FIDO, the new standard that will “kill” passwords (and that Apple, Google and Microsoft like)

by Michela Rovelli

The three tech giants renew their support for, and commitment to, the alliance that is trying to design a new standard capable of replacing passwords, which are ever more numerous and ever more risky

At least eight characters, with a special character, numbers and capital letters. Creating a good password, and you need a different one for each account, is almost a puzzle. The rules multiply. Above all, we have too many passwords: NordPass, one of the most widely used programs for managing them, calculates that each of us uses an average of one hundred. And in an increasingly digital world the number keeps growing. Then there is the problem of security: according to the antivirus company Avast, more than 90 percent of the passwords in circulation are vulnerable to attack. Inevitably, some wonder whether there is a way to do without them altogether. Starting with the man who invented the password. It was the early 1960s when Fernando José Corbató, a computer scientist at MIT, created the first computer system that used a password to control access to files. Years later, at 87, he admitted that his idea had become “kind of a nightmare”. A nightmare that, according to Bill Gates, will soon come to an end. In 2004 the Microsoft founder predicted that the extinction of passwords was near. The reason? “They don’t meet the challenge of keeping critical information safe.”

The alliance

And Bill Gates is not alone in thinking that the password’s days are numbered. There is an alliance, FIDO, which has been working since 2012 to change the “nature of authentication”. Among its members are the biggest tech giants, who together are trying to arrange the long-awaited funeral of the password. And it is Apple, Google and Microsoft in particular that are betting heavily on this new standard, which should bring greater online security and free us from the “bondage” of passwords. Security, yes, because the most widely used authentication system today does not allow us to truly protect our accounts. The World Economic Forum estimates that 80 percent of corporate data breaches are due to weak passwords, and that each company spends an average of one million dollars a year managing and controlling them.

How the FIDO system works

Here, then, the FIDO Alliance is working on an alternative, in collaboration with the World Wide Web Consortium (W3C). The system, also called a “passkey”, works like this: when you register with an online service, the device (say, your smartphone) creates a new pair of cryptographic keys. The private key is stored on the device itself, while the public key is registered with the app or website. When the user later wants to sign in, the device must “prove” to the service that it holds the private key, by signing a fresh challenge the service sends it. The private key is unlocked with a PIN, facial recognition, or whatever method we already use to unlock our phone, PC or tablet. A bit like a password manager, where there is only one secret to remember (here, the unlock method of the smartphone). Two consequences matter for security: the website only ever stores public keys, so a breach of its database yields nothing an attacker can log in with, and the credential is bound to the site’s domain, so it cannot be used on a look-alike phishing site.

The collaboration between Apple, Google and Microsoft

The goal is to make this protocol a reality “in the coming years”. Not easy, but the conditions are there. Above all, there is the cooperation of the three main operating-system vendors: Apple (iOS and macOS), Google (Android) and Microsoft (Windows). To be effective, the standard must indeed be cross-platform and compatible with whatever device we have in hand. Until now, however, the scheme required users to sign in to every website or app from each device before the passwordless feature could be used there (the device, after all, is what holds the private key). The novelty announced on Password Day is all here: letting users use their “passkeys” on new smartphones or PCs as well, without having to enrol again, whatever the operating system or browser they use. The white paper explains: “If the user has set up a number of FIDO credentials for different relying parties on their phone, and then gets a new phone, that user should be able to expect all of their FIDO credentials to be available on the new phone. This means that users no longer need passwords: when they move from one device to another, their FIDO credentials are already there, ready to be used for phishing-resistant authentication.” And this, it is stressed, is not a change to the standard, only a matter of cooperation between vendors.

Biometrics and two-factor authentication

To get past the problem of the multitude and weakness of passwords there are, to date, two routes. The first is two-factor authentication. Decidedly more secure, it requires entering a password and then confirming it with a second piece of information created for the occasion: a one-time password (OTP), sent to us by email or text message and valid for only a few minutes, or a notification on a device that has already been authenticated. Unlike a FIDO credential, though, a code that the user types into a web page can still be handed to a convincing fake of that page.

A possible alternative, already fairly widespread in some of its forms, is biometrics, the technology that turns a unique feature of the body into an authentication system. We already use it to unlock our smartphones with a fingerprint or face recognition. And there are other systems: voice recognition, which identifies the sound waves of our voice, accent and tone; iris recognition, by means of infrared light; and behavioural biometrics, which studies the user’s behavioural patterns. To date, biometrics still do not let us do away entirely with a backup code, in case the check fails, but there are those who bet that this will be the way out of the slavery of passwords. After all, in this case it is our own body that provides the material to secure our accounts. That is a strength but also a weakness: if our traits are cloned, how do we “change the password”, given that the password is part of us? Nor is there any shortage of doubts about privacy: besides the problem of theft of the biometric data, which amounts to the theft of a part of our identity, there is that of storage. We must make sure this information is kept on secure servers and is not used for secondary purposes such as surveillance. And if in some cases, such as the big tech companies, we can be fairly confident that our data is kept safe, we certainly cannot count on biometrics for every online authentication. But biometrics should be a great ally of the password-free system that the FIDO Alliance is building: there, the fingerprint or face is checked only on the device, to unlock the private key, and no biometric data is ever sent to the website.

May 7, 2022 (updated May 7, 2022, 11:47)
