This year’s World Password Day, traditionally celebrated in May, coincided with related news from three major tech firms: Google, Microsoft and Apple announced plans for a new technology to replace passwords.
The standard is being developed by the FIDO Alliance, together with the World Wide Web Consortium (W3C), which basically defines how the modern internet looks and works. This is quite a serious attempt to abandon passwords in favor of smartphone-based authentication, or at least that’s how it appears from the user perspective.
It’s worth keeping in mind, however, that the “death of passwords” has been mooted for around a decade. And previous attempts to do away with this hopelessly unreliable method of user authentication have effectively led nowhere — passwords are still with us. This article discusses the advantages of the new FIDO/W3C standard. But let’s start by restating the obvious: what’s wrong with passwords?
The trouble with passwords
The number one disadvantage of passwords is that they are fairly easy to steal. In the early days of the internet, when almost all communications between computers were unencrypted, passwords were transmitted in plain text. With the mushrooming of public network access points — in cafes, libraries, and on transportation — this became a real problem: an attacker could intercept an unencrypted password without being noticed.
But the issue of stolen passwords exploded in the early to mid-2010s after a spate of high-profile hacks on large internet services, with the wholesale theft of e-mail addresses and user passwords. It’s safe to say that all your passwords from ten years ago are floating around somewhere in the public domain. Don’t believe us? Check out the useful service HaveIBeenPwned.
These days, of course, leaks are less likely to contain cleartext passwords: many internet services have long realized that storing sensitive user information unencrypted is a recipe for disaster. So it’s becoming the norm for passwords to be hashed, that is, stored as the output of a one-way function rather than as the password itself.
The problem here is that if the password is simple, it can still be recovered from a leaked database of hashes by brute-forcing all possible combinations, or by a dictionary attack. Recovering a hashed password if the original was something like “secret” or “123123” is child’s play. This is the second problem with passwords: to aid memorizing, many people use very weak passwords that are easy to extract from a leaked database, even when they are hashed.
And the desire for simplicity and convenience leads directly to the third problem with passwords: using the same password for different accounts and services. Thus, a data leak from some ancient online forum, which you don’t even remember registering on, can result in the loss of your main e-mail account because you used the same password.
Password plus a bit extra
The problem, of course, is far from new, so most services no longer rely on just a single password, but use some kind of multi-factor authentication. When signing in to internet services, social networks, bank accounts, etc., you’re usually prompted for a one-time code after entering your credentials. This code is sent in a text message or delivered to the banking app on your phone or a special app for multi-factor user authentication, such as Google Authenticator. Very complex systems use a hardware key that’s inserted into a USB port on the computer, or connected to your smartphone via Bluetooth or NFC.
In some cases, you do not require a password at all. For example, when you sign in to a Microsoft account, a one-time password is sent to you by e-mail. By default, the Telegram messaging app uses authentication based on one-time codes sent in text messages, with no need for a password at all (although one is recommended as an additional security measure).
In most cases, however, passwords are still there as a backup form of authentication. But relying solely on text-based passcodes (by far the most common and user-comprehensible form of 2FA) is also not a great idea for a number of reasons. In short, it has long been understood that the future does not belong to passwords. Now, at long last, it seems as if that future is around the corner.
Passwordless authentication as conceived by FIDO/W3C
To strip it down to the bare bones, the new passwordless authentication standard turns the password (or rather the passkey, which is a pair of cryptographic keys, one private and one public) into a purely technical element that the user no longer sees. This allows the use of strong, unique keys and powerful cryptography. That in turn makes life harder for cyberthieves: if one account is hacked, no others will be lost, and it becomes impossible to spill the “secret” to phishers.
For users, it’ll look like they’re confirming a login to a social network, e-mail account or online banking service from their smartphone. It’ll be like making a smartphone payment today: you unlock the device via the PIN or face/fingerprint authentication, and confirm the “transaction”, only instead of paying, you’re signing in to your account. In doing so, a successful unlock verifies that you are you. Sounds good!
What’s more, the standard being developed by FIDO has an additional feature in the form of Bluetooth authentication on multiple devices. For example, account login on a laptop is faster if the device “sees” a trusted smartphone nearby. This exciting authentication system will work for the vast majority of users, except perhaps those who continue to use a push-button phone out of principle. With the support of three internet giants, this feature is bound to become universal in the near term. So will it be good for security? Let’s look at the pros and cons of the new technology.
Pros of passwordless authentication
Support from Google, Apple and Microsoft gives reason to believe that both major services (Gmail, YouTube, iCloud, Xbox) and all iOS, Android and Windows devices will soon start moving to passwordless authentication. Since the standard is unified and open, authentication should work identically on any device. Plus the option to switch from one device to another is promised. Swapped your iPhone for a Samsung Galaxy? Not a problem: you can designate the new smartphone as your login verification device.
The main benefit of the new method is that it seriously complicates phishing. Traditional password theft works by creating a fake banking or other website and luring the victim onto it. There, the user enters their login credentials (sometimes even 2FA is accounted for), and that’s it — the attacker has access to the bank account. Besides authenticating the user, the new standard checks the authenticity of the service itself. Simply sending a request for authentication on someone else’s web resource won’t work. Neither will password leaks pose a threat to users.
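The checks behind that claim can be sketched in Node.js. This is an added example, not code from the FIDO Alliance or any vendor: it simulates a WebAuthn-style sign-in and shows the server-side verification rejecting a look-alike origin, a spliced signature and a stale challenge. The names bank.example and bank-login.example are constructed, and the look-alike site is given the same key only to show that the checks hold even then (a real authenticator scopes each credential to its relying party).

```javascript
const { createHash, generateKeyPairSync, randomBytes, sign, timingSafeEqual, verify } = require('crypto');

const sha256 = (data) => createHash('sha256').update(data).digest();
const RP_ID = 'bank.example';             // constructed relying-party ID (assumption)
const RP_ORIGIN = 'https://bank.example'; // constructed origin (assumption)

// Registration: the authenticator makes a key pair; the site stores only the public key.
const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Simulated browser + authenticator. The browser, not the page, records the origin in
// clientDataJSON; the signature covers authenticatorData || SHA-256(clientDataJSON).
function signAssertion(challenge, browserOrigin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin: browserOrigin,
  }));
  // rpIdHash (32 bytes) | flags: user present 0x01 + user verified 0x04 | signCount (4 bytes)
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: sign('sha256', signed, privateKey) };
}

// Relying-party side: returns 'ok' or the reason the login is rejected.
function verifyAssertion({ clientDataJSON, authenticatorData, signature }, expectedChallenge, storedKey) {
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  const got = Buffer.from(String(client.challenge), 'base64url');
  if (got.length !== expectedChallenge.length || !timingSafeEqual(got, expectedChallenge)) return 'challenge mismatch';
  if (client.origin !== RP_ORIGIN) return 'origin mismatch';
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpId mismatch';
  if ((authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return verify('sha256', signed, storedKey, signature) ? 'ok' : 'bad signature';
}

// Genuine login, look-alike site, look-alike signature on genuine data, stale challenge.
function demo() {
  const challenge = randomBytes(32);
  const genuine = signAssertion(challenge, RP_ORIGIN, RP_ID);
  const lookalike = signAssertion(challenge, 'https://bank-login.example', 'bank-login.example');
  return {
    genuine: verifyAssertion(genuine, challenge, publicKey),
    lookalike: verifyAssertion(lookalike, challenge, publicKey),
    spliced: verifyAssertion({ ...genuine, signature: lookalike.signature }, challenge, publicKey),
    stale: verifyAssertion(genuine, randomBytes(32), publicKey),
  };
}
console.log(demo());
```

Nothing the server stores (the public key) and nothing sent during sign-in (a signature over a one-time challenge) can be reused to log in later, which is why a database leak or an intercepted login is of no use to an attacker here.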
Lastly, the new system promises to be simple and intuitive. If properly implemented, the replacement of passwords even for existing accounts should be very straightforward, and the promised OS-level support in smartphones will not even require any app to be installed. Simply go to the site you want, enter your identifier and confirm the request on your smartphone. All done!
Problems that going passwordless won’t solve
Strictly speaking, this should not be considered a problem, but many people are sure to ask the question: what if someone gets their hands on my “trusted” smartphone and approves login to all my accounts? The answer is very simple: in a realistic security model, there are no unbreakable solutions. Anything can be hacked — the only question is what resources the intruder is willing to spend on it. After all, even if you store your 128-character true-random passwords exclusively in your head, there are proven ways to extract them from you.
There are bound to be attempts to hack individual smartphones to gain access to accounts. But such hacks will be individual, aimed at high-profile targets: boutique attacks, so to speak. When it comes to the mass market (that is, real-life everyday threats), password theft is several orders of magnitude more widespread than stealing smartphones and making use of their digital content. And the new technology is aimed at solving this precise problem.
Recall that similar doubts were voiced about the mass introduction of biometrics. Back then, many folks were similarly worried that someone would steal their fingerprint (in the most hardcore version, by cutting off their finger) and unlock their smartphone. Troy Hunt, creator of the above-mentioned HaveIBeenPwned, wrote an entire article last year on a related topic: in a realistic security model, biometrics are stronger than passwords.
But the real issue that passwordless access will not address is smartphone loss. Sure, the new standard makes it possible to transfer the authentication system from one device to another. The easiest way to do this is when you have two devices — for example, an old and a new phone. If the old phone is lost, no doubt you’ll have to use some kind of backup method to prove that you are you. But what kind of backup method this may be is not yet clear; most likely it will depend on the settings of the service in question.
In conclusion, it’s worth asking the question: won’t the new system make users more dependent on the functioning of the accounts they have with that selfsame Google or Apple? Will the blocking of a Google account lead to loss of access to all online resources in general? Even if we assume the standard is open, the smartphone operating systems, not to mention infrastructure, are less so.
A bright(ish) future
Even a skeptic would be hard-pressed to argue that passwords are better than passwordless. The outdated password concept has long been in need of an overhaul. FIDO’s password-free standard promises to set many things straight, but a lot also depends on the implementers: Google, Apple, Microsoft, et al. If they get it right, our digital lives will become that bit easier and safer. But it’s unlikely to happen overnight: passwords are so ingrained in the internet of today that it’ll take many years to erase them completely — even with a new improved system in place.