Apple, Google and Microsoft want to kill passwords. Instead, they propose universal adoption of the FIDO system, or “Fast Identity Online”, which does not use passwords but physical “keys”.
With this system, instead of typing a long string of characters, the application or website you are logging into sends an authentication request to your phone. The phone must then be unlocked and authenticated with some kind of PIN or biometric before the login can proceed.
There are also devices, called FIDO keys, that connect via USB or by NFC, that is, by proximity (as when we tap the SUBE card on the turnstile reader). Experts have long recommended them as a second authentication factor for our accounts: have a password and a FIDO key for the services that support them, such as Windows, Google or social networks.
The FIDO Alliance, an NGO with more than 250 members among companies and governments, defines authentication standards based on physical devices. The alliance said Thursday that it is working with the three companies to begin offering passwordless technology for websites and applications.
Instead of relying on dodgy password logins, apps and websites could identify who you are with a fingerprint reader, a facial scanner or even your phone. In this way, the major operating system vendors want to “expand support for a common passwordless login standard created by the FIDO Alliance and World Wide Web Consortium”.
Some 2FA push systems work over the Internet, but this new FIDO scheme works over Bluetooth. As the white paper explains, “Bluetooth requires physical proximity, which means we now have a phishing-resistant way to tap into the phone of the user during authentication”.
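The W3C standard referred to above is WebAuthn, and part of what makes the scheme phishing-resistant is that the phone signs over the origin the browser actually saw, which the website then checks before accepting the login. The following added example (not code from the article, the FIDO Alliance or any vendor) shows that relying-party check on the clientDataJSON; the origin, challenge and sample response are constructed assumptions, and the signature check over authenticatorData and the hash of clientDataJSON that a real server must also perform is left out.

```python
import base64
import json
import secrets

# Constructed assumption: the origin the website expects to see in the response.
EXPECTED_ORIGIN = "https://example.com"


def b64url_encode(b: bytes) -> str:
    """base64url without padding, the encoding WebAuthn uses for challenges."""
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    """Inverse of b64url_encode; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def new_challenge() -> str:
    """Fresh random challenge the site sends to the phone for this login."""
    return b64url_encode(secrets.token_bytes(32))


def make_client_data(challenge: str, origin: str) -> bytes:
    """Constructed sample of the clientDataJSON a browser/authenticator produces."""
    doc = {"type": "webauthn.get", "challenge": challenge,
           "origin": origin, "crossOrigin": False}
    return json.dumps(doc).encode()


def verify_client_data(client_data_json: bytes, expected_challenge: str,
                       expected_origin: str) -> tuple[bool, str]:
    """Relying-party check of clientDataJSON. The browser, not the user, fills in
    the origin, so a lookalike site at another origin yields a mismatch here and
    the login is rejected. Returns (accepted, reason)."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    if data.get("origin") != expected_origin:
        return False, f"origin mismatch: {data.get('origin')!r}"
    return True, "ok"
```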
Many companies have been trying to do without passwords for years, but achieving it has not been easy. Google has a full timeline in its blog post from 2008 where it gives details.
The password problem
Passwords are a very old method of controlling access to services, not only online but throughout history. Their problem is tied to a maxim: the easier they are for the user, the less secure they are; and the higher the security, the lower the usability.
This means that a password that is too easy to remember will be insecure, while a password that has many characters, is long, and uses upper- and lower-case letters and symbols will be very secure. But who can remember such formulas?
The point is that passwords work fine if they are long, random, secret, and unique, but the human element of passwords is always a problem: we are not good at memorizing long, random strings of characters.
Users are often tempted to choose easy passwords so they can remember them, but that is an invitation to be hacked.
Therein lies the practicality of FIDO keys, on top of their security: whereas applications like Google Authenticator ask you to enter a 6-digit code that you have to go look up on your phone, the key offers a more direct way to log in.
Of course, always after having entered the password: if the FIDO key is stolen, the thief cannot do anything with it, since they would also need a password that only we know.
For this reason, the FIDO system appears as a viable alternative to passwords and their vulnerabilities.