How Far Are We From a Passwordless Future?
One of the biggest challenges for tech companies trying to create a unified approach to any problem has been creating a standard every company will actually adhere to. Take the example of Fast ID Online, better known as FIDO.
FIDO is a set of authentication standards that enable passwordless sign-ins without sacrificing speed, efficiency or security. The FIDO Alliance was created in 2013 as an open industry association whose stated mission is to develop and promote authentication standards in order to reduce technology’s reliance on passwords. Part of its remit is to promote the development of — and compliance with — standards for authentication and device attestation.
Despite a growing consensus across the tech industry that password use needs to be reduced, if not replaced, passwords remain an important security feature in most organizations. As an alternative to that reality, effective public key infrastructures (PKI) have emerged: the set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and to manage public-key encryption.
But even though effective PKI and strong authentication solutions have existed for years, barriers to widespread adoption persist. According to FIDO, consumers do not like the user experience, and online service providers do not want the cost and complexity of developing and provisioning their own dedicated solutions. So, what now?
Committing to FIDO
On May 5, which has since been designated as World Password Day, Apple, Google and Microsoft announced they had joined forces and committed to expanded support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The goal? To offer a technology-agnostic security specification for strong authentication.
Unlike password databases, FIDO stores personally identifying information (PII) such as biometric authentication data locally on the user's device to protect it. FIDO's local storage of biometrics and other personal identification is intended to ease user concerns about personal data stored on an external server in the cloud. It also reduces the work required for developers to create secure logins for mobile clients running different operating systems on diverse types of hardware.
The commitment to FIDO by the three tech companies received accolades from security experts. Even the Cybersecurity and Infrastructure Security Agency (CISA), an Arlington, Va.-based agency that falls under the U.S. Department of Homeland Security, expressed its support.
Jen Easterly, a CISA director involved in the Shields Up! Initiative, said in a tweet: "👉SUPER COOL! Important step forward in helping make us all safer online. Great work, @Apple, @Google, @Microsoft, @w3c & @FIDOAlliance! #WorldPasswordlessDay"
Whether that commitment and public support will finally give FIDO widespread adoption is still debated.
The Differences Between Passwords and Passkeys
World Password Day may sound like a gimmick for the tech industry, but it has honorable intentions. It is meant to foster good password habits that help keep online lives secure.
Passwords are not only challenging to remember and keep track of, but they are also one of the most common entry points for attackers. According to a blog post by Microsoft — and citing data from Microsoft Azure Active Directory (Azure AD) authentication log data for 2022 — there are 921 password attacks every second, nearly doubling in frequency over the past 12 months.
Passwords are one of the easiest ways of getting into accounts, wrote Vasu Jakkal, corporate vice president for security, compliance, identity and management at Microsoft, in that blog post. And mining passwords is a relatively easy process: Attackers regularly scroll social media accounts looking for birthdates, vacation spots, pet names and other personal information they know people use to create easy-to-remember passwords.
By backing FIDO's mission to create a secure passwordless sign-in standard, the three companies are promoting the use of passkeys. These multi-device FIDO credentials offer users a platform-native way to safely and instantly sign into any of their devices without a password. A passkey is just about impervious to phishing attacks and lets users sign in simply by authenticating their identity with the use of their face, fingerprint or device PIN.
There are two further capabilities that will become available with this multi-company commitment:
- Users can automatically access their passkeys on many of their devices without having to re-enroll for each account.
- With passkeys on their mobile device, users are able to sign into an app or service on nearly any device, regardless of the platform or browser the device is running.
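Why a passkey is "just about impervious" to phishing comes down to what the authenticator signs: the browser-reported origin and a hash of the relying party's domain (rpId) are bound under the signature, so the server can reject an assertion produced on a look-alike site. The following Go program is an added illustration, not code from the article or from the FIDO Alliance; it simulates both sides of a WebAuthn sign-in with constructed values (bank.example, the challenge, the authenticator flags and counter), and the browser's own refusal to use a passkey whose rpId does not match the page origin is a second layer not modelled here.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData: the part of WebAuthn clientDataJSON used here. The browser sets Origin; page script cannot.
type clientData struct{ Type, Challenge, Origin string }
// signedMessage: a passkey signs SHA-256(authenticatorData || SHA-256(clientDataJSON)) with ECDSA P-256.
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}
// authenticatorSign mimics a passkey: authenticatorData = SHA-256(rpID) || flags UP|UV || counter 1 (constructed).
func authenticatorSign(priv *ecdsa.PrivateKey, rpID string, cdJSON []byte) ([]byte, []byte, error) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x05, 0, 0, 0, 1)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdJSON))
	return authData, sig, err
}
// verifyAssertion is the relying-party side: origin and rpIdHash sit under the signature, so an assertion made on a look-alike domain fails even though its signature is valid.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, cdJSON, authData, sig []byte) error {
	var cd clientData
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return fmt.Errorf("malformed clientData, wrong ceremony type or stale challenge")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin %q is not %q: assertion was signed on another site", cd.Origin, origin)
	}
	if rpHash := sha256.Sum256([]byte(rpID)); len(authData) < 37 || string(authData[:32]) != string(rpHash[:]) {
		return fmt.Errorf("rpIdHash does not match %q", rpID)
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, cdJSON), sig) {
		return fmt.Errorf("signature does not cover this authenticatorData and clientData")
	}
	return nil
}
// demo runs one sign-in for bank.example with the browser-reported origin given (constructed values); nil only for the real site.
func demo(origin string) error {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cd, _ := json.Marshal(clientData{"webauthn.get", "nonce-123", origin})
	ad, sig, _ := authenticatorSign(priv, "bank.example", cd)
	return verifyAssertion(&priv.PublicKey, "bank.example", "https://bank.example", "nonce-123", cd, ad, sig)
}
```

Calling demo("https://bank.example") returns nil, while demo("https://bank-example.com") fails on the origin check before the signature is even examined.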
More Mobility for Users and Their Devices
The Apple, Google and Microsoft commitment may signal that passwordless authentication will be made available sooner than anticipated — and with little effort from users, said Mike Van Delinder, product manager at Minneapolis-based Jamf, which helps organizations manage their Apple environments.
When using a platform that embraces these new specifications, users will be able to authenticate their identity by relying on the security mechanisms built into their device. Relying on a device's built-in biometrics, like Face ID or Touch ID, to authenticate apps and services reduces the burden on users to create and manage a litany of passwords.
It also improves mobility. Users can register for passwordless authentication on one device, and even if that device is lost or replaced, the cryptographic information is synced to a new device, so that users can still access their cloud data. Past iterations would have required people to purchase physical, external key-like devices for the storage of this cryptographic data. There was little recourse if the device was lost or forgotten.
“We're getting closer to the dream of no passwords for individual services, and no extra physical items, beyond their mobile phone, for someone to remember to carry around,” Van Delinder said. “It remains to be seen how these new capacities will translate from the consumer landscape and into the enterprise.”
Will No Passwords Mean New Security Risks?
Passwordless sign-in has the potential to provide a good combination of security and ease of use. But some caution is warranted. History has shown that the exception scenarios are typically the easiest attack vectors for bypassing primary security mechanisms, said Avi Turgeman, CEO and co-founder of New York City-based privacy and security company IronVest.
For that reason, there are concerns that there will be far less secure protocols and procedures implemented for scenarios such as lost devices, new device registration and other similar situations.
“While FIDO does have potential to improve the authentication, it does not address the inherent cyber risks of post-login threats,” Turgeman said, noting that while FIDO stores PII locally on the user's device to protect it, there are inherent risks with that approach and alternate solutions to storing biometrics in a non-centralized manner.
All of this remains to be seen. The success of these efforts will depend on how and when developers and business owners choose to implement FIDO, and where and what bypass mechanisms they put in place to maintain security and user experience.