Reports of the death of the password may have been greatly exaggerated. The media narrative runs from the suggestion that passwords are the ‘weakest link’ in the cybersecurity chain to the notion that humans are so bad at using them that it is time the technology industry saved us from ourselves.
But is it true? Are passwords doomed? Enter the FIDO2 Project, a fascinating effort to ‘Move the World Beyond Passwords’ led by the FIDO Alliance industry association and the World Wide Web Consortium (W3C).
Headlines aside, FIDO2’s aims are ambitious: to replace passwords with a flexible device-based authentication standard (the W3C WebAuthn browser API paired with FIDO’s Client to Authenticator Protocol, CTAP) that lets users log in with an authenticator such as a phone unlocked by a biometric or a hardware security key.
Under the hood, each website gets its own public/private key pair. The private key is unique to that site, stays on the user’s device rather than in a central database, and is never transmitted; the site only ever receives a signature over a fresh challenge bound to its own origin. The FIDO Alliance argues that this naturally scuppers phishing, password theft and replay attacks, and that it brings privacy advantages sure to woo even ardent digital rights activists, such as the inability to track users between sites, because the credentials issued to different sites cannot be linked to one another.
Cheating biometrics remains technically possible, but it requires the kind of preparation and physical access to the device that is not common among everyday opportunistic cyber-criminals. In the FIDO2 model the biometric is also only ever checked locally, to unlock the device’s key; it is not itself sent to the website.
The big players are taking note: Google plans to ‘begin’ retiring passwords for Google services accessed via biometric-enabled smartphones (such as those with fingerprint scanners), and Microsoft is planning similar changes to apps in Windows 10, even talking of a ‘passwordless world’ via Windows Hello, which extends to facial recognition. Apple has been publicly heading down this road for a while now, with ‘FaceID’ facial recognition introduced for recent generations of iPhone and iPad, as well as Apple Watch device-led unlocking for your Mac.
Apple’s efforts to show that the iPhone stores only a ‘mathematical representation’ of the user’s face also suggest that it is preparing to defend a policy of extending FaceID further at the expense of passwords, even in an increasingly privacy-conscious world.
Users may of course find a world without passwords a little disorientating to begin with, although not forever, if the replacement technology proves more convenient.
Password manager apps (such as the excellent 1Password) have become an interesting half-way house on the road to a more secure future: the manager keeps a set of passwords in encrypted form behind one strong master passphrase. It may also perform other useful functions, such as warning the user where the same password is reused across sites, granting different people within a business or organisation access to different passwords, or auto-filling them in common web browsers.
The adoption of password managers may reflect a coming time in which users continue to ‘use’ passwords but no longer recall or type them. It may not be passwords that are doomed, but the user’s traditional interaction with them.
Are passwords doomed? A few potential futures emerge: one in which passwords exist but are used less directly by users, one in which they are relegated to a secondary security measure of questionable usefulness, or, most radically, one in which they are replaced entirely.