Are Passwords Still Useful?
FIDO Says Look to Authentication Alternatives.
Stop me if you’ve heard this before:
“Your password must be:
- “At least 8 characters—the more characters, the better.
- A mixture of both uppercase and lowercase letters.
- A mixture of letters and numbers.
- Inclusion of at least one special character, e.g., ! @ # ? ]”
We’ve seen these requirements for years now, and we’ve agonized over how to satisfy them over and over. It’s led to all of us trying to remember all your different passwords for various accounts. If you don’t already have a password manager to help with all that, it’s likely made a mess of your brain trying to keep track.
(Pro Tip: if you’re not using a password manager to create and manage random, unique-per-account password values across your various work and personal accounts, you’re making a serious mistake.)
But are passwords even still viable? You might say “unfortunately,” but in March 2022, the Fast Identity Online Alliance (FIDO) published a new white paper advocating for the adoption of their new specifications. They paint a picture of a near-future where passwords are finally a relic of the past.
But that’s a promise we’ve heard before, and obviously, it’s a tall order. In this article, we’ll detail why other authentication methods have yet to overtake passwords as a similar security option. Then we’ll delve into FIDO’s new specifications and how they might finally render passwords obsolete.
Passwords may hold out for a while yet, but after reading, you’ll be more prepared if and when widespread adoption of other methods becomes reality.
Why Are Passwords Still the Default Authentication Method?
We’ve well established how annoying passwords can be, but despite their flaws—especially against modern attack techniques—they remain omnipresent if there’s something to protect.
That’s because other authentication mechanisms have faced challenges with implementation, user adoption, and their own security issues, but why is that?
There’s trouble at both ends of the spectrum—for the highly secure methods and of course, for those that are less so.
- People haven’t taken to high-security, special use schemes because historically, they’ve made use of complex, expensive hardware like:
- Smart cards;
- Hardware tokens providing one-time codes; or
- Modern USB devices that contain cryptographic material used for authentication.
When that’s your alternative, collectively it’s been easier to opt for a password.
- But people also still want to be secure even if they don’t like those more complicated methods. The other problem with some of these other consumer-facing authentication mechanisms—namely, apps on mobile phones—is that they operate in a manner that still exposes the user to phishing or social engineering. Bad actors can subvert these methods using SMS messages, app-based one-time passwords (OTPs), or push notifications sent to the phone.
Consumers also typically prefer portable methods—the ones that actually have been accepted have relied on the universality of mobile phones. If you’ve ever lost your mobile phone or replaced it with a new one, you know that it’s a potentially fraught process.
You have to transfer everything over, and it’s easier to just log in rather than dealing with moving underlying cryptographic keys or other authentication methods. Those alternatives are not always intuitive and sometimes can result in the loss of credentials. This sticking point has helped passwords continue to reign as the #1 authentication choice.
How the New FIDO Specifications Seek to Change Authentication
But as we mentioned, that may not be for long.
These new FIDO specifications—along with the related W3C WebAuthn specification—allow for a range of authentication mechanisms, including some for mobile phone-based authenticators to address that portability point:
- Unlike many existing mobile phone authentication mechanisms, FIDO describes an authenticator that requires your mobile phone to make a Bluetooth connection with the endpoint rather than the user conveying an OTP or responding to a push notification.
- As detailed in this white paper and other FIDO standards, this minimizes the possibility of a phishing attack, as the holder of the phone must be in proximity to the device for the authentication to work.
- For those users willing to invest in them, FIDO also supports hardware tokens such as YubiKeys for high-security use cases.
- Other implementations that FIDO mentions include Apple’s passkeys that store the underlying cryptographic secrets in iCloud.
- This allows transfers between devices, letting you switch devices and easily recover your passkeys. You can then continue using your device for authentication in ways that don’t add extra steps for recovery.
If adoption of other authenticators has been a problem in the past, the FIDO Alliance claims that’s not the case any longer. They say that the operating systems, mobile devices, and browsers supporting their specifications—as well as WebAuthn—have reached an adoption critical mass on established, everyday platforms such as desktop operating systems, cell phones, and web browsers.
That means sites and applications can now make use of these other authentication mechanisms and no longer need to require passwords as the means of authenticating users.
What is Preventing Change in Authentication?
That said, some troubles remain:
- Despite the prevalence of mobile phones, FIDO capabilities only exist in the most current tier of operating systems and hardware, so those of you with older devices are left out of these features.
- The security of FIDO’s scheme also relies on the quality of implementation amongst browsers, operating systems, and the like.
- Just like advancing tech, attackers aren’t stagnant either. Even if more widespread adoption happens, bad actors will likely shift their focus. As they adjust to the different authenticators, attackers may instead focus on finding vulnerabilities in the implementation of these measures.
That said, the evidence supporting FIDO’s advocacy for methods other than passwords is there.
As perhaps the primary example, in the credit and debit card space, the adoption of chip cards resulted in a significant drop in card-present fraud. (Naturally, it also meant a shift to more card-not-present fraud.) However imperfect, not only does this adoption of chip cards mark an unambiguous gain for security, but it also suggests that a similar adoption of FIDO or similar authentication standards will yield similar gains.
What’s Next for Passwords?
Despite these steps, it remains to be seen whether more widespread adoption of these specifications will take place. Industries such as consumer banking, e-commerce, or social media may not yet support FIDO or WebAuthn within their applications even if their users possess the platforms to use them.
That’s what everything will hinge on—whether or not popular applications will finally become willing to adopt this approach. So while passwords may hang on a little longer, you now understand a little more about the authentication methods that could soon render them a thing of the past.
If you’re interested in learning more about current cybersecurity topics, make sure you read our content on the different aspects. It’s the Wild, Wild West out there, and these articles will help you stay apprised of the latest amidst a changing landscape:
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.