They’re hard to remember, hackers exploit their weaknesses and fixes often bring their own problems. Dashlane, LastPass, 1Password and other password managers generate strong and unique passwords for every account you have, but the software is complex. Services from Google, Facebook and Apple allow you to use your passwords for their services at other sites, but you have to give them even more power over your life online. Two-factor authentication, which requires a second passcode sent by text message or retrieved from a special app each time you log in, boosts security dramatically but can still be defeated.
A big change, however, could eliminate passwords altogether. The technology, called FIDO, overhauls the log-in process, combining your phone; face and fingerprint recognition; and new gadgets called hardware security keys. If it delivers on its promise, FIDO will make cringeworthy passwords like “123456” relics of a bygone age. FIDO leads the way to a passwordless future.
“A password is something you know. A device is something you have. Biometrics is something you are,” said Stephen Cox, chief security architect of SecureAuth. “We’re moving to something you have and something you are.”
Fans are confident enough to make bold projections about its spread. “Within the next five years, every major consumer internet service will have a passwordless alternative,” says Andrew Shikiar, executive director of the FIDO Alliance, an industry consortium. “The bulk of those will be using FIDO.”
Because it works only with legitimate websites, FIDO stops phishing, a type of security attack in which hackers use a fraudulent email and a bogus site to con you into giving up your log-in information. FIDO also eases company worries about catastrophic data breaches, particularly of sensitive customer information like account credentials. Stolen passwords won’t be enough for a hacker to use to log on, and if FIDO catches on, companies might not require passwords to start with.
Here’s one way FIDO-based sign-on works without passwords. You’ll visit a website login page with your laptop, type in your username, plug in your security key, tap a button and then use the laptop’s biometric authentication, like Apple’s Touch ID or Windows Hello.
Conveniently, you’ll also be able to use your phone as a security key. Type in your username, get a prompt on your phone, unlock it, then approve yourself with its biometric authentication system. If you’re using your laptop, the phone communicates over Bluetooth.
FIDO supports the protection provided by multifactor authentication, which requires you to prove your log-in credentials in at least two ways.
How FIDO authentication works
Your first encounter with FIDO likely won’t look much different than two-factor authentication. You’ll first type a conventional password, then plug in or wirelessly connect a FIDO hardware security key.
The process still uses passwords, but it’s more secure than passwords alone or passwords bolstered by codes sent by SMS or retrieved from authenticators like Google Authenticator. This approach — password plus security key — is how you can use FIDO today on Google, Dropbox, Facebook, Twitter and Microsoft services like Outlook.com and eventually Windows.
“Hardware security keys are very, very secure,” said Diya Jolly, chief product officer of authentication service company Okta. That’s why congressional campaigns, the Canadian government’s computing services division and all Google employees use them.
You should buy at least two keys in case you lose, break or forget your main key. With most services, you can register multiple keys, so you can leave one at home or in a safe-deposit box. Yubico’s YubiKey is the #1 Security Key for multi-factor and passwordless authentication. You can purchase your own YubiKey in South Africa here.
“With security keys, instead of the user needing to verify the site, the site has to prove itself to the key,” Mark Risher, a leader of authentication work at Google, wrote in a blog post. Successful phishing attempts dropped to zero at Google after it moved its tens of thousands of employees to security keys.
No passwords also means a decrease in sensitive data for hackers to steal. That’s music to the ears of IT administrators. With FIDO, SecureAuth’s Cox says, companies no longer have “centralized databases of credentials to be stolen.”
It won’t be easy moving to our passwordless future. We’re all used to passwords, and we’re more or less comfortable with how they work. We all have our own tricks for keeping them sorted. “Most people are familiar with passwords. It’s something they’ve grown up with. It’s imprinted on them,” said Forrester security analyst Chase Cunningham. “From a consumer level, we’re probably five to seven years out from killing passwords being a reality.” But, FIDO leads the way to a passwordless future.
To read the full article click here.