FIDO Authentication: The End of Passwords?
The password is dead, and up is now down, and you’re never gonna use a password again. Okay, that might have been a bit of an exaggeration, but let me explain. We all have passwords, right? Right. They’ve literally been the cornerstone of security for at least as long as we’ve had computers.
The Era Of Passwords
Passwords are not perfect in terms of security. We talk all the time on this website about the things you need to do to add an extra layer of security on top of just a password: multi-factor authentication, permission pruning, and the like. Those are things you can do, whether you’re an admin or a general end-user, to make sure your password isn’t the only line of defence, because we all know and understand that passwords are very imperfect in terms of security.
For instance, let’s talk about what you need to have a good password. We’ve talked about this before in the article How Do We Stay Safe In The Digital World?, but just for review: you need a long password, something like 25 to 30 characters, that includes uppercase and lowercase letters, special characters, and numbers. It should be lengthy and complex; it’s crazy.
And yes, a lot of websites don’t really require much of that, as long as it meets their eight-character minimum, which is woefully insecure.
But those long and complex passwords are a lot to remember, especially if you’re not working in the cybersecurity space, where you may have some tools at your disposal for free (like LastPass), and are instead just a general lover of technology.
While a password manager seems somewhat basic and trivial to us cybersecurity folks and to people who generally consider themselves technical, to your average non-technical user something like a password manager can be fairly revolutionary in terms of security, and even then they may not use the password manager effectively.
And so they’ll still have a lot of gaps in their security profile just based on their passwords.
We’re just going to not do passwords anymore. No, really, I’m dead serious. We can do that. And in fact, what if I told you that companies like Apple, Google, and Microsoft all agree and are going to try to implement that idea by the end of 2022?
Believe it or not, in a joint effort, those three tech giants, Apple, Google, and Microsoft, are all joining forces to implement what’s called FIDO authentication technology, which was explained in a joint press release from the three companies.
This will theoretically eliminate the vulnerabilities of passwords and instead replace them with a much more secure and much quicker alternative.
So let’s slow down. What exactly is FIDO authentication? From a day-to-day end-user perspective, you’re basically just using your phone to authenticate instead of remembering a password.
But more specifically, FIDO is a system built on public-private key cryptography: whenever a user registers a device with an account, a key pair is generated, consisting of a public key and a private key.
The public key goes to the service, and the user keeps the private key on their own device.
A separate key pair is created for each account the user has, and on a per-device basis.
So let’s say I’m logging into a website on my desktop. I can open the site in my browser and it will prompt me to log in. Instead of entering my password, my phone gets a push notification, and by approving it there I provide the proper key pair to log in.
Or say I’m logging in using my phone; then my computer will get a push notification.
It’s the same thing: I provide the proper key pair, it authenticates that I am, in fact, me, and then I’m able to log in from there.
Basically speaking, you’re no longer authenticating with something you know (your password) but with something you have (the private key). So, instead of attackers having to find out your password to break into your account, they would have to take your private key, which is a much harder proposition.
And this all gets done much faster and it’s much easier to the end user, again, in theory, than a password is.
Here’s the cool part, because we’re talking about Apple, Google and Microsoft. This will work whether you’re logging in through your device or you’re logging in through a web browser.
This will work for Google Chrome, Safari, or Microsoft Edge, and it will even be cross-platform. That said, if these tech giants are able to implement this, it really takes off, and users choose to use it, then other platforms that aren’t on this list, like Firefox, may also follow suit if they haven’t already. It is also cross-platform for devices: say you’re trying to log into your YouTube account using your Google credentials, through Microsoft Edge on your iPhone, to like a video.
Are Passwords Dead?
Can we officially declare passwords dead?
Well, while the security impact would be immense, it ultimately hinges on organisations themselves and the user base to implement this technology for themselves.
That’s also not to say that attackers won’t find their own ways to circumvent the security of this practice either.
As you’ve seen, historically, cybersecurity is a giant game of cat and mouse: defence creates a new technology, offence innovates, defence innovates in turn, then the red team innovates again, and so the cycle continues until we all end up in a giant black hole.
In the meantime, we’re probably going to be using passwords well into the future either way, because again it’s up to the organisations to implement the technology and up to the user base to adopt it for themselves, so we’re probably going to have at least a handful of accounts that still use passwords in some way, shape or form.
But if we’re able to get to a point in the future where we’re no longer using passwords, and we’re using something more secure like public-private key cryptography to authenticate, then I think that would create a bit more of a secure future. But again, time will tell.
For all I know, some technology like quantum computing will come out and blow this all out of the water anyway. But if you still use passwords, there are some huge mistakes you should be aware of, and if you don’t implement the fixes for those mistakes, you’ll likely end up with egg on your face.