The end of the password is near – at least if you believe the announcements from Apple, Google, and Microsoft. The three internet giants want to integrate a unified password-free authentication process into their platforms. The basis for this is the work of the FIDO Alliance (Fast Identity Online), which has been developing open and secure standards for identifying users when accessing applications and services on the web since 2013.
Together with the World Wide Web Consortium (W3C), FIDO members introduced FIDO2 in 2019, a standard intended to make passwords unnecessary. It works as follows: when a person registers with a service via FIDO, a key pair is generated on the user’s device. The public key is sent to the server, and the private key is stored securely on the end device in what is called a FIDO Authenticator. Access to this authenticator can be protected by biometric methods such as iris scanning, fingerprint scanning, or face recognition. Alternatively, hardware tokens that connect to a computer or smartphone via USB, NFC, or Bluetooth can serve this purpose.
When logging in to that service, the device owner must prove possession of the private key. Only once this succeeds is the login completed on the basis of the public key: the requesting service learns, via the public key alone, that the person logging in holds the matching private key, and nothing more. Hardware tokens such as wireless or USB devices, as well as computers and smartphones with built-in cryptographic chips running operating systems such as Windows 10 or Android 7 or later, act as secure authenticators for the private keys: they keep the keys safe.
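The registration and login flow described above, reduced to its core, as an added example that is not part of the article and is not code from the FIDO Alliance or any WebAuthn library: the device generates a P-256 key pair, the service stores only the public key, and at login the service issues a random challenge that the device signs. The service name "bank.example", the user name "alice" and the credential ID format are constructed for the illustration; attestation, signature counters and the real CBOR/WebAuthn encodings are left out. Binding the service identity into the signed message and consuming each challenge after one use are what give the scheme its phishing and replay resistance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the FIDO Authenticator on the user's device.
// Private keys live only here and are never handed to the relying party.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // credential ID -> private key
}

// RelyingParty stands in for the web service. It stores public keys only,
// plus the single-use challenge it last issued for each credential.
type RelyingParty struct {
	ID          string
	credentials map[string]*ecdsa.PublicKey
	challenges  map[string][]byte
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, credentials: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Register generates a fresh P-256 key pair on the device and hands only the
// public half to the service; the credential ID identifies the pair.
func (a *Authenticator) Register(rp *RelyingParty, user string) (string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	credID := rp.ID + "/" + user // constructed ID; real credential IDs are random bytes
	a.keys[credID] = priv
	rp.credentials[credID] = &priv.PublicKey
	return credID, nil
}

// Challenge issues a fresh random nonce that the device must sign.
func (rp *RelyingParty) Challenge(credID string) ([]byte, error) {
	if _, ok := rp.credentials[credID]; !ok {
		return nil, errors.New("unknown credential")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.challenges[credID] = nonce
	return nonce, nil
}

// signedMessage binds the challenge to the service identity, so a signature
// produced for one origin cannot be presented to another.
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// Sign proves possession of the private key without revealing it. In WebAuthn
// the browser, not the user, supplies rpID from the origin it is talking to.
func (a *Authenticator) Sign(credID, rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[credID]
	if !ok {
		return nil, errors.New("no key for this credential on this device")
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, challenge))
}

// Verify checks the assertion with the stored public key and consumes the
// challenge, so a captured signature cannot be replayed.
func (rp *RelyingParty) Verify(credID string, sig []byte) bool {
	pub, ok := rp.credentials[credID]
	challenge, issued := rp.challenges[credID]
	if !ok || !issued {
		return false
	}
	delete(rp.challenges, credID)
	return ecdsa.VerifyASN1(pub, signedMessage(rp.ID, challenge), sig)
}

func main() {
	auth := NewAuthenticator()
	rp := NewRelyingParty("bank.example")
	credID, _ := auth.Register(rp, "alice")
	challenge, _ := rp.Challenge(credID)
	sig, _ := auth.Sign(credID, rp.ID, challenge)
	fmt.Println("login accepted:", rp.Verify(credID, sig))
	fmt.Println("replay accepted:", rp.Verify(credID, sig))
}
```

Running it shows a valid assertion accepted and the same assertion rejected when presented a second time. Signing the service's challenge with a different service identity (what a look-alike site would have to do) also fails verification, which is the property that makes passkeys resistant to password-style phishing.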
The process is tested and works. Until now, however, users had to sign in to each website or app separately from each of their devices before they could use the passwordless function there. Two new password-free login functions are intended to provide more convenience in the future:
Users will be able to access their FIDO credentials – also known as a “passkey” – from all of their devices without having to re-enroll each account, including on brand-new devices that are being set up for the first time.
Users will be able to use FIDO authentication on their mobile device to log in to an app or website on a nearby device, regardless of which operating system or browser that device uses.
Apple, Google and Microsoft have announced that they will incorporate these functions into their platforms within a year. “Ease of use is critical to the mass adoption of multi-factor authentication,” said Andrew Shikiar, CEO and chief marketing officer (CMO) of the FIDO Alliance. “We welcome the decision of the internet giants to support this easy-to-use innovation in their platforms and products.” Shikiar expects others to follow suit, so further FIDO implementations are likely.
“This achievement is evidence that the entire industry is working together to increase protection and eliminate legacy password-based authentication,” said Mark Risher, Google’s senior director of product management. He announced plans to make FIDO technology available on Chrome, ChromeOS, Android, and other platforms. Kurt Knight, Apple’s senior director of platform product marketing, also emphasized the importance of working together on new and more secure login methods that “provide better protection and eliminate password vulnerabilities.”
For consumers, the process should become a normal part of their lives, said Alex Simons, vice president of identity software management at Microsoft. “Any viable solution would have to be more secure, simpler, and faster than the traditional passwords and multi-factor authentication methods in use today.” Simons is optimistic about the future: “We see a promising future for FIDO-based credentials in both consumer and enterprise scenarios and will continue to expand support across Microsoft applications and services.”
Experts have long called for better security mechanisms for user authentication. “Although in 2022 we know that passwords are inherently insecure, getting people to take care of them remains a challenge,” Merritt Maxim, director of research and security specialist at analyst firm Forrester, told The Wall Street Journal. Passwords are “internet cockroaches” – annoying, persistent, and well worth taking the time to kill.
Passwords can be intercepted, spied on, or cracked by repeated guessing. This works because many internet users choose convenient passwords and reuse them across different services. At the end of February, the German ICT industry association Bitkom reported that 29 percent of the more than 1,000 internet users surveyed in Germany use the same password for many online services, even though this poses a significant security risk.
In general, people are aware of the problem. After all, according to Bitkom, three-quarters make sure to use a mixture of letters, numbers, and special characters when creating new passwords. However, they are usually not willing to change their passwords regularly: only 38 percent of users are willing to do so, and only 18 percent use a password generator or password manager to create and manage secure passwords.
Sebastian Artz, Head of Cyber Security and Information at Bitkom, warns that “always using simple or the same passwords is negligent.” Many criminals use digital dictionaries and common password lists, which they can use to quickly identify weak passwords via automated comparison. “Strong passwords, for example for email accounts that require particularly high security, are then an absolute must.” The security expert warns that common input patterns—starting with a word followed by a number and a special character at the end—are easy to remember, but easy for criminals to anticipate and exploit.
Artz recommends using two-factor or multi-factor authentication, where the login must be confirmed with a second factor, such as an SMS code or a phone call. However, so far only 37 percent of users in Germany have used it.
Security experts say there is still a long way to go to a passwordless future. FIDO2 is a relatively new standard with corresponding teething issues, says Stefan Schweitzer, CEO of Nevis Security AG. Many companies and organizations work on components such as authentication services, browsers, operating systems, or devices that process biometric data or security tokens. This results in a large number of possible combinations of software and hardware. It will be a few more years before they all work together perfectly, and providers will have to make adjustments over and over in the meantime.
In addition, the process must first gain the trust of users, says Forrester analyst Maxim. Although the FIDO2 system does not pass on biometric data, privacy-conscious users in particular may be reluctant to use their face or fingerprints to unlock devices and services. Trust in the cloud infrastructures of Apple, Google and Microsoft is also required: if the system is to work automatically and conveniently in the future, FIDO2 passkeys will have to be distributed to a variety of devices across platforms via the providers’ clouds, and strong encryption is required to secure this. FIDO director Shikiar asks for patience, “but we must not forget that getting rid of passwords is a journey, not a sprint.”