Take a moment to consider the number of online accounts that you have. It does not matter whether they are social media accounts, news sites, blogs or enterprise accounts; the answer is likely to be quite a lot, and that is fairly common for anybody. It is also safe to say that almost all of these accounts are password protected. So any user at any given time is dealing with a lot of passwords and the complications that come with them: when creating them, specific character combinations, minimum and maximum length restrictions, character properties like case sensitivity, special characters, complexity rules, periodic changes (every 90 days, etc.) and many more.
Passwords are complex to create and maintain, but they are the best line of defence when it comes to securing data access. Since they are easy to set up, they breed a sense of complacency about security. Set a password once and we are done, right? The truth is that passwords need to be maintained consistently, with good, strong characteristics. Passwords are also susceptible to a wide variety of attacks: brute force, phishing, credential stuffing and so on. Survey after survey shows depressing statistics about how passwords are used in practice. Consider the following.
According to an online survey conducted by Google:
- 52% of people reuse the same password for many (but not all) accounts
- Only a minor 13% use a different password for all accounts
- A whopping 35% reuse the same password for all their accounts
A detailed survey conducted by Digital Guardian showed that:
- Only about 31.3% of respondents changed their passwords one to two times
- Only about one-fifth (22.4%) changed their passwords more than five times per year
- Almost half of the respondents, 49.3%, said they reuse passwords
In a survey conducted by DataProt:
- 53% of people rely on their memory to manage passwords.
- 51% of people use the same passwords for both work and personal accounts.
- 57% of people who have already been scammed in phishing attacks still haven’t changed their passwords.
Passwords are mostly in a “data at rest” state. Data, a stored password included, that is at rest is not as exposed as data in transit over the network, but data at rest is usually more critical.
Passwords or passcodes are as old as computing itself. MIT’s Compatible Time-Sharing System, built way back in 1961, featured the first passcode. Computing has evolved from clunky, giant machines to nimble mobile devices; the password, unfortunately, has remained the same. And in the modern digital age, with plenty of devices, there is the added problem of maintaining and managing many accounts and passwords. So why hasn’t the world moved on from passwords?
Two Factor authentication
To a large extent, 2FA or two-factor authentication makes an account safer. By adding another level of security to a user’s account, risk is reduced. 2FA can be enabled in conjunction with passwords using:
- Something that a user knows — Password, PIN, Swipe gesture etc
- Something that a user has — Mobile device, compatible security key etc
- Something that a user is — Biometrics
2FA makes accounts more secure, but it is a poor experience from the user’s perspective. Authentication takes longer with 2FA, and in certain cases, such as the loss or corruption of the compatible device, it becomes even more problematic. Ultimately 2FA is an “extra” level of security on top of passwords, so the password problem is still there; it hasn’t gone away even with 2FA.
The problem is quite simply how to get rid of passwords and put in their place a system which is more secure: how to change a timeless way of logging in, i.e. using passwords. That is exactly what FIDO, or Fast Identity Online, seeks to achieve. FIDO authentication aims to replace password-only logins.
The FIDO Alliance was founded by industry leaders: PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, Agnitio and others. Other tech giants like Google, PayPal and Samsung also lent their support to the FIDO Alliance later on, increasing its credibility. At its heart, FIDO uses the robust, proven technique of PKI, or public key infrastructure. A public/private key pair is generated at the time of registration. The public key resides on the server and the private key never leaves the user’s device. Data which is encrypted with the public key can only be decrypted with the private key.
Passwordless and Multifactor: FIDO Version One
The first FIDO standards, launched back in 2014, had two major components: the Universal Authentication Framework (UAF) and the Universal 2nd Factor (U2F).
UAF is the backbone for multi-factor authentication. It lets the app or service present different mechanisms for logging in, such as fingerprint scan, face scan, voice recognition or PIN, at registration time. Instead of the usual id/password flow, users then follow the authentication method they chose while registering.
U2F, as the name suggests, covers the standards for physical security keys connected over USB, NFC or Bluetooth. These devices serve as the second factor for authentication, i.e. they form the basis of two-factor authentication. 2FA is a familiar authentication technique, and FIDO likewise has a second-factor authentication standard: U2F.
So, in other words, UAF + U2F offer higher levels of authentication and security than passwords, but without the hassles of passwords.
FIDO Version 2
FIDO2 was launched in 2018 as the updated and upgraded version of version one. FIDO2 introduced Web Authentication (WebAuthn) in conjunction with the World Wide Web Consortium (W3C). FIDO2 extends the power of UAF and U2F to third-party apps and services: FIDO-based authentication is made available on supported browsers and platforms by virtue of the Web Authentication component, its standards and its web application programming interfaces (APIs). At the time of writing, WebAuthn is supported in pretty much all the major browsers, like Chrome, Firefox, Edge and Safari.
The FIDO Alliance, or specifically WebAuthn, is a win-win for all, as there are tangible benefits to replacing passwords. WebAuthn offers a good user experience plus the security of a passwordless, PKI-based infrastructure. Service providers also don’t have to worry about the complexity of maintaining, developing and updating complex secure authentication solutions.
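The registration and challenge-response login that the PKI paragraph and the WebAuthn section above describe, as an added illustration that is not part of the original post or of any FIDO Alliance code: the server keeps only a public key, the device keeps the private key, and each login answers a fresh, server-issued challenge that is bound to the site’s origin. It uses Go’s standard-library Ed25519 (one of the signature algorithms WebAuthn allows); the `RelyingParty` and `Authenticator` names and the `origin|challenge` message layout are this example’s own simplification, not the wire format of the specification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// RelyingParty is the server side: it stores only public keys and the challenges it has issued.
type RelyingParty struct {
	origin  string
	creds   map[string]ed25519.PublicKey // credential id -> public key from registration
	pending map[string][]byte            // credential id -> challenge issued, not yet used
}
// Authenticator is the user's device; the private key is generated there and never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }
func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}
// Register makes a fresh key pair on the device; only the public half is sent to the server.
func Register(rp *RelyingParty, credID string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.creds[credID] = pub
	return &Authenticator{priv}, nil
}
// Challenge issues a fresh random nonce for one login attempt and remembers it server-side.
func (rp *RelyingParty) Challenge(credID string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.pending[credID] = ch
	return ch, nil
}
// Sign answers the challenge for the origin the browser reports (WebAuthn carries it in clientData), so a reply made on a look-alike site does not verify at the genuine one.
func (a *Authenticator) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, append([]byte(origin+"|"), challenge...))
}
// Verify checks the reply against the challenge the server itself issued, bound to its own origin, with the public key stored at registration; no shared secret is ever compared.
func (rp *RelyingParty) Verify(credID string, sig []byte) bool {
	pub, known := rp.creds[credID]
	ch, issued := rp.pending[credID]
	if !known || !issued {
		return false
	}
	delete(rp.pending, credID) // one challenge, one check: a replayed reply is refused
	return ed25519.Verify(pub, append([]byte(rp.origin+"|"), ch...), sig)
}
```

A real relying party additionally checks the signature counter and the RP ID hash in the authenticator data, and transports the challenge and origin in the base64url-encoded clientData structure rather than the simple prefix used here.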