Death of the Password? FIDO Alliance Reveals Its New Plan

Credit to Author: Lily Hay Newman | Date: Thu, 17 Mar 2022 12:00:00 +0000


After years of tantalizing hints that a passwordless future is just around the corner, you're probably still not feeling any closer to that digital unshackling. Ten years into working on the issue, though, the FIDO Alliance, an industry association that specifically works on secure authentication, thinks it has finally identified the missing piece of the puzzle. 

On Thursday, the organization published a white paper that lays out FIDO's vision for solving the usability issues that have dogged passwordless features and, seemingly, kept them from achieving broad adoption. FIDO's members collaborated to produce the paper, and they span chipmakers like Intel and Qualcomm, prominent platform developers like Amazon and Meta, financial institutions like American Express and Bank of America, and the developers of all major operating systems—Google, Microsoft, and Apple. 

The paper is conceptual, not technical, but after years of investment to integrate what are known as the FIDO2 and WebAuthn passwordless standards into Windows, Android, iOS, and more, everything is now riding on the success of this next step.

“The key to being successful for FIDO is being readily available—we need to be as ubiquitous as passwords,” says Andrew Shikiar, executive director of the FIDO Alliance. “Passwords are part of the DNA of the web itself, and we’re trying to supplant that. Not using a password should be easier than using a password.”

In practice, though, even the most seamless passwordless schemes are not quite there. Part of the challenge simply lies with the enormous inertia passwords have built up. Passwords are difficult to use and manage, which drives people to take shortcuts like reusing them across accounts and creates security issues at every turn. Ultimately, though, they’re the devil you know. Educating consumers about passwordless alternatives and getting them comfortable with the change has proven difficult.

Beyond just acclimating people, though, FIDO is looking to get to the heart of what still makes passwordless schemes tough to navigate. And the group has concluded that it all comes down to the procedure for switching or adding devices. If the process for setting up a new phone, say, is too complicated, and there’s no simple way to log into all of your apps and accounts—or if you have to fall back to passwords to reestablish your ownership of those accounts—then most users will conclude that it’s too much of a hassle to change the status quo.

The passwordless FIDO standard already relies on a device’s biometric scanners (or a master PIN you select) to authenticate you locally without any of your data traveling over the internet to a web server for validation. The main concept that FIDO believes will ultimately solve the new device issue is for operating systems to implement a “FIDO credential” manager, which is somewhat similar to a built-in password manager. Instead of literally storing passwords, this mechanism will store cryptographic keys that can sync between devices and are guarded by your device’s biometric or passcode lock. 

At Apple’s Worldwide Developer Conference last summer, the company announced its own version of what FIDO is describing, an iCloud feature known as “Passkeys in iCloud Keychain,” which Apple says is its “contribution to a post-password world.”

“Passkeys are WebAuthn credentials with the amazing security that the standard provides, combined with the usability of being backed up, synced, and working on all of your devices,” Garrett Davidson, an engineer for Apple’s app authentication experience team, explained at the conference in June. “We’re storing them in iCloud Keychain. Just like everything else in your iCloud Keychain, they’re end-to-end encrypted, so not even Apple can read them … And they’re very easy to use. In most cases, it just takes a single tap or click to sign in.”

If you lost your old iPhone, for example, and you’re unboxing a new one, the transfer process can happen simply through whatever setup flow Apple offers at the time. If you lost your iPhone and decide to switch to Android, or are moving between any other two digital ecosystems, the process may not be quite as smooth. But FIDO’s white paper also includes another component, a proposed addition to its specification that would allow one of your existing devices, like your laptop, to act as a hardware token itself, similar to stand-alone Bluetooth authentication dongles, and provide physical authentication over Bluetooth. The idea is that this would still be virtually phish-proof, since Bluetooth is a proximity-based protocol, and that it could serve as a building block for truly passwordless schemes that don’t have to retain a backup password.

Christiaan Brand, a product manager at Google who focuses on identity and security and collaborates on FIDO projects, says that the passkey-style plan follows logically from the smartphone or multi-device image of a passwordless future.

“This grand vision of ‘Let’s move beyond the password,’ we’ve always had this end state in mind to be honest, it just took until everyone had mobile phones in their pockets,” Brand says. Google joined FIDO just months after its formation in 2013. “Hopefully for the users it will be a small behavioral change, but the technology is a giant leap forward.”

To FIDO, the biggest priority is a paradigm shift in account security that will make phishing a thing of the past. Attackers have become masters at tricking users into unintentionally handing over their passwords, and even two-factor authentication codes or approval prompts can be exploited. Such scams facilitate criminal profit, but they have also played a role in espionage and destructive cyberattacks that have shaped geopolitics and global events.
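As an added illustration (not code from the FIDO paper, Apple, or anyone quoted here), the Go sketch below models why a WebAuthn credential resists the phishing described above: the browser, not the web page, writes the origin it actually loaded into the signed clientDataJSON, so a login relayed through a look-alike site fails the relying party's origin check before the signature is even examined. The names NewPasskey, Assert and Verify, the rpID and origins, and the simplified authenticatorData (a hash of the RP ID) are constructed assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// ClientData holds the clientDataJSON fields a relying party must check; the browser, not the page, fills in Origin.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// NewPasskey creates one credential's P-256 key pair (stands in for the authenticator's protected key store).
func NewPasskey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// signedMessage is authenticatorData || SHA-256(clientDataJSON), with authenticatorData simplified to SHA-256(rpID).
func signedMessage(rpID string, clientDataJSON []byte) []byte {
	authData, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(authData[:], cdHash[:]...))
	return msg[:]
}

// Assert plays the authenticator: it signs the challenge bound to the origin the browser observed (counter and syncing omitted).
func Assert(key *ecdsa.PrivateKey, rpID, observedOrigin, challenge string) (clientDataJSON, sig []byte, err error) {
	clientDataJSON, _ = json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: observedOrigin})
	sig, err = ecdsa.SignASN1(rand.Reader, key, signedMessage(rpID, clientDataJSON))
	return clientDataJSON, sig, err
}

// Verify is the relying-party side: type, challenge and origin in the signed clientDataJSON must match this site.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, clientDataJSON, sig []byte) error {
	var cd ClientData
	switch {
	case json.Unmarshal(clientDataJSON, &cd) != nil:
		return fmt.Errorf("malformed clientDataJSON")
	case cd.Type != "webauthn.get" || cd.Challenge != challenge:
		return fmt.Errorf("type or challenge mismatch")
	case cd.Origin != origin: // a look-alike site relaying the login is rejected here
		return fmt.Errorf("origin %q is not %q", cd.Origin, origin)
	case !ecdsa.VerifyASN1(pub, signedMessage(rpID, clientDataJSON), sig):
		return fmt.Errorf("bad signature")
	}
	return nil
}
```

Calling Assert with the origin a look-alike site would present, then Verify with the genuine site's origin, returns the origin error; rewriting clientDataJSON after signing instead fails the signature check.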

Even if FIDO has finally found the magic formula, passwords won’t disappear overnight for a host of reasons. The most important is that not everyone owns a smartphone, much less multiple devices that can backstop each other if one is lost or stolen. And it will take years of turnover before everyone around the world has access to newer devices and operating system versions that support FIDO’s passwordless push. In the meantime, tech companies will need to maintain both passwordless and password-based login schemes. In its new white paper and elsewhere, FIDO is working to support this transition, but as with any other tech migration (ahem, Windows XP), the road will inevitably prove arduous.

Additionally, while FIDO’s proposal is a major security improvement over passwords in many ways, it isn’t infallible. Its success will depend on the security of each operating system’s implementation. You’re already likely all too familiar with the nightmare of being forced to trust the authentication scheme of each website and service you have an account with, but no alternative is perfect. FIDO’s vision will simply create a different, if potentially better and more sensible, set of weaknesses and points of failure. As FIDO itself notes, its plan for mainstream adoption of passwordless authentication is meant as a general-purpose solution and may not always fit the most extreme security requirements.

And after all that, the tech industry will still need to turn FIDO’s white paper into actual features that are easy to use and that convert people into passwordless believers. 

“Schemes like Passkey could work and be more secure than passwords as they stand now,” says Johns Hopkins cryptographer Matthew Green. “But if the user interface for inter-device transfers sucks on some devices, it will suck for all of them, which would continue to discourage use.”

After almost a decade of work, people looking for relief from passwords are left to hope that at this point FIDO is too big to fail. When asked if this is really it, if the death knell for passwords is truly, finally tolling, Google’s Brand turns serious, but he doesn’t hesitate to answer: “I feel like everything is coalescing,” he says. “This should be durable.”
