We Just Got One Step Closer to Killing the Password


The FIDO Alliance, whose members include everyone from Google to Samsung, just announced new password-free standards for regular and two-step authentication. In other words, the entire tech industry now has a protocol for letting you sign into accounts without a password. Get ready for everything but typing out *****.


Disparate companies have been offering password-killing solutions for years, but the lack of a common standard tended to make things more difficult than they needed to be. Now, the new FIDO specifications promise "to make authentication simpler and stronger for all." Any app or website should now be able to depend on devices like USB hardware tokens or biometric data like fingerprints in order to authenticate users. You've been able to do this with some services, like Google, for a while, but the new standards should (hopefully) blow the lid off of adoption.

It's a little unclear what this new password-free landscape will end up looking like, but FIDO's new standards will shape the terrain dramatically. There's more work to do. Apple's TouchID still needs deeper integration, for one. Bluetooth and NFC-enabled devices aren't yet supported either, so everything has to be plugged in. But today, we're one step closer to forgetting all of our passwords regardless. [FIDO Alliance]

Image via Shutterstock


As painful as passwords are, I don't see good things coming from replacing them with a physical object (device) or anatomy (biometrics).

Having to rely on physical devices is a pain. What happens when you misplace or lose your physical security 'key'? Right, you'll tell me that the security will be in everyone's phone so there's no need to keep track of a separate device - and that will work great because everyone in the world always has a smart phone with them 24-7, and no one ever misplaces or breaks their phone and phone batteries last forever and knowing that people have a 'master' password in their phones wouldn't provide any additional incentive to steal cellphones. Sounds great.

Biometrics, on the other hand, don't have the downside of having to keep track of a device or object, because they're linked specifically and only to some unique aspect of a person's physical identity (fingerprint/retina/whatever), so at a quick glance they would appear to be both more convenient AND more secure, but stop to think about what that means. Every time you access any device or web page or app or service that requires biometric authentication, you are transmitting your unique, unchangeable biometric data. That data has to be encrypted and then is sent somewhere to be authenticated (just like when you type a password in today). So, I guess if you believe that security standards will prevent anyone from being able to intercept or decrypt and re-use your biometric data, then you don't worry about this. In reality, if you think this you are hopelessly naive, because you SHOULD worry about it, but you won't, because ignorance is bliss. Today keylogger viruses/apps record what keys you press; tomorrow the apps will record your biometric data before it is encrypted and sent to whoever is authenticating your identity. Today identity thieves use credit/bank card skimmers to record the data on your bank/cc; tomorrow it will be biometric skimmers that record your biometric data.

Today, if your password gets stolen you can contact the company the pw is associated with and reset it. What happens when your 'password' is biometric data that can't be changed? Once your biometric data has been stolen, how do you 'reset' your biometric data (password)? How is an authentication service going to be able to tell the difference between you sending your fingerprint and a hacker sending your fingerprint?

Passwords for normal use are very secure when used correctly, and simply making ALL password authentication require 2 or 3 factor authentication would make them as safe as anyone needs them to be for normal use. For data centers and IT organizations who have access to servers and databases I can see why they might want to rely on physical keys as part of a 2 or 3 factor authentication system, but for normal people doing banking, paying bills, purchasing, physical devices that replace passwords provide a false sense of security, little more.

All the examples I've heard of where a 2-factor authentication system has been compromised were not because of the 2-factor authentication, but because someone figured out a way to exploit a company's loose 'password reset' functions. Can anyone point out an example of where a 2-factor authentication system with proper complex passwords and a secure password-reset function was compromised?