The increase in cyber-attacks using phishing techniques forces us to use increasingly complex passwords and to protect them with two-factor verification, which requires entering a temporary key sent to the cell phone or generated by it, to prevent private or banking data from falling into the hands of others.

However, in practice it doesn't quite work: password-only authentication is one of the biggest security issues on the web, and managing so many passwords is no easy task for consumers, which has led most people to take shortcuts such as reusing them between accounts, creating security issues all the time.

The danger is obvious: if a cybercriminal manages to seize the password for one site, and that password is reused, he will be able to access the rest of the profiles, multiplying the damage. But this is just the beginning. Since human beings tend to optimize their resources and want to manage them faster, most of us rely on things we can remember, such as a date of birth or the names of our pets. Although these choices make passwords easier for us to remember, they also make them much easier for a cybercriminal to discover.

However, after ten years of working on an alternative, the FIDO Alliance (Fast IDentity Online), an organization formed in July 2012 to address the lack of interoperability between strong authentication technologies and to remedy the problems users face when creating and remembering multiple usernames and passwords, proposes to change the form of authentication through standards: a simpler and stronger authentication that defines a set of open, scalable and interoperable mechanisms that reduce dependence on passwords. FIDO authentication is stronger, more private, and easier to use when authenticating to online services.

The FIDO passwordless standard relies on a device's biometric scanners, or on a master PIN chosen by the user, to authenticate the user locally, without any of that data traveling over the Internet to a web server for validation.

The user experience when accessing web pages and applications will be similar to unlocking the cell phone: looking at the screen or placing a finger on the phone will be enough to gain access to the bank's website, for example. This passwordless scheme is supported by a second trusted device that acts as a key to the rest, an intelligent and useful way to avoid phishing scams. In this sense, two-factor verification is being compromised more and more often, and doing away with it goes to the root of the problem, the first attack vectors.

The main concept is for operating systems to implement a FIDO credential manager, somewhat similar to a built-in password manager. Instead of storing passwords, this mechanism stores cryptographic keys that can be synchronized between devices and are protected by the device's biometric or passcode lock.
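To make the credential-manager idea concrete, here is an added example (not code from the FIDO Alliance or its white paper) of a simplified passwordless login in Go: the site keeps only a public key, the device signs the site's challenge together with the origin the browser reports, and the site verifies the signature instead of checking a password. The names Register, Assert and Verify and the RP ID bank.example are constructed for illustration; real deployments use the WebAuthn/CTAP message formats rather than this simplified payload.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Constructed, simplified model of a FIDO sign-in (not the full WebAuthn
// format): the site stores only the public key; the private key never leaves the device.
type Credential struct {
	priv ed25519.PrivateKey // protected by the device's biometric/PIN lock
	rpID string             // the site this key was registered for
}
// clientData is filled in by the browser, not by the web page, so a
// look-alike site cannot claim the real site's origin.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}
// Register creates a key pair; only the public half is sent to the site.
func Register(rpID string) (*Credential, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Credential{priv: priv, rpID: rpID}, pub
}
// signedPayload mirrors WebAuthn: hash of the RP ID, then hash of client data.
func signedPayload(rpID string, cd []byte) []byte {
	rp, c := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	return append(rp[:], c[:]...)
}
// Assert answers the site's challenge; a signature, not a secret, travels back.
func (c *Credential) Assert(challenge []byte, origin string) (cd, sig []byte) {
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	return cd, ed25519.Sign(c.priv, signedPayload(c.rpID, cd))
}
// Verify is the site's check: the origin and challenge must be the ones it
// issued, and the signature must cover its own RP ID.
func Verify(pub ed25519.PublicKey, rpID, origin string, challenge, cd, sig []byte) bool {
	var parsed clientData
	if json.Unmarshal(cd, &parsed) != nil || parsed.Origin != origin ||
		string(parsed.Challenge) != string(challenge) {
		return false
	}
	return ed25519.Verify(pub, signedPayload(rpID, cd), sig)
}
```

A sign-in relayed through a look-alike domain fails Verify because the signed client data carries that domain's origin rather than the bank's, which is the phishing resistance the article relies on.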

The FIDO organization published a white paper that presents FIDO's vision for solving the usability issues that have hampered passwordless features and apparently prevented them from achieving widespread adoption. FIDO members collaborated to produce the document; they include chipmakers such as Intel and Qualcomm, leading platform developers such as Amazon and Meta, financial institutions such as American Express and Bank of America, and the developers of the major operating systems: Google, Microsoft, and Apple.

FIDO's white paper also includes another component: a proposal that allows one of your available devices, such as your laptop, to act as a hardware token and provide physical authentication via Bluetooth. All of this would still be virtually phishing-proof, since Bluetooth is a proximity-based protocol, and it can be a useful tool for developing different versions of passwordless schemes that don't have to retain a backup password.

Despite being a possible solution, passwords won't disappear overnight, for several reasons. Most importantly, not everyone owns a smartphone, let alone multiple devices that can back each other up if one is lost or stolen. And it will take years before everyone around the world has access to the newer devices and operating system versions that support FIDO passwordless login. Meanwhile, tech companies will need to maintain both passwordless and password-based login schemes.

Michael Abad