signature. The server verifies it with the stored public key, and because the credential is bound to the site it was registered for, a look-alike phishing site cannot obtain a signature that the real site will accept. In essence, FIDO takes the public-key signature technology that drives TLS (SSL) certificates and uses it to authenticate users.


What benefits will FIDO provide?


Undoubtedly, if FIDO replaces passwords, the most significant advantage is that attackers will have a much harder time accessing individual accounts: there is no reusable secret to phish, to steal from a breached server, or to replay against other services. Without the physical device linked to a service, it would be almost impossible for an attacker to impersonate the user.

Users of FIDO may also find improved convenience, as scanning a fingerprint or face is generally faster than typing a password. Because the biometric only unlocks the device's key store, and the device holds a separate key for each service, users no longer need to remember log-in details for different services.

However, FIDO may also present challenges to those who lack access to smartphones, those who do not wish to use a smartphone for authentication, and those who do not want devices scanning their biometric data, which, if stolen, could lead to serious violations of privacy. Two points in FIDO's favour here: the biometric template stays on the device and is never sent to the service, and biometrics are not mandatory, since a device PIN is an equally valid form of local user verification. Even so, the use of biometric data may encourage physical attacks whereby criminals force a user to place their finger on a device or, worse, simply remove the finger for quick access.

Luckily, there are no reports of such crimes happening, and this may be partly due to how biometric sensors work (capacitive fingerprint sensors, for example, rely on the electrical properties of living tissue, so a detached finger is unlikely to register), but that is not to say it will never happen.

Overall, device-based authentication is a step in the right direction for user security, and it is time for passwords to be put to rest.


By Robin Mitchell

Robin Mitchell is an electronic engineer who has been involved in electronics since the age of 13. After completing a BEng at the University of Warwick, Robin moved into the field of online content creation, developing articles, news pieces, and projects aimed at professionals and makers alike. Currently, Robin runs a small electronics business, MitchElectronics, which produces educational kits and resources.