Thanks To Apple, Microsoft And Google, Passwords Will Finally Die


As a vignette to illustrate the state of the digital identity world in 2022, I can do no better than you tell you that when I was in San Diego recently (at a gathering of some of the brightest stars in the digital identity universe) I had need to change my flight. I opened up my airline app and (presumably because I was logging in from a new location) was required to complete an additional authentication step, which was to tell them my favourite breed of dog.

Now I am sure that some years ago, when setting up this account, I had been asked to choose a couple of additional security questions that must have included a canine conundrum, but of course I had forgotten all about it. The good news was that after a couple of guesses, I went for “Spaniel” and I was in (don’t worry, I’ve changed it now so there’s no need to email me about this gross security violation). While I was doing this, one of my fellow digital identity experts was taking a photograph of his passport to e-mail to someone so that he could check in. It was all very 1994, except we were being annoyed and confused with much smaller screens.

The state of internet security is pathetic. It’s no wonder that fraud is at such epic levels when vast swathes of the internet still depend on passwords for security. Passwords are just not security and “password security” is no such thing.

This is hardly news and this must be the ten millionth column pointing it out, since it must have been evident about a week after the world went online and smart people demanding the end of the password ever since.

Just to give one example, at the dawn of the millennium Bill Gates was saying that smart cards should replace passwords and then in 2004 he told the RSA Security Conference that the password must go because it cannot “meet the challenge” of keeping us secure. It was true in 1994, it was true in 2004 and 2014 and it will still be true in 2024!

So we all agree that passwords are a bad idea but we are all forced to use them. I just had to reset the password for one of my hotel apps because the password stored in my handy password manager was somehow wrong and after three attempts to log in to try and book at hotel room I got locked out.

(As for many other services, they may as well just automatically send me straight to the “I forgot my password” page to save time when I try to log in.)

Interestingly, the short term result of this was that I opened one of my other hotel apps and used that to book a room. Weird to think that in this modern world, my choice of hotel for a business trip was based on which password I can remember, rather than loyalty points or tea and coffee facilities.

Upper Case, Lower Case, Head Case

Passwords are well beyond their sell-by date. Last year, the top five passwords used in the USA, according to password manager Nordpass, were “123456”, “123456789”, “12345”, “qwerty” and “password”. It’s hardly surprising that there are so many hacks, frauds, account takeovers and all sort of other shenanigans that stem from the outdated view that passwords are some sort of security solution. They are not, and we (ie, the digital financial services sector) have known for years that they must die.

They should be replaced by real cryptography, preferable where the cryptographic keys are stored in tamper-resistant hardware rather than in software. A great many people already have suitable devices. Last year more than half of US teens and adults had tablets and smartphone penetration, which continues to rise, will be almost 90% this year. These devices are near-prosthetic. The average smartphone user will tap the device 2,617 times a day. Around half of US smartphone users say they “couldn’t live without their devices” and a third of them look at their phones more than 50 times every day.

So if most people are most of the time attached to a device capable of strong authentication of keys in tamper-resistant hardware… why are we still using passwords?

Well, we may not be in this bind for too much longer. I think that the recent announcement from the FIDO Alliance and Microsoft
MSFT
, Apple and Google
GOOG
that they will support the expansion of the common passwordless standard created by FIDO and the World Wide Web consortium (W3C) is really significant and should have attracted more media attention.

The three internet giants have said that they will be using the new multi-device FIDO credentials, sometimes referred to as “passkeys”, to begin to rid the world of passwords. They have committed to support passwordless sign-in that will work across all the desktop, mobile, and browser platforms that they control. That is a large portion of modern technology, covering everything from laptops and desktops to smartphones, tablets, and smartwatches. The announcement covers the most used operating systems (Android, iOS, Windows, and macOS) as well as the three most used web browsers (Chrome, Edge and Safari).

A passkey is a credential, tied to what is known as an “origin” (which means a website or an application that you want to log in to) and a physical device (an authenticator). Passkeys allow users to authenticate without having to enter a username, password, or provide any additional authentication factor. These credentials follow the FIDO and W3C Web Authentication (WebAuthn) standards. Websites and apps can request that a user create a passkey to access their account.

The authenticators are FIDO-compliant devices which are used to, as you might imagine, authenticate the user. This includes special purpose devices (eg, USB sticks), as well as mobile phones and other computers which meet the authenticator requirements (they have to have secure tamper-resistant storage for cryptographic keys, essentially).

Last Lost Login

Apple got behind FIDO a couple of years ago. It calls its own implementation “Passkeys in iCloud Keychain” and what that boils down to is that in the future when I log in to my airline app or my hotel website in the future, it will authenticate me through my iPhone. Kind of like how “Log in with Apple” works today, except it will work everywhere that implements the FIDO standard.

Similarly, Microsoft announced a while back that some of its customers could go passwordless, and it followed up last year by telling people to start to get rid of their passwords altogether. You can already use Windows Hello to sign in to any site that supports passkeys but in the near future you will be able to sign in to your Microsoft account with a passkey from an Apple or Google device.

The ability to log in to Windows using an Apple Watch, to Google using a Microsoft tablet and to Apple using Android phone is surely a game changer and a step towards ending the fragmentation of identity solutions that leaves the typical user struggling with password managers, sticky notes and mnemonics.

Two decades on and Bill Gates’ call for smart cards to replace passwords is about to be answered, although the smart cards will be inside mobile phones and laptops and tablets rather than sitting in wallets. As the MIT Technology Review commented recently, these alternatives to passwords are finally winning. It’s not before time.



Source link

Previous articleNvidia RTX 30-series price cuts are finally happening
Next articleHere’s How long it takes to mine a single Bitcoin