Saying Goodbye and Good Riddance to Passwords
There are a lot of things about modern Internet security that come up short when it comes to providing real protection, but easily the biggest offender is passwords. We use passwords for everything, from logging into our mail and social networks to our banks and medical records. And the not-so-big secret is that, for the vast majority of people, passwords provide no security at all.
Anyone who has seen a released list of actual passwords that people use knows that in most cases, passwords are trivially easy to figure out. And even those who try to come up with good passwords can get quickly frustrated when it comes to defining effective passwords for many sites, which leads to the problem of repeat password use.
The funny thing is that no one expected passwords to last this long. In the mid-90s, when ecommerce and secure web use first arrived, they were mainly a stopgap measure. Most people were sure something better would replace them fairly soon. And here we are, twenty years later, still relying on passwords that aren’t secure, sending them over connections that can sometimes be compromised, and storing them (along with sensitive personal information and credit card numbers) on tough-to-secure servers that become high-value targets for bad guys.
However, there may finally be light at the end of the tunnel. A new specification for strong, password-free authentication was just released, and it could lead to passwords being buried just like that useless old shoe that your dog put in a deep hole in the backyard.
FIDO 1.0, from the FIDO Alliance (which is made up of over 150 companies from across the business spectrum), is designed to use either secure password-free authentication or strong multifactor authentication to boost overall Internet security, make it harder for the bad guys to steal data, and make it much easier for end users to securely access services without needing to remember 100 passwords.
I recently had the opportunity to speak with Phillip Dunkelberger, who is well known in security circles as co-founder of PGP Corp. and who is currently the CEO and President of Nok Nok Labs and a FIDO Alliance member, about FIDO and what impact it will have on secure authentication.
When asked how FIDO could lead to an end for passwords, Dunkelberger said, “FIDO is designed to make common things you use, like a camera, a voice print, being able to speak into a microphone, or something as exotic as fingerprint sensors, and then using those for multifactor authentication, a much stronger way of authenticating.”
While biometrics are making some inroads, especially with Apple iPhones and in their current implementation of Apple Pay, FIDO does not rely solely on biometrics to provide secure authentication. Dunkelberger said, “The fundamental idea behind it is that there’s a range of things that you want to use. Biometrics is just one. There are other types of exotic biometrics, like your heartbeat. Those are all really exciting, but FIDO encompasses much more than that. Simple things like something you plug in, think of a USB key.”
Two-factor authentication is typically described as something you have and something you know. So something you know can be a password, PIN or secure phrase. And something you have can be a fingerprint, a secure token or even a smartphone. According to Dunkelberger, the “something you know” need not be a complicated password; it can be something as simple as a short PIN. “My personal favorite is secure PIN. The way FIDO works is that it makes secure PIN, or simple PIN, as viable as a long complicated password.”
The other key benefit of FIDO is that it makes what businesses store much more secure and far less enticing to the bad guys as a potential target. Because it uses standard public/private key cryptography, anything stored on servers is useless without the individual’s private key and secure authentication device. “Really the way FIDO works, you’re not doing anything where you’re storing something, like a password, in a big database in the cloud. All of your credentials stay local and it uses the concept of public/private key exchange. Something we know is very secure and very well documented. The only thing anyone can ever get access to is the public key, which is useless without your device and the private key.”
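The two points Dunkelberger makes above, that a short PIN only ever unlocks the local device and that the server holds nothing but a public key, are easiest to see in code. The following is an added example written for this article, not code from the FIDO Alliance or Nok Nok Labs; the `Authenticator` and `RelyingParty` types, the PIN value and the flow function are all hypothetical, and it uses plain ECDSA over P-256 from Go's standard library rather than the real FIDO message formats. It models registration, a challenge/response login, a wrong-PIN attempt (the device refuses to sign, and the PIN is never transmitted), and a replay of an old assertion against a fresh challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Authenticator models the user's device (a USB key or phone). The private
// key is generated here and never leaves; a local PIN gates every signature.
// Hypothetical type, not from any FIDO implementation.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	pin  string
}

func NewAuthenticator(pin string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, pin: pin}, nil
}

// PublicKey is the only material the device ever hands to a server.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign checks the PIN locally (constant-time) and, only then, signs the
// server's challenge. The PIN itself is never sent anywhere.
func (a *Authenticator) Sign(pin string, challenge []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(a.pin)) != 1 {
		return nil, errors.New("wrong PIN: authenticator refuses to sign")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// RelyingParty models the web service. Its "database" holds public keys only,
// so a breach of it yields nothing that can produce a valid login.
type RelyingParty struct {
	users map[string]*ecdsa.PublicKey
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{users: make(map[string]*ecdsa.PublicKey)}
}

func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) {
	rp.users[user] = pub
}

// Challenge returns 32 fresh random bytes; a challenge is used once, which is
// what makes a captured assertion worthless for replay.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Verify checks the assertion against the stored public key for that user.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// RunFlow registers a user, then reports three outcomes: a correct login,
// whether a wrong PIN yields any signature, and whether an old assertion
// verifies against a new challenge. Constructed PIN "1234" and user "alice".
func RunFlow() (goodLogin bool, wrongPINSigned bool, replayAccepted bool, err error) {
	auth, err := NewAuthenticator("1234")
	if err != nil {
		return false, false, false, err
	}
	rp := NewRelyingParty()
	rp.Register("alice", auth.PublicKey())

	c1, err := rp.Challenge()
	if err != nil {
		return false, false, false, err
	}
	sig1, err := auth.Sign("1234", c1)
	if err != nil {
		return false, false, false, err
	}
	goodLogin = rp.Verify("alice", c1, sig1)

	_, pinErr := auth.Sign("0000", c1)
	wrongPINSigned = pinErr == nil

	c2, err := rp.Challenge()
	if err != nil {
		return false, false, false, err
	}
	replayAccepted = rp.Verify("alice", c2, sig1)
	return goodLogin, wrongPINSigned, replayAccepted, nil
}

func main() {
	good, wrongPIN, replay, err := RunFlow()
	fmt.Println("login ok:", good, "wrong PIN signed:", wrongPIN, "replay accepted:", replay, "err:", err)
}
```

The design choice worth noticing is where the PIN lives: a four-digit PIN guessed against a server would fall in seconds, but here it is only ever compared inside the device, so the server never sees it and an attacker who dumps the relying party's storage gets a public key and nothing else. The per-login random challenge is what turns the key pair into proof of presence rather than a reusable secret.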
Interestingly, while the overall concept of FIDO seems radical, there is nothing here that is really groundbreaking. All of the concepts and technologies are mature and have been well-known for a while. Hopefully the time is finally right to put in place a more secure method of authentication, and say a long overdue goodbye to passwords.