Skip to content Skip to footer

Do without passwords

Loading player A significant part of the IT security problems, as easily understood even by non-experts, concerns unauthorized access to systems. Passwords – sequences of alphanumeric or even special characters, such as “%” or “£” – are the best known and most common way to prevent the use of data and IT resources by unauthorized parties. But that is not always a sufficient way, and often one of the reasons is the “weakness” of those passwords: the fact that it is possible to identify them more or less easily.

In recent years, some of the computer science research has focused on developing alternatives to passwords and, in particular, on designing systems in which not having to enter passwords is a standard, the default choice. In fact, many find it relatively surprising that the exceptional technological progress of the last thirty years has not produced new ways of accessing services used every day by billions of people, net of the implementation of additional authentication systems and the improvement of password management tools.

Furthermore, in many cases, the efforts made to make passwords more secure have gone in the opposite direction to simplifying the everyday experience of using IT tools. Many of the advice most commonly shared by experts – changing passwords frequently, using longer sequences with special characters, activating two-factor authentication – involve procedures that complicate life for attackers but make accessing systems to be protected less practical and easy even for authorized users. This factor then ends up discouraging many people from actually following those advice, increasing the safety risks rather than reducing them.

– Read also: Why healthcare is so vulnerable to cyber attacks

On Thursday 5 May, to coincide with “World Password Day”, an initiative launched by Intel in 2013 to promote greater awareness on the topic of cyber security, Apple announced a commitment – shared with Google and Microsoft – to accelerate work to implement and make available on devices a passwordless authentication standard called FIDO.

The name derives from that of the international association of companies that has worked on the development of the standard over the last few years, FIDO (Fast Identity Online) Alliance, and which last March announced that it had made a series of substantial progress towards introduction of an authentication protocol capable of replacing passwords as the dominant form of authentication on the Internet. Authorizing access to accounts, with the system designed by FIDO, will be the unlocking mechanisms present on the devices owned by the user, in particular the smartphone: mechanisms already today based in many cases on the biometric recognition of individual characteristics such as the fingerprint or facial features.

It has been talked about for some time on various news and technology sites because the association, which has existed since 2012, has been collaborating for some time with the best known and most important technology companies in the world: chip manufacturers such as Intel and Qualcomm, institutes financials such as American Express and Bank of America, and especially large Internet companies and operating system developers such as Apple, Google and Microsoft. FIDO was founded with the explicit goal of developing and promoting authentication standards that reduce “the world's over-reliance on passwords”.

Indeed, the idea is to find a way to do without passwords completely, as summarized by Wall Street Journal reporter Katie Deighton, and to use a mechanism to unlock the device via face recognition, fingerprint or pin: which means quitting. to send important information on the Internet such as passwords, which can be intercepted by malicious people and used to carry out cyber attacks.

As explained in more detail in a document shared in March by FIDO, to access an account according to the new protocol – which in the future will eventually have to be implemented in operating systems – users will use their smartphone as an authentication device. In a certain sense this is already the case for millions of people who adopt an identity verification method every day that involves at least two steps: entering a “static” password and then an OTP (one-time password) code, that is, a “disposable” password provided by an app installed on the device, or sent by text message.

– Read also: Having eight thousand bitcoins in a landfill

The problem with this already widespread two-step method, according to FIDO, is both the inconvenience of the procedure and the persistent risk of exposure to phishing attacks (sending forged communications to appear authentic and steal data from users). A person could in fact inadvertently enter an OTP on a counterfeit site, for example, or approve an access request on their smartphone without realizing that the browser is pointing to a phishing site and not to the desired destination.

The new protocol developed by FIDO should solve this problem by using smartphones as authentication devices and integrating the use of Bluetooth technology present on the devices. Bluetooth would serve to allow communication between the smartphone owned by the user and the device on which the user is trying to authenticate, which would therefore require a necessary physical proximity between the two devices. According to FIDO, an improvement in the forms of two-factor authentication that already currently use the user's smartphone as a second factor would be: both in terms of security, because it would add resistance to phishing attacks, and in terms of convenience, because it would not require cumbersome procedures or the use of specific authentication hardware.

At the moment, in addition to existing technical difficulties related to the possible implementation of this protocol in current operating systems, the prospect of a totally password-free context is however hampered by the inertia generated by years of use of passwords by users.

