With FIDO2, is a passwordless future on the horizon?
Everyone hates passwords. They were useful when fewer websites existed, but now that our digital footprint has increased dramatically -- the average person manages as many as 100 passwords online -- passwords are now more of a risk than a solution, writes Reza Zaheri, Chief Information Security Officer, Quantum Metric.
To address the issues surrounding passwords, we must move beyond them altogether. Indeed, the wheels have been in motion for over a decade, with new solutions coming to the market in earnest. But it’s only in recent months that joint support from tech giants like Google, Apple and Microsoft has reached a tipping point, paving the way to a passwordless future.
The problem with passwords
Research by Google revealed that 52% of people reuse the same password for multiple accounts, and they’re often easy to remember, exacerbating the risk of hackers guessing them. Solutions like single sign-on and password managers are available, but these are underutilised by many, whether that’s for reasons of trust, availability, or lack of knowledge.
Most breaches also involve a stolen password or credential, despite this, passwords are still popular. They are familiar, they're easy to set up and usable on any platform. People who aren’t tech-savvy understand them, and if a password is stolen, one can simply create a new one.
There’s been a recent shift towards a passwordless future with multi-factor authentication (MFA) – using biometrics like a face scan or fingerprint, a security key, or a text message with a code. Despite augmenting security (Microsoft claims MFA can block over 99.9% of account compromise attacks) many people either don’t know how to use it, or they’re averse to the technology. And for those who do use MFA, the experience isn’t necessarily seamless – it often involves the extra steps of plugging in a security key, or copying / pasting a text message code. So, people revert to easy - and often weak - passwords.
A passwordless future? The way forward
The solution seems to lie with a partnership between FIDO (Fast IDentity Online) Alliance, and the World Wide Web Consortium (W3C).
Together, they’ve developed FIDO2, an open global authentication standard designed to eliminate the use of passwords altogether, using Web Authentication (WebAuthn) and Client-to-Authenticator Protocol (CTAP) as their core components.
In May 2022, Apple, Google and Microsoft announced game-changing commitments to support the FIDO2 passwordless sign-in standard. And this year, all of the major browsers, platforms and operating systems – Apple, Windows, Android. iOS, macOS, Chrome, Firefox, Safari, Edge – will support FIDO2.
How does FIDO2 work?
Let's say you want to log in to a website or app that offers FIDO2 authentication. Instead of using a password, your smartphone will serve as your identity authenticator, by storing a passkey credential created using military-grade public/private key cryptography.
For each website or app, a unique passkey pair is generated. Stored in a secure device enclave and synced to the cloud, the private key never leaves the local device and can’t be stolen. Meanwhile, the public key is sent to the online service and linked to the user’s account. To log in, you’ll receive a prompt from the website or app, to unlock your phone via biometrics or passcode. By doing so, your phone will sign a specific challenge with your private key, thereby authenticating you and your device to the service.
And if you lose your phone? Your passkeys are always securely backed up into the cloud, and should sync to any new device you own.
FIDO2: The pros
Using robust public-key cryptography, FIDO2 is uber-secure and phishing-resistant. The passkey process is end-to-end encrypted, so hackers cannot intercept them. Because the private passkey will never leave the associated device, a hacker can never masquerade as you.
On top of that, it’s interoperable. Even if you’re logging in with an iPhone, a Windows laptop, and a Chrome browser, FIDO2 will use Bluetooth to seamlessly communicate between different devices, and ultimately reduce any friction in the authentication process.
By eliminating passwords altogether, there is no need to reset or remember any passwords, and nothing to steal. Moreover, a passkey isn’t sent unless the website or app is ‘real’, meaning fraudsters can’t set up fake sites and use social engineering to steal credentials. As a result, credential stuffing, password guessing and phishing also become a thing of the past.
Furthermore, FIDO2 is both operating system and platform-agnostic, so there’s no need to install extra apps, thus making it easier for mass adoption. Given that the three biggest tech giants are behind the standard, there’s a good chance it’ll be ubiquitous in the near future.
FIDO2: the cons
The benefits are clear, but FIDO2 also raises some important questions, such as, ’who owns the passkeys?’
Purely as an example: if you’re an Apple user and your passkeys are backed up to iCloud, what happens if Apple disables access to your account? Will that leave you unable to log in to specific websites and apps? That leaves a vast amount of power in the hands of these tech behemoths. Remember: whoever controls your passkeys essentially controls your identity.
As it currently stands, passkeys will tie you to the likes of Google, Microsoft, and Apple even more than you already are, begging the question: do you trust them enough when it comes to privacy and security? Indeed, for FIDO2 to be a truly open standard, every tech company must be on board, not just the three.
Other questions remain unanswered, too. For instance, how easy will it be to switch passkeys across operating systems or platforms? And what if you’re sleeping and someone uses your device to scan your face; does that give them access to your passkeys, and thus every other aspect of your life? And what happens if a hacker steals your phone? As such, your phone’s security and access becomes even more crucial – the nature of PIN codes will likely become longer, and biometrics will also become even more sensitive and discerning.
Rolling out FIDO2
Although a passwordless future is heading our way, it will take time to incorporate FIDO2 technology. To facilitate that, it needs to work out of the box, and be seamless, intuitive and transparent.
To that end, developers should not need to completely rewrite their applications and websites to make them FIDO2-capable, instead embedding a front-end module/plugin offered by identity providers like Google and Microsoft. However, antiquated systems may find it hard to incorporate FIDO2. As a result, a hybrid approach is highly likely, where legacy passwords still exist for such systems, and passkeys are slowly introduced into newer systems.
Because FIDO2 is a cultural paradigm shift as much as it is a technological change, user education is vital. Forty-plus years of passwords is a massive legacy to overcome. Companies will need to spend time and money raising awareness, so the general public can trust the new technology, any fears can be allayed around passwordless logins – all in simple layman's terms.
The future is FIDO2
Following the joint announcement by the three tech giants to support passwordless FIDO2, Apple has already stated they will make it available to the masses in September, when their new operating system is released; Google and Microsoft should also follow suit by the end of the year.
We’re on the right trajectory towards secure, and easy passkey sign-ins across devices and platforms. But a passwordless reality won’t happen overnight – it will take some time until all are onboard.