Why passwords may be a thing of the past – Times of India

Smartphones are ubiquitous these days and so are apps and a lot of things that they bring along. For every app – except a few – you’ll need a password. In fact, there are just too many passwords in people’s lives. If passwords alone weren’t enough to anger you, then there’s this whole concept of having ‘tough’ passwords – some require upper case, some require a special character, some require a number. happens – and you really start to think about the whole password threat. Is a passwordless world possible? Apple, Google, Microsoft, IBM and many others certainly think so.


How would a passwordless world work?

The FIDO Alliance is an open industry alliance that went public in 2013. The idea was to reduce the world’s over-reliance on passwords. The FIDO Alliance has been working toward a passwordless world for almost 10 years, and it is now closer to reality. Andrew Shikiar, executive director of the FIDO Alliance, explains how a passwordless world would work.
It all starts with FIDO credentials — or cryptographic keys — that are stored on laptops, phones and other devices and can be used for secure authentication. When a FIDO credential is automatically synced from the device it was originally created on (usually a phone or computer) to another of the user’s devices, it is called a “multi-device credential”.
This new functionality builds on the previous “single-device credential” capability, which is a FIDO credential that is only available on a single device, and cannot be backed up and restored as such. “This latest advancement is significant in the progress to more ubiquitous passwordless solutions, as it enables users to transfer credentials between devices,” explains Shikiar.
In layman’s terms, it would be the same as using a password manager, which helps the user to sign in. However, the level of security is even better than traditional two-factor authentication, all without requiring any additional steps or devices during authentication.


Like password managers do with passwords, it will be up to the OS platform to sync cryptographic keys that correspond to FIDO credentials from device to device.
Apple, Google and Microsoft – the world’s largest platform providers – have reaffirmed their commitment to support these passwordless sign-in standards. “The road to eliminating passwords may be long, but it is an important step in making it a reality in both the consumer and enterprise sectors,” believes Shikiar.
Vishal Kamat, Director of IBM Security, IBM India Software Labs, believes that with all the major platforms joining hands, “it’s time for solution developers to bake security into the fabric of their solutions while driving a consistent consumer experience across the application landscape. The opportunity is huge.”
Sampath Srinivas, PM Director, Secure Authentication, Google and President, FIDO Alliance, further elaborated in a blog post how it would work on the phone. The phone will store a FIDO credential called a passkey which is used to unlock your online account. “The passkey makes signing in more secure, as it is based on public key cryptography and is shown in your online account only when you unlock your phone,” says Srinivas.
If you’re signing in on a computer, access to the phone will be required as you will simply be prompted to unlock it for access. However, this will be a one-time thing, explains Srinivas. “Even if you lose your phone, your passkeys will be securely synced to your new phone with a cloud backup, so you can pick up your old device from there,” says Srinivas.
Shikiar of the FIDO Alliance says the passwordless world will have three fundamental benefits – it will be easier for the user to sign in, it will be phishing-resistant and it will offer a more robust system. It’s no surprise that people forget passwords: it could be the password for Uber, which you haven’t booked for months, or for an old email ID you want to access. The trouble is, you won’t remember the backup email ID or phone number if they are old accounts. As long as users have the phone, they will be able to sign in, as there is nothing to forget.
For service providers, enabling FIDO capabilities will require some updates to their authentication and identification systems.
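What that change looks like on the service provider's side, as a simplified example added here (it is not code from the FIDO Alliance or any company quoted in this article): the server stores only a public key, and the device signs the server's one-time challenge together with the origin the browser is actually on, which is why a look-alike site gets nothing it can reuse. The function names and the `bank.example` origins are assumptions, and real WebAuthn messages use a binary format with extra fields.

```javascript
// Simplified model of a passkey sign-in (illustrative; not the WebAuthn wire format).
const crypto = require('node:crypto');

// Registration: the device creates a key pair; only the public key leaves it.
function createPasskey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Device side: sign the server's challenge together with the origin the
// browser reports. The user never types or chooses this value.
function signAssertion(privateKey, challenge, browserOrigin) {
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

// Server side: require the challenge it just issued, its own origin, and a
// signature that verifies under the public key stored at registration.
function verifyAssertion(publicKey, expected, assertion) {
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== expected.challenge) return 'challenge mismatch';
  if (data.origin !== expected.origin) return 'origin mismatch';
  const ok = crypto.verify('sha256', Buffer.from(assertion.clientData),
                           publicKey, assertion.signature);
  return ok ? 'ok' : 'bad signature';
}

// Constructed scenario: one genuine sign-in and three that must be refused.
function demo() {
  const { publicKey, privateKey } = createPasskey();
  const expected = { challenge: crypto.randomBytes(32).toString('hex'),
                     origin: 'https://bank.example' };
  const genuine = signAssertion(privateKey, expected.challenge, expected.origin);
  // Same user and device, but the page was served from a look-alike origin.
  const lookalike = signAssertion(privateKey, expected.challenge,
                                  'https://bank-login.example');
  // Someone without the registered private key signs with their own.
  const wrongKey = signAssertion(createPasskey().privateKey,
                                 expected.challenge, expected.origin);
  // A later login issues a new challenge; the old assertion is replayed.
  const later = { ...expected, challenge: crypto.randomBytes(32).toString('hex') };
  return {
    genuine: verifyAssertion(publicKey, expected, genuine),
    lookalike: verifyAssertion(publicKey, expected, lookalike),
    wrongKey: verifyAssertion(publicKey, expected, wrongKey),
    replayed: verifyAssertion(publicKey, later, genuine),
  };
}

console.log(demo());
```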


“Hundreds of technology companies and service providers around the world have collaborated within the FIDO Alliance and the W3C over the years to create passwordless sign-in standards that are already supported on billions of devices and across all modern web browsers,” Hunter says.
“Passwords are becoming increasingly obsolete and it’s really a matter of ‘when’ and not ‘if’ we will have a world without passwords. It’s no secret that passwords – weak or stolen – today are the number one cause of cyber attacks, and as a result, passwords have become the weakest link in the cyber security chain.”
Sundar Balasubramaniam, Managing Director, India and SAARC, Check Point Software Technologies, believes that the passwordless landscape could be a reality as standards for passwordless environments become more established, and the need for sophisticated authentication technologies without passwords grows.
“The use of distributed ledgers (i.e., blockchain) to store digital identity information, multi-attribute authentication decisions using AI technologies such as risk-based authentication, and adoption of a zero trust framework for securing digital information are some of the trends which we expect to mature in the next 2-3 years,” says Kamat.


What happens to user privacy and security in a passwordless world?

Hunter believes that without passwords cybersecurity health would improve dramatically. Passwords and second-factor authentication such as OTP and in-app push notifications are inconvenient and insecure. “They can be phished, and they are. There is massive phishing happening today,” he added.


Balasubramaniam, on the other hand, feels that although passwordless authentication appears to be a secure and simple method, it comes with its own issues. Money and migration difficulties can be counted as some of the most pressing issues. He further explains that “Malware, man-in-the-browser, and other attacks are also possible with passwordless authentication. For example, cybercriminals may install a software patch to intercept one-time passcodes (OTPs).” They can also infect web browsers with Trojans to intercept shared data such as one-time passcodes or magic links. have also been repeated.
Kamat also sees a passwordless world as an opportunity. “This is an opportunity to modernize our authentication systems by leveraging new technologies that will improve the consumer experience while making our transactions more secure,” he explains.
While it is important to have support in everyday devices, Shikiar believes that the passwordless world needs to approach the ubiquity of passwords and SMS OTPs. This is why he believes the commitment of Apple, Google and Microsoft is important. “Their commitment will also provide service providers with more diverse options for implementing modern, phishing-resistant authentication methods,” he says.
“This is undoubtedly a big step forward in terms of secure authentication for the common user, who is not likely to use the strongest passwords, but statistically more likely to reuse them across sites and services,” says Balasubramaniam.