Passwords suck.
They're hard to remember, hackers exploit their weaknesses, and the fixes often bring their own problems. Dashlane, LastPass, 1Password and other password managers generate strong and unique passwords for every account you have, but the software is complex. Services from Google, Facebook, and Apple allow you to use your passwords for their services at other sites, but you have to give them even more power over your life online. Two-factor authentication, which requires a second passcode sent by text message or retrieved from a special app each time you log in, boosts security dramatically but can still be defeated.
A big change, however, could eliminate passwords altogether. The technology, called FIDO, overhauls the log-in process, combining your phone; face and fingerprint recognition; and new gadgets called hardware security keys. If it delivers on its promise, FIDO will make cringeworthy passwords like "123456" relics of a bygone age.
"A password is something you know. A device is something you have. Biometrics is something you are," said Stephen Cox, chief security architect of SecureAuth. "We're moving to something you have and something you are."
This week, CNET is taking a look at changes that'll help free us from password problems. Such changes are a massive effort that'll affect you every time you check email, transfer money or log in to your employer's network. We'll look at approaches to authentication that dispense with passwords, and we'll examine how to use password managers more effectively. We'll also provide some updated password-picking advice because password improvements will take years to arrive.
Passwords are awful
Computer passwords have been fraught since at least the 1960s. Allan Scherr, an MIT researcher, ferreted out the passwords of other researchers so he could use their accounts to continue his "larceny of machine time" for his own project. In the 1980s, the University of California, Berkeley astrophysicist Clifford Stoll tracked a German hacker across government and military computers left insecure because administrators didn't change default passwords.
The nature of passwords prompts us to be lazy. Long, complex passwords, the ones that are the most secure, are the hardest for us to create, remember and type. So many of us default to recycling them.
That's a huge problem because hackers already have many of our passwords. The Have I Been Pwned service includes 555 million passwords exposed by data breaches. Hackers automate attacks by "credential stuffing," trying a long list of stolen usernames and passwords to find ones that work.
FIDO fixes
Fast Identity Online, better known as FIDO, addresses these problems. It standardizes the use of hardware devices, such as security keys, for authentication. Yubico, Google, Microsoft, PayPal, and Nok Nok Labs, among others, are developing FIDO.
Security keys are digital equivalents of house keys. You plug them into a USB or Lightning port, allowing a single digital security key to work securely with many websites and apps. The key can dovetail with biometric authentication like Apple's Face ID or Windows Hello. Some keys can be used wirelessly.
FIDO also lets sites and services replace passwords altogether, a change that could make your login life easier even as it makes hacking harder.
Fans are confident enough to make bold projections about its spread. "Within the next five years, every major consumer internet service will have a passwordless alternative," says Andrew Shikiar, executive director of the FIDO Alliance, an industry consortium. "The bulk of those will be using FIDO."
Because it works only with legitimate websites, FIDO stops phishing, a type of security attack in which hackers use a fraudulent email and a bogus site to con you into giving up your log-in information. FIDO also eases company worries about catastrophic data breaches, particularly of sensitive customer information like account credentials. Stolen passwords won't be enough for a hacker to use to log on, and if FIDO catches on, companies might not require passwords to start with.
Signing on with no password
Here's one way FIDO-based sign-on works without passwords. You'll visit a website login page with your laptop, type in your username, plug in your security key, tap a button and then use the laptop's biometric authentication, like Apple's Touch ID or Windows Hello.
Conveniently, you'll also be able to use your phone as a security key. Type in your username, get a prompt on your phone, unlock it, then approve yourself with its biometric authentication system. If you're using your laptop, the phone communicates over Bluetooth.
FIDO supports the protection provided by multifactor authentication, which requires you to prove your log-in credentials in at least two ways.
How FIDO authentication works
Your first encounter with FIDO likely won't look much different than two-factor authentication. You'll first type a conventional password, then plug in or wirelessly connect a FIDO hardware security key.
The process still uses passwords, but it's more secure than passwords alone or passwords bolstered by codes sent by SMS or retrieved from authenticators like Google Authenticator. This approach -- password plus security key -- is how you can use FIDO today on Google, Dropbox, Facebook, Twitter and Microsoft services like Outlook.com and eventually Windows.
"Hardware security keys are very, very secure," said Diya Jolly, chief product officer of authentication service company Okta. That's why congressional campaigns, the Canadian government's computing services division, and all Google employees use them.
Consumer services today often require you to plug in the keys only when logging in for the first time on a new PC or phone, or when you're taking a particularly sensitive action like transferring money out of your bank account or changing your password. Of course, a security key can be a hassle if you don't have it readily available when you need it.
Security keys for sale today include Yubico's Yubikeys and Google's Titan. Basic models cost $20, but you'll spend $40 and up if you want ones supporting USB-C or Lightning ports or wireless communications. Advanced models like Ensurity's ThinC, eWBM's Goldengate G320 and Feitian's BioPass have built-in fingerprint readers, a feature Yubico is working on, too.