Passwords Passé? Industry Effort to Replace Them Now Has Apple Onboard


Unless you’ve got an absolutely stellar long-term memory you’re likely one of the millions of people around the world who rely on some type of password reminder or organizer app to be able to remember passwords from time to time. It’s natural that the ones you use regularly are fairly committed to memory, but we all have ones that don’t need to be entered very often. These are the ones where we may well be drawing a blank when it comes time to use them, and where a password reminder app comes in especially handy.

But then there’s the ongoing fact that even the most unique password isn’t going to be 100% failsafe, and being ‘hacked’ does happen to a lot of people. Add to that the fact that in today’s increasingly digital world we have more passwords to keep track of than ever before, and for some people passwords are going to be both untrusted and inconvenient. Here at 4GoodHosting, as the leading Canadian web hosting provider and the digital world enthusiasts that we are, we can certainly relate to having the sheer volume of passwords add up big time and being tough to keep track of all of them.

However, it seems that passwords actually might be becoming a thing of the past, and web security experts are venturing their opinions that there may be a more effective – and less demanding – way to ensure that accesses to certain spots aren’t available to just anyone online.

This is what we’re going to discuss in our entry for today – are character and numeric passwords soon to become obsolete, and is there something better and more user-friendly while still equally effective in the works? It seems that there is.

Who’s the ‘FIDO Alliance’?

Say the word Fido and most people will immediately think of a less-expensive cell phone provider, but when it comes to web security development FIDO is an acronym for Fast Identity Online, and the FIDO Alliance is an authentication standards group dedicated to replacing passwords with a different, faster, and more secure method for folks who want to log into online services reliably and safely without any fuss or the need to keep notes on sometimes hundreds of different entries.

What’s noteworthy in all of this is the fact that super-entity Apple has now gotten onboard with the FIDO Alliance and is adding their big-time resources to the quest to make no-password-required secure access a reality sometime in the not-too-distant future. They’re joining a group that already includes Amazon, Facebook, Google, Intel, Microsoft, RSA, Samsung, Qualcomm and VMware. Financial service firms are already in the mix too, like American Express, ING, Mastercard, PayPal, Visa and Wells Fargo.

Rise of the Cloud a Big Factor

In an increasingly cloud-based digital world, FIDO is a key authentication initiative, and one where companies have seen the promise in it quite quickly. If there is going to be a password-less world, what is going to take passwords’ place? Good question, and the FIDO Alliance has the answer for you. Since 2012, they’ve been pushing the idea of two-factor authentication for services and apps, because passwords and pass codes are always going to be insecure to at least some degree.

To highlight that fact, they rolled out this stat: 81% of all security breaches from hackers can be traced to stolen or poor passwords, a figure that’s agreed upon by a number of different industry interest groups (the exact number itself is courtesy of Verizon in the US, which needs to be said). Choosing to rely on a username or email address plus password – or not having any other choice – means you are rolling the dice: a password re-used from another breach, or malware that captures it, is enough for someone else to gain access by that same means.

WebAuthn at Its Best

Web Authentication API (better known as WebAuthn) has been taking root in this part of the digital world for some time now, and with great success. The WebAuthn specification is already supported – to different degrees – by Chrome, Firefox and Edge browsers and it’s safe to assume new ones coming in the future will be supporting it too. Those browsers also support cloud credential creation using a U2F Token, which can use Bluetooth, NFC or USB to provide two-factor authentication to online services and apps.

It was just two years ago that Apple added experimental support for the WebAuthn protocol on Safari. And at the end of 2019 they added native support for FIDO-compliant security keys. This meant that the security authentication was now able to function with much of the same wide-reaching device connectivity that made Bluetooth the smash hit it was when it arrived on the scene.

It means greater numbers of devices with features and functions can be used to provide authentication. As examples, mobile devices or laptops may use fingerprint readers or facial recognition technology to enable log-in. The key in making this work was determining and implementing a common language that could be leveraged for authentication. Fail to do so and proprietary drivers and software would be required.

FIDO, like Bluetooth, allows application developers and security leaders to enable strong authentication that can encompass a wide range of authentication methods, while making it available for devices with minimal code and no need for proprietary drivers of any sort.

It has the potential to mean that digital services from banks, ecommerce sites and others can actually recognize users through their devices, without having to rely on those users entering correct usernames and passwords.

How it Works

FIDO’s specification enables anyone using it to gain access to an app or online service with a private and public key pair. After the user has registered with an online service, the authenticator device (a server) creates a private/public key pair that is unique to that user. This private key is stored on the user’s device, while the public key is then attached to that device’s identity through whichever online service or app is being utilized.

Authentication occurs when the client server sends an electronic challenge to the user’s device. The client’s private keys will only be admissible after they are unlocked locally on the device by the user. That local unlock is made possible by a secure action such as a biometric reader (fingerprint scan or facial recognition being common and already-seen examples), entering a PIN, speaking into a microphone, or inserting a second-factor device.
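To make the registration and challenge-response flow described above concrete, here is an added example (not code from the post or from the FIDO Alliance) that models both sides of the exchange with the Go standard library. It assumes P-256 ECDSA keys, a 32-byte random challenge, a user-verification flag that stands in for the PIN or biometric unlock, and a constructed account name; all of those are this example’s own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the user's device: the private key never leaves it, and
// signing is gated on a local user-verification gesture (PIN, fingerprint, face).
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	unlocked bool
}

// registered is the service's side of the scheme: public keys only, per account.
var registered = map[string]*ecdsa.PublicKey{}

// Register mints a fresh P-256 key pair on the device and hands the service only the public half.
func Register(user string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	registered[user] = &priv.PublicKey
	return &Authenticator{priv: priv}, nil
}

// NewChallenge is the service issuing a random nonce; one per login, so a captured response cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Unlock stands in for the local verification step performed on the device.
func (a *Authenticator) Unlock(verified bool) { a.unlocked = verified }

// Sign answers the challenge, but refuses until the device is unlocked locally.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("authenticator locked: user verification required")
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, h[:])
}

// Verify is the service checking the response against the stored public key; an unknown user, a tampered challenge or a replayed signature all fail.
func Verify(user string, challenge, sig []byte) bool {
	pub, ok := registered[user]
	h := sha256.Sum256(challenge)
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}
```

A real WebAuthn assertion signs the challenge together with the relying-party origin and authenticator data, which is what makes the credential phishing-resistant; this sketch signs the challenge alone to keep the key-pair and local-unlock mechanics visible.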

FIDO and U2F

U2F is an open authentication standard that lets internet users securely access web-based resources instantly with one security key and no need for drivers or client software. FIDO2 is the latest generation of the U2F protocol.

As you might expect, the other mega-giant, Google, is involved as well. Last April they joined the Alliance, and many of you will know that Google has already added support for the two-factor authentication specification on Android 7 devices and up.

The industry consensus is that the FIDO authentication protocol is more than sufficiently secure and allows a lot of flexibility because of wide-ranging industry support. For Mac users, there is a smart card on the way from a company called Jamf that will allow users to sign into Mac devices from the cloud using elliptic-curve cryptography pairing keys in much the same way.

All of which promises to be good news for those of you who would never be able to commit all your passwords to memory, but aren’t particularly keen on sifting through them in a password app and then copy-pasting them into the field. In fact, we should look to this trend as one that really should take off in a big way over the course of the next couple of years.