Passwords are a system with many limitations and impractical, especially in everyday activities, which is why many people end up using the same password for different accounts (one of the most discouraged behaviors of cybersecurity experts). But the use of this system, however imperfect, is so familiar and rooted in user habits that any attempt to build alternative systems, Wired wrote, has faced greater difficulties than those posed by strictly technical issues.

One of the most representative moments of the type of inertia of users in the face of the prospect of changing systems in use, concluded FIDO, is the purchase of new devices. If the procedure for setting up your new smartphone is too complicated or cumbersome, or if there is no easy way to then access all your apps and accounts again, or even if you need to use passwords to restore ownership of those accounts, most users will conclude that it's a hassle to change the status quo.

– Read also: The cyber blackmail industry, explained

The protocol developed by FIDO should also simplify this step, because in theory it would not require the insertion of a password even in the case of the first authentication on the new devices to be configured, as it is generally necessary to do to recover your account when you change your smartphone. Scanning biometric data would be sufficient even on new devices, as long as the operating systems implement a credential manager of the type designed by FIDO, which in a sense would be similar to a built-in password manager.

The main function of password managers, particular computer programs, is to allow users to generate, manage and store their passwords in a centralized and encrypted way, so that they can be used when needed for both local applications and online services. Access to the program and operation are usually regulated by a single password: it is sufficient to remember that one to be able to manage all the others as well. The vulnerability of this system is that discovering the master password effectively makes all those saved in the archive usable.

For this reason, various password managers provide for the possibility of adding the verification of a user's biometric data to the authentication procedure using the master password, through the smartphone itself, which in that case acts as a locally accessible authentication device. The credentials within the system designed by FIDO should work in much the same way as password managers with biometric data scanning. But instead of storing the passwords, the system would store a series of cryptographic keys associated with the different devices, synchronized with each other: the keys would be protected by the unlocking system by means of biometric data present on each device (or, alternatively, by means of an access code to the device. ).

Last summer, at its annual California conference for developers of new products and technologies, Apple announced Passkeys, a system that adopts the FIDO standard and relies only on biometric identification by fingerprint or face recognition to account authentication. In practice, each device generates a unique pair of “keys”, one public and one private, for each service account created. The device keeps the private key, which cannot be removed, while sharing the public key with the service provider's server.

One of the main difficulties faced by FIDO over the years has been the reduced interoperability between the different authentication technologies used by different companies. As the case of Apple demonstrates, integrating the passwordless authentication system into a single operating system does not in itself pose insurmountable difficulties. Complications arise with the implementation and sharing of the same passwordless protocol between digital ecosystems of different and competing manufacturers. From this point of view, according to FIDO, the addition of the step that requires the use of Bluetooth technology to complete the authentication, albeit with a series of limitations, would offer the possibility of using a widely shared data transmission standard.

– Read also: Governments that spy on politicians, journalists and activists

“Passwords are part of the DNA of the web itself, and we're trying to supplant them,” FIDO CEO Andrew Shikiar told Wired, arguing that not using a password should be an easier choice than using it. But as promising as the prospect of a dominant form of passwordless authentication appears, Wired wrote, there are conditions that even at best would not lead to passwords disappearing overnight.

To begin with, not all people have a smartphone, which in the FIDO scheme is in practice the indispensable hardware authentication tool. Nor do they have multiple devices that can be synchronized with each other, another necessary condition in the FIDO scheme to be able to configure a new smartphone using authentication without a password. Furthermore, it would still be several years before people could access devices and versions of operating systems recent enough to support the FIDO standard. In the meantime, and who knows for how long, businesses should still maintain both password-based and password-less access schemes, and it's known just how problematic technology migrations can be. systems, remember Wired.

Although the FIDO system does not share users' biometric data with service providers, it would be difficult to counter even some people's reluctance to use that data as their only form of managing their accounts, Maxim told the Wall Street Journal. , vice president and director of research of the US market analysis firm Forrester Research, where he focuses on security.

Finally, although password-less authentication is considered a potentially effective way of solving the phishing problem, the FIDO protocol would still not be infallible from a cyber security point of view. Much will depend, Wired concludes, on how secure the implementation will be in each operating system: the new method “will simply create a different, if potentially better and more sensible set of weaknesses and vulnerabilities”.