Passwords. The bane of our existence. Hard to remember. Annoying to reset. At the risk of being compromised at all times.
Good news: change is in the works, and it could completely change passwords as we know them.
The current climate is this: password managers like 1Password, LastPass, and Dashlane solve some of the problems by generating strong, unique passwords for each individual account you have. Companies like Google and Facebook make you exchange security on their platforms for power over your life online. A risky trade-off. Finally, two-factor authentication is a standard solution that adds security by requiring a passcode, usually sent by text message, every time you log in. Even so, two-factor authentication has its weaknesses and can be defeated by motivated hackers.
Change comes in the form of FIDO, a new technology that could potentially eliminate passwords. FIDO overhauls the login process, combining phone, face and fingerprint recognition, and hardware security keys. The goal of FIDO, if successful, is to eliminate common passwords like “1234” and make them an official thing of the past.
What will a world without traditional passwords look like? Every time you log in to your bank account, your email, or your work network, the process will be different. What are the advantages? What are the shortcomings? Let’s break it down.
Passwords are a problem, specifically a security problem.
It’s no surprise that passwords have been problematic almost since their inception. As previously stated, they’re challenging to generate, hard to keep track of, and at risk of compromise. While things like two-factor authentication have attempted to fix a bleeding wound with a band-aid, FIDO is restructuring how passwords operate altogether.
Passwords invite laziness: long passwords are hard to remember, difficult to type out, and tough to keep track of. That’s why many of us default to reusing existing passwords. While convenient, the security risk is high. Our laziness poses a massive problem because many hackers already have our existing passwords from prior breaches. How do they exploit this? Two words: credential stuffing. Essentially, hackers automate the attack by trying a long list of stolen username and password pairs against a site until they find a combination that works. Boom! They’re in. It’s sadly that easy.
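Credential stuffing leaves a recognisable trace in a site’s authentication log: one source address walks through many different accounts in a short time, almost all attempts fail, and the occasional success is the stolen pair that happened to be reused. The following Go program is an added example, not code from the original post; it parses a handful of constructed log lines in an assumed “timestamp ip user result” format and flags source addresses that tried many distinct accounts with a high failure ratio. The thresholds, the log format and the addresses are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// LoginEvent is one parsed line of the constructed authentication log.
type LoginEvent struct {
	IP, User string
	Failed   bool
}

// Finding summarises why one source address looks like a credential-stuffing client.
type Finding struct {
	IP                       string
	Attempts, Failures       int
	DistinctUsers, Successes int
}

// sampleLog is constructed for this example. Assumed format: "timestamp ip user result".
const sampleLog = `2024-01-01T10:00:01Z 203.0.113.7 alice FAIL
2024-01-01T10:00:02Z 203.0.113.7 bob FAIL
2024-01-01T10:00:02Z 203.0.113.7 carol FAIL
2024-01-01T10:00:03Z 203.0.113.7 dave OK
2024-01-01T10:00:03Z 203.0.113.7 erin FAIL
2024-01-01T10:00:04Z 203.0.113.7 frank FAIL
2024-01-01T10:00:09Z 198.51.100.4 alice FAIL
2024-01-01T10:00:15Z 198.51.100.4 alice OK
2024-01-01T10:01:00Z 192.0.2.9 bob OK`

// ParseLog turns the raw text into events, skipping malformed lines.
func ParseLog(raw string) []LoginEvent {
	var events []LoginEvent
	for _, line := range strings.Split(raw, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue
		}
		events = append(events, LoginEvent{IP: f[1], User: f[2], Failed: f[3] == "FAIL"})
	}
	return events
}

// DetectStuffing flags source IPs that tried at least minUsers distinct accounts with a
// failure ratio of at least minFailRatio. A user retyping a forgotten password touches one
// account; a stuffing client walks a list of many accounts, mostly failing, and the rare
// success inside that spray is the login a responder most needs to see.
func DetectStuffing(events []LoginEvent, minUsers int, minFailRatio float64) []Finding {
	type stats struct {
		attempts, failures int
		users              map[string]bool
	}
	byIP := map[string]*stats{}
	for _, e := range events {
		s := byIP[e.IP]
		if s == nil {
			s = &stats{users: map[string]bool{}}
			byIP[e.IP] = s
		}
		s.attempts++
		s.users[e.User] = true
		if e.Failed {
			s.failures++
		}
	}
	var out []Finding
	for ip, s := range byIP {
		ratio := float64(s.failures) / float64(s.attempts)
		if len(s.users) >= minUsers && ratio >= minFailRatio {
			out = append(out, Finding{IP: ip, Attempts: s.attempts, Failures: s.failures,
				DistinctUsers: len(s.users), Successes: s.attempts - s.failures})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].IP < out[j].IP }) // stable report order
	return out
}

func main() {
	for _, f := range DetectStuffing(ParseLog(sampleLog), 5, 0.5) {
		fmt.Printf("%s: %d attempts across %d accounts, %d failed, %d succeeded\n",
			f.IP, f.Attempts, f.DistinctUsers, f.Failures, f.Successes)
	}
}
```

On the sample data only 203.0.113.7 is reported: six attempts against six different accounts, five failures and one success (the `dave` login), which is exactly the account whose reused password should be reset. The single user retrying from 198.51.100.4 is not flagged, because the signal is breadth across accounts, not failures alone.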
How does FIDO help?
FIDO stands for “Fast IDentity Online”. To address password security, FIDO standardizes the use of hardware devices (i.e., security keys) for authentication. Several notable companies are developing FIDO, including Google, PayPal, Yubico, and Microsoft, to name a few.
What exactly are security keys? Good question. Security keys are digital equivalents of house keys. Plug one into a USB or Lightning port and a single security key can work securely with multiple websites and apps. Security keys can be combined with features like Apple’s Face ID and Windows Hello, features known as “biometric authentication”. Some security keys can even be used wirelessly, expanding their use.
To make hacking all the more difficult, FIDO also allows services and sites to replace passwords altogether. This change will likely make logging in that much easier for users and more challenging for hackers to breach.
How does FIDO specifically protect against phishing?
FIDO uses public key cryptography, the same family of technology that has protected credit card transactions online for decades, and its credentials simply do not work on faked websites, so they never fall into the trap that many phishers set. Unlike humans, security keys can tell an illegitimate site from the real one.
This is how FIDO authentication works today:
- You’ll first type a conventional password.
- Then, you’ll plug in or wirelessly connect a FIDO hardware security key.
- For now, FIDO is used alongside passwords: a password plus a security key (this is how you likely use FIDO today on platforms like Dropbox, Facebook, Google, etc.).
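The phishing resistance described above, and the login ceremony in the list just given, rest on two properties of the signature a FIDO key produces: the key is scoped to the site’s relying-party ID, so a look-alike domain has no credential to use, and the signed data covers the origin the browser actually loaded together with a single-use challenge from the site, so a signature cannot be relayed to the real site or replayed. The Go program below is an added illustration, not code from the FIDO Alliance or from the original post. It simulates both sides with an ECDSA P-256 key, the ES256 algorithm WebAuthn (the browser API for FIDO2) uses by default; the names `example.com` and `examp1e.com`, the `Setup` and `Login` helpers, and the reduction of authenticator data to just the rpID hash are simplifications made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// clientData mirrors WebAuthn clientDataJSON; the browser, not the page, fills in Origin from the site it actually loaded.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator simulates a security key holding one key pair per relying-party ID (rpID).
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }

// Register creates a credential scoped to rpID and returns the public key the site stores; the private key never leaves the key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = key
	return &key.PublicKey, nil
}

// Assert signs for rpID. A look-alike domain is a different rpID, so the key has no credential there and refuses.
func (a *Authenticator) Assert(rpID string, clientDataJSON []byte) ([]byte, error) {
	key, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("authenticator: no credential registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, key, signedMessage(rpID, clientDataJSON))
}

// signedMessage is the (simplified) data a FIDO authenticator signs: SHA-256(SHA-256(rpID) || SHA-256(clientDataJSON)).
func signedMessage(rpID string, clientDataJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return msg[:]
}

// RelyingParty is the genuine site: it issues single-use challenges and verifies assertions.
type RelyingParty struct {
	ID, Origin string
	pub        *ecdsa.PublicKey
	pending    string // the one challenge currently awaiting an answer
}

// NewChallenge returns a fresh random challenge, remembered for exactly one verification.
func (rp *RelyingParty) NewChallenge() string {
	buf := make([]byte, 32)
	rand.Read(buf) // crypto/rand.Read does not return an error in current Go releases
	rp.pending = base64.RawURLEncoding.EncodeToString(buf)
	return rp.pending
}

// Verify runs the server-side checks; the rpID hash is recomputed locally, so a signature made for another site fails.
func (rp *RelyingParty) Verify(clientDataJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if rp.pending == "" || cd.Challenge != rp.pending {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	rp.pending = "" // accepted at most once, so a captured assertion cannot be replayed
	if cd.Origin != rp.Origin {
		return errors.New("origin mismatch: assertion was made on " + cd.Origin)
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(rp.ID, clientDataJSON), sig) {
		return errors.New("signature does not verify under the registered public key")
	}
	return nil
}

// Setup registers one credential with a constructed site, example.com.
func Setup() (*Authenticator, *RelyingParty, error) {
	auth := &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com"}
	pub, err := auth.Register(rp.ID)
	rp.pub = pub
	return auth, rp, err
}

// Login plays the browser: fetch a challenge, record the origin actually loaded, get an assertion under rpIDUsed, submit it.
func Login(auth *Authenticator, rp *RelyingParty, browserOrigin, rpIDUsed string) error {
	cdJSON, _ := json.Marshal(clientData{Challenge: rp.NewChallenge(), Origin: browserOrigin})
	sig, err := auth.Assert(rpIDUsed, cdJSON)
	if err != nil {
		return err
	}
	return rp.Verify(cdJSON, sig)
}
```

Three calls to `Login` show the three outcomes: with the genuine origin and rpID the site verifies the assertion; on the look-alike domain `examp1e.com` the authenticator itself refuses, because nothing was ever registered for that rpID, so there is no signature for a phishing page to collect; and an assertion whose client data names the wrong origin is rejected by the site even though the signature is mathematically valid. Clearing `pending` after one successful check is what stops a captured assertion from being submitted a second time.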
What does FIDO mean for the future of passwords?
If we know one thing, it’s that humans don’t take change lightly. It will likely be a long (and potentially rocky) transition. Why? We’re used to passwords. It’s how we’ve “always done it”, in a sense. We don’t like to change things that work “good enough.”
Plus, here are some potential problems with FIDO:
- People don’t like change (noted above).
- Setting up security keys is, unfortunately, harder than picking a password. Why? Different websites use different procedures to register and use security keys. It’s not the same process every time.
- They cost money.
- Employees are likely to lose or forget them (making enterprise acceptance of security keys more difficult).
Still, the world of passwords has needed reform for years. FIDO is likely to be an answer. Like any new solution, there are pitfalls and challenges, but we predict FIDO will prevail. After all, change is necessary to improve. And passwords need improvement to survive the ever-evolving world of cybersecurity.
Questions about FIDO or password security for your business? Contact PK Tech here.