Why the password’s days are numbered

Why the password’s days are numbered

Passwords have a problem. Lots of people still use the same ones across multiple devices and platforms, meaning that if a hacker compromises one account, they can compromise them all. And hackers are more active than ever, as evidenced by the recent LinkedIn and Twitter hacks. Other technologies, such as biometrics and smart cards, are more secure but they too have their weaknesses.

Before FIDO, authentication was a mess. You’d need a client or a piece of software running on your device. You’d use an authentication method – be it a password, RSA token, smart card or fingerprint – which would authenticate against this client software. The client software would send a signal back to the server, which would say, for example: ‘OK, this is a successful authentication by Thorsten'. It sounds simple, but there were plenty of problems.

For every authentication, you had to implement some sort of software solution for that particular hardware. This was specific to that authentication and couldn't be transferred to anything else. If you had a fingerprint solution, you needed a fingerprint solution running on your server as well as a fingerprint client – and the same with a smart card and an RSA token. These weren't compatible across platforms, so it was really hard to switch devices.

Also, it was very difficult to reuse. If I used my smart card solution in my company, I couldn't also use it for my bank, my online payments with Amazon, or with PayPal. It was tied to my corporate environment, and that was that.

How FIDO is better

The FIDO Alliance creates a FIDO client on the machine. This exists for Android, Windows and the Chrome browser. Instead of authenticating against a piece of software that has to be installed on the machine, Windows 10, Android and Chrome have this built into their systems data. The FIDO code can work with any device that’s FIDO certified. There are more than 100 FIDO-certified solutions now available, including smart cards, fingerprint readers, RSA tokens, and iris-recognition software. So it spans all sorts of use cases.

It’s much more secure and easier to use. Say, I’m authenticating against the FIDO client that’s local on my machine. The FIDO client just sends a message to the webpage saying the authentication was successful. So no password or password hash needs to be transferred across the server anymore. There’s nothing stored on every webpage’s authentication server that can be reused on other sites. To log on to Amazon or Google, you just use the FIDO authenticator to authenticate against the site. Then you can use any device that you’ve enrolled against that site. It completely eliminates the need for passwords.

The FIDO Alliance promotes two types of authentication technology. Universal Authentication Factors (UAF) is the use of biometrics, physical tokens and passwords. The other is Universal Second Factor Authentication (U2F). Every method of authentication has its own weaknesses – passwords can be guessed, smart cards stolen and biometrics faked under certain conditions. But if you combine them, as U2F does, it gives a higher level of security.

Our online security is paramount, both in our personal and corporate lives. The FIDO Alliance is the best way to make sure our data remains ours. I for one won’t be mourning the password’s passing.

To find out how you can stay competitive, check out our  outlining the challenges and opportunities facing 21st-century organisations.