Will FIDO Make an End to Passwords?


Anybody who spends much time online these days, which is
nearly everybody, wastes a certain amount of time and endures more or less
annoyance in entering passwords.  An industry
alliance called FIDO (for Fast IDentity Online) promises to make passwords a
thing of the past.  But before that
happens, there are both technical and social obstacles in the way.
Founded in 2013 by PayPal and other companies wishing to
make it easier for people to log in to their sites, FIDO works by collapsing all
the different password-validation operations for the sites you use into one
device-specific process.  That would be a
great improvement over the way things are now, as I will illustrate with a
personal example.
Say I want to do the following:  check my bank balance, buy a component from a
supplier in a hurry, log in to my university email,  and change a file on my class website. 
Right now I’d have to perform these steps flawlessly: (a) log
on to my bank’s website and enter two separate passwords which have nothing to
do with my other passwords, and therefore are not that easy to remember (b)
hunt up the place on my computer where I hide all the dozens of vendor
passwords I’ve accumulated over the years by remembering the name of the file I
hid it in, and typing the password into the vendor’s website (c)  type in a long sequence of letters, some of
which are capitalized, that the university recently made us switch to from an
old shorter password, and hope I get it right, which I still do only about 80%
of the time; (b) and for the class website, I have to do a two-step
verification involving not only the previously mentioned new long password, and
also either asking the computer to call my office phone (which is fine if I’m
in the office) or letting me enter a six-digit number from a dongle they sold
me, which works fine until I accidentally press its button two or three times
without using the numbers, which I do from time to time because it’s on a
keychain in my pocket, and then it loses sync with the computer, in which case
I have to phone IT support and spend ten minutes or so waiting for them to hunt
up the one guy who is authorized to re-sync dongles, and I read out three
numbers in sequence to him, with thirty-second pauses in between.  Then I can go back, log in, and change
the file on my class website.
This is not to knock the university’s IT people.  They are understandably concerned about
security, and within their limited resources they have come up with the best
password protection they can figure out. 
And admittedly, if I would just break down and buy a smartphone I
wouldn’t have to fool with the dongle. 
But the dongle is one of the technical hurdles FIDO will have
to overcome in its march to eliminate passwords.  As I understand it from the FIDO Alliance
website, once FIDO achieves universal buy-in, all password requests would be
dealt with the same way.  If you have a
smartphone that does fingerprint verification, the same fingerprint will work for
every website.  If you do dongle
verification, or smart-card verification, or voice-recognition verification,
that same method will work for everything. 
The method used will depend on the device that the user has access
to. 
For old duffers like me who spend at least as much time
using a laptop to access the Internet as I do with a phone, this prospect is
not so encouraging, because it means to take advantage of FIDO, I’d have to be
using the same device all the time.  Or
at least it seems to mean that.  But the
global trend is toward using mobile phones for just about everything, and newer
computers tend to have the hardware and software needed for fingerprint ID or
similar biometric methods, so this issue will not be so serious going forward.
The social issue I mentioned is the simple fact that for FIDO
to work, the websites all have to be able to take the FIDO “public-key
cryptography” stuff that the user’s device sets up.  And all the user-device makers have to make
FIDO available on their devices. 
Fortunately, the upsides to most parties involved way outweigh the
downsides, which is why the people in charge of the Android operating system have
recently upgraded their buy-in so that it will work with mobile browsers,
according to a recent article on the Wired website.  So progress is being made in that area.
For people and organizations unable or unwilling to do FIDO,
there will still be the old-fashioned password, which brings back to my mind
scenes out of 1930s’ movies about Prohibition, where someone desirous of booze
would appear before a door with a peephole in it and murmur, “Joe sent
me.”  Perhaps back then the
formality of a password just added to the underworld glamour of obtaining
illegal hooch.  But these days, when
accessing multiple websites in a day is as routine as walking through multiple
doors in a day, passwords have become a digital albatross around our collective
necks that we would be more than happy to get rid of.
As is always the case with advances in widely used
technology, somebody will figure out a way to hack FIDO.  The obvious weakness to me is the fact that with
FIDO, all one’s security eggs will be in one basket, so to speak.  Right now, if somebody hacked my bank
password, for example, I might wake up broke tomorrow, but at least I could
still make a secure purchase from Etsy—if I had any money.  But if FIDO becomes universal and someone
manages to hack into your FIDO verification system, they can get into
everything your current passwords give you access to, all at once. 
I’m sure the FIDO wizards have thought of this possibility
and will try to deal with it somehow.  As
long as FIDO will work better than my hardware dongle, I’m all for it, but it looks
like it will be a while before it gains the degree of acceptance that would
make a real dent in our need for remembering, typing in accurately, and dealing
with the downsides of plain old-fashioned passwords. 


Sources:  I referred to a Wired article entitled
“Android Is Helping Kill Passwords On a Billion Devices” at https://www.wired.com/story/android-passwordless-login-fido2/,
the FIDO Alliance website at https://fidoalliance.org/,
and the Wikipedia article “FIDO Alliance.”



Source link