The Day that Passwords Died (It’s coming soon, really!)
If there was ever a reason to celebrate, it will be the day we no longer need passwords for secure logins and access to websites and apps. For the vast majority of people, passwords have become the bane of their online existence.
Properly utilized, today’s password-based protection is a very sound security measure, especially when paired with two-factor authentication (2FA). It’s just that we don’t properly utilize password protocols, making the whole thing very unsound, not to mention cumbersome.
The Problem with Passwords
Most of us have dozens of password-protected applications and accounts. And most of us create dangerous shortcuts.
Too many of us don’t bother to use any of the terrific password manager programs available, which leave us with only one complex password to remember or look up. We don’t set up 2FA when we’re given the opportunity. We use the same relatively easy password for multiple minor accounts. We select the “remember my password” option. We use phishable passwords like our own birthday, our partner’s or child’s name, or “12345678,” which is apparently one of the most frequently used passwords, possibly second only to “password.”
Our Preference for Ease of Use
We take these chances because we’re in a hurry. It seems like we only want to be safe if it’s convenient. Fortunately, the new passwordless system will accommodate that aspect of human nature.
The new solution will be both secure and simple to use. Logging in to any of your accounts will be as easy as unlocking your phone – whether you use a PIN or you’ve opted for facial or fingerprint biometric recognition. In fact, that’s exactly how it will work once you update your cell phone to add your very own, futuristic “mobile authenticator,” aka multi-device credential, aka sign-in credential, aka passkey.
FIDO to the Rescue
The FIDO Alliance has been working for nearly a decade to solve the challenge of moving beyond password-based identity authentication protocols. This inter-industry technology association includes representatives from many of the top companies in financial, healthcare, technology, and online security services. Importantly, FIDO includes Apple, Google, and Microsoft, meaning the new FIDO solution has their blessing and the passwordless authentication standards will work across their respective platforms and browsers.
Behind the Screen
Without going too deep into the weeds, your smartphone will have a new cryptographically secure token or passkey that’s stored in the cloud (so if you lose or destroy your phone it can sync with your replacement device).
When you try to open a protected website or application, regardless of your operating system, that program will send a prompt to your phone requiring you to verify your identity. But instead of seeing a screen asking for a user name and password, you’ll be asked to authenticate your identity by unlocking the passkey using your phone’s biometric recognition feature or PIN. In other words, it’s as easy as opening your phone.
The phone must be in close proximity to the device the user is using to access the site so the two can sync with a Bluetooth connection.
Easier, Better Security
The soon-to-be out-of-date password-based security systems require that you know or remember something. By necessity, that “something” needs to be complex because phishing systems are actively trying to guess your “something.”
The FIDO passkey-based security system, on the other hand, only requires that you have your cellphone with you and that you have your face or fingerprint with you. I know I tend not to leave home, or the room for that matter, without each of those three things.
Unphishable and More Secure
Experts from all walks are putting their reputations on the line touting the security of FIDO’s passwordless solution. They make a strong case.
- It will finally be easy for users to comply with state-of-the-art online security protocols.
- FIDO’s authentication is safer than current passwordless authentication systems that ultimately fall back onto password requirements or are not recoverable with the loss of the device.
- Since it relies on Bluetooth connectivity, only the person present can complete the authentication.
- If the device is lost, its passkey can’t be accessed by another person.
- Since the passkey is in the cloud, it can be recovered to a new replacement device by secure Bluetooth access and placed onto an already authenticated device.
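The article does not spell out the protocol behind "Behind the Screen" and the "unphishable" claim, so here is an added example (not from the article or from FIDO) of the WebAuthn-style check involved: the phone signs the website's one-time challenge together with the origin the browser actually sees, and the website verifies both. The domain names, function names, and the simplified authenticatorData layout are assumptions for illustration.

```javascript
const crypto = require("node:crypto");

const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Phone (authenticator): key pair created at registration, scoped to one site.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { rpId, publicKey, privateKey };
}

// Browser + phone: sign the challenge together with the origin the browser
// actually sees. Unlocking the phone (biometric or PIN) gates this step.
function signAssertion(passkey, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get",
    challenge: challenge.toString("base64url"),
    origin,
  }));
  // Simplified authenticatorData: rpIdHash || flags (0x01 present | 0x04 verified) || signCount
  const authenticatorData = Buffer.concat([
    sha256(passkey.rpId), Buffer.from([0x05]), Buffer.alloc(4),
  ]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign("sha256", signed, passkey.privateKey) };
}

// Website (relying party): every check must pass before the login is accepted.
function verifyAssertion(assertion, expected) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString("utf8"));
  if (clientData.type !== "webauthn.get") return "wrong-type";
  if (clientData.challenge !== expected.challenge.toString("base64url")) return "stale-challenge";
  if (clientData.origin !== expected.origin) return "wrong-origin";
  const rpIdHash = assertion.authenticatorData.subarray(0, 32);
  if (!rpIdHash.equals(sha256(expected.rpId))) return "wrong-rp";
  if ((assertion.authenticatorData[32] & 0x04) === 0) return "user-not-verified";
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return crypto.verify("sha256", signed, expected.publicKey, assertion.signature) ? "ok" : "bad-signature";
}

// Constructed sample: a genuine login, a sign-in on a lookalike domain, and a replay.
function demo() {
  const site = { rpId: "example.test", origin: "https://example.test" };
  const passkey = createPasskey(site.rpId);
  const challenge = crypto.randomBytes(32);
  const expected = { ...site, challenge, publicKey: passkey.publicKey };
  const login = (c, origin) => verifyAssertion(signAssertion(passkey, c, origin), expected);
  return { genuine: login(challenge, site.origin),
           lookalike: login(challenge, "https://example-login.test"),
           replayed: login(crypto.randomBytes(32), site.origin) };
}
console.log(demo());
```

Because the origin is inside the signed data, rewriting it after the fact invalidates the signature, so a response produced on a lookalike page cannot be reused at the real site.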
WHEN will this Change Our Lives?
The technology and passkey support will be available by next year, according to FIDO. A complete transition for the user will take a bit longer, given that websites and apps will need to be reconfigured from their password-based security protocols. For a while, we’ll have hybrid access depending on the site and the application.
How will this Change Our Lives?
But before you know it, we’ll find we’ve eased into a whole new comfortable seamless online experience. We won’t be slowed down by logging in and then re-logging in because we rushed the process the first time.
- More than ever, cell phones will be standard take-alongs since they’ll contain the (literal) key into protected areas of the internet.
- Using the PIN option to open a phone will go away, given that the PIN will be the weak-link option for accessing the all-important passkey. Facial recognition and touch ID will be the only ways to open phones and access the passkey.
- Phones will become far more personalized vaults and portals into our world. There will be no more parental or partner snooping.
- Overall demand for tech support will drop, given that forgotten passwords are the number one source of consumer tech questions.
- Personal identity and ransomware attacks will drop dramatically.
- Phishing-derived spam emails will decline significantly.
And, last but not least, the FIDO-based system introduced in the next few months won’t be the last word in passwordless authentications. They’ll need to stay one step ahead of cybercriminals who are no doubt already trying to find their way into the system.