by Jeanne Zepp

We all struggle with passwords. Creating them. Remembering them. Updating them. Protecting them. We pride ourselves in our cleverness in devising ones that go beyond “qwerty” or “12345,” believing we can outsmart hackers. Yet, one site reports that most passwords fall into just 20 categories, and three out of four employees select the same passwords for their company and personal accounts. So much for originality.

Identity authentication relying solely on a password has long been problematic. Innovations such as early public key cryptography, password managers and multifactor authentication have added strength to the sign-in process. Yet, as late as 2021, Verizon reported that 61 percent of all breaches were attributable to leveraged credentials. So, even with these advances, passwords fall short as an easy, secure means of authentication.

On World Password Day 2022 (May 5), we learned that an end to the madness of passwords is in sight. Three global tech leaders – Apple, Google and Microsoft – pledged their platforms will offer greater support for implementing the Fast IDentity Online (FIDO) Alliance and World Wide Web Consortium standards aimed at eliminating passwords. Yes, in the not-too-distant future, passwords will be a thing of the past.

In the not-too-distant future, passwords will be a thing of the past

According to the press release, the firms’ operating systems (Android, iOS, macOS and Windows) and browsers (Chrome, Safari and Edge) already support FIDO Alliance standards that enable passwordless device sign-in (e.g., facial recognition, fingerprint match or personal identification number). However, users had to individually sign in to each site or app on every device before use of passwordless functionality was possible.

With expanded implementation of standards over the next 12 months or so, Apple, Google and Microsoft users will be able to access their FIDO passkey automatically, thereby obviating the need to enroll every account on every device. Even if you get a new phone or lose an existing one, the FIDO credential will remain available via cloud backup; there will be no need to redo the passkey match process. Within a year or more, interoperability will come into being as well. Users will be able to use the passkey on their mobile phone to sign into websites or apps running on another device nearby without regard for the platform or browser it employs.

The process, as outlined in a Google blog, follows. The FIDO credential uses public key cryptography, where the passkey pair shared between the app or website is stored on the user’s mobile phone. The mobile phone thus becomes the primary authentication device; the passkey replaces the password. Using their mobile phone, users sign into the app or website and then unlock their phone. After that, a password is not required as the public-private key match occurs automatically.

The mobile phone thus becomes the primary authentication device; the passkey replaces the password.

To initiate passwordless access to apps and websites on a computer or other device, the mobile phone must be nearby. Going to a website or app will prompt the sending of a notification to the phone. It will request that the user unlock the phone, thereby matching the public and private keys. After this initial match, app and site sign-in will occur upon unlocking the computer or other device used. The mobile phone will not be necessary. Of course, passwordless sign-in emphasizes the need for strong passwords ― or biometrics ― on every device so programmed.

Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), lauded the companies’ actions saying, “The standards developed by the FIDO Alliance and World Wide Web Consortium and being led in practice by these innovative companies is the type of forward-leaning thinking that will ultimately keep the American people safer online…. Today is an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords.”

Technology, coupled with industrywide standards, will soon eliminate easily guessed passwords. It will make phishing attempts outdated and prevent cyber criminals from selling stolen passwords on the Dark Web. With the passkey only visible to online accounts when the mobile phone is unlocked, everyone will experience greater freedom and security online. Of course, we can never underestimate the creativity and resourcefulness of cyber criminals. Still, passwordless identity verification will be a major step forward.

Electrosoft is facilitating the move toward stronger forms of identity authentication through our work supporting the National Institute of Standards and Technology (NIST) in its efforts to develop strong authentication standards and guidelines for federal agencies. We also are supporting multiple federal agencies in implementing smartcard-based, strong, two-factor authentication for access to agency facilities and electronic resources. Check out our many client stories. Contact us at info@electrosoft-inc.com to find out how we can help your organization implement FIDO or other strong authentication techniques.