A Prominent Bet to Kill the Password Forever

FIDO Alliance Password Replacement

After years of tempting signals that a password-free future is just around the corner, you’re probably still not feeling any closer to it.

“Unshackling” is an intriguing word to use in favour of a system that requires you to carry around a gadget, possibly physically attached to your wrist, whose make and model sites can detect using a DRM-like system to guarantee that you purchased it from an authorized, whitelisted seller. However, after ten years of effort on the issue, the FIDO Alliance, an industry organization focused on secure authentication, believes it has finally found the missing piece of the jigsaw. The major idea that FIDO hopes will eventually fix the new-device issue is for operating systems to include a “FIDO credential” manager, which is akin to a built-in password manager.

Instead of storing passwords, this approach saves cryptographic keys that can sync between devices and are protected by the biometric or passcode lock on your device. Rather than supporting a half-dozen whitelisted suppliers, the new strategy is to rely on only three giant US-based operating system manufacturers (Microsoft, Apple, and Google), who will lock up all your keys and make switching to a rival difficult.

They will, however, be unable to assist you unless you allow them to scan your forehead or right hand and preserve an encrypted record of those digital biometrics. Just make sure to read the Terms of Service changes and the National Security Letters that are delivered to such firms.

Passwords are a near-perfect type of protection for a very limited set of people with strong cognitive function, discipline, and an inner motivation to stay safe. “Something you know” will be there for a long, long time for individuals who require true security and choose to make things tough by using 30+ character passwords and never utilizing password managers.

The peddlers of “something you have” and “something you are” (biometrics) are targeting a different market. They are marketing to individuals who enforce security on others (domesticated users who require convenience) and are looking for a low-cost, low-maintenance alternative.

“To be honest, we’ve always had this great goal of ‘Let’s move beyond the password,’ it simply took till everyone had mobile phones in their pockets,” Brand adds. Google joined FIDO just a few months after it was founded in 2013. “Hopefully, it will be a little behavioural adjustment for the users, but the technology is a tremendous leap ahead.”

The most important objective for FIDO is a radical transformation in account security that will render phishing obsolete. Attackers have mastered the art of fooling users into handing over their passwords, and even two-factor authentication codes or permission prompts can be turned to their advantage. Such frauds enable illegal profit, but they have also been used in espionage and catastrophic cyberattacks that have influenced geopolitics and world events.

Even if FIDO has finally discovered the perfect formula, passwords will not vanish suddenly, for a variety of reasons. The most crucial point is that not everyone owns a smartphone, let alone several smartphones that can back each other up if one is lost or stolen.

And it will take years for everyone all over the world to have access to newer devices and operating system versions that enable FIDO’s passwordless push. Meanwhile, IT firms will need to retain both passwordless and password-based login procedures. 

FIDO is striving to help this transition in its new white paper and elsewhere, but the path will undoubtedly be difficult, as with any other technology transition. Furthermore, despite FIDO’s approach being a significant security advance over passwords in many respects, it is not without flaws. Its success will be determined by the level of security implemented in each operating system. You’re probably all too acquainted with the agony of having to rely on the authentication process of every website and service with which you have an account, yet no solution is flawless.

The concept of FIDO will just generate a different, albeit perhaps better and more reasonable, set of flaws and points of failure. As FIDO points out, its aim for widespread adoption of passwordless authentication is intended to be a general-purpose solution that may not always meet the most stringent security standards.

After that, the tech sector will still need to translate FIDO’s white paper into genuine features that are simple to use and convert consumers into passwordless enthusiasts.
