The state of internet security is pathetic. It’s no wonder that fraud is at epic levels when vast swathes of the internet depend on passwords for security. “Password security” is no such thing. This was evident about a week after the world went online and smart people have been predicting the end of the password ever since.
As a vignette to illustrate the state of the digital identity world in 2022, I can do no better than tell you that when I was in San Diego this summer (at a gathering of some of the brightest stars in the digital identity universe) I had the need to change my flight. I opened up my airline app and (presumably because I was logging in from a new location) was required to complete an additional authentication step, which was to tell them my favourite breed of dog.
Presumably, some years ago, when setting up this account I had been asked to choose a couple of additional security questions, but of course, I had forgotten all about this. After a couple of guesses, I went for “Spaniel” and I was in (don’t worry, I’ve changed it now so there’s no need to email me about this gross security violation).
I also had to reset the password for one of my hotel apps because the password stored in my handy password manager was somehow wrong and after three attempts to log in to try and book a hotel room, I got locked out. They may as well just automatically send me straight to the “I forgot my password” page to save time when I try to log in.
Way back at the dawn of the new millennium Bill Gates was saying that smart cards should replace passwords and then in 2004 he told the RSA Security Conference that the password must go because it cannot “meet the challenge” of keeping us secure.
Upper Case, Lower Case, Head Case
Passwords are well beyond their use-by date. Last year, the top five passwords used in the USA, according to password manager Nordpass, were “123456”, “123456789”, “12345”, “qwerty” and “password”. It’s hardly surprising that there are so many hacks, frauds, account takeovers and all sorts of other shenanigans that stem from the outdated view that passwords are some sort of security solution. They are not, and we (i.e. the digital financial services sector) have known for years that they must die.
Cryptography or cryptographic keys?
They should be replaced by real cryptography, preferably where the cryptographic keys are stored in tamper-resistant hardware rather than in software. A great many people already have suitable devices. These devices are near-prosthetic. The average smartphone user will tap the device 2,617 times a day. Around half of US smartphone users say they “couldn’t live without their devices” and a third of them look at their phones more than 50 times every day.
So if most people are, most of the time, attached to a device capable of strong authentication using keys held in tamper-resistant hardware… why are we still using passwords?
Well, we may not be in this bind for too much longer. The recent announcement from the FIDO Alliance and Microsoft, Apple and Google that they will support the expansion of the common passwordless standard created by the Alliance and the World Wide Web Consortium (W3C) is really significant and should have attracted more media attention.
The three internet giants have committed to supporting passwordless sign-in that will work across all the desktop, mobile, and browser platforms that they control. That’s a large portion of modern technology, covering everything from laptops and desktops to smartphones, tablets, and smartwatches. The announcement covers the most used operating systems (Android, iOS, Windows, and macOS) as well as the three most used web browsers (Chrome, Edge and Safari).
A passkey is a credential, tied to what is known as an “origin” (which means a website or an application that you want to log in to) and a physical device. Passkeys allow users to authenticate without having to enter a username or password, or provide any additional authentication factor. These credentials follow the FIDO and W3C Web Authentication (WebAuthn) standards. Similar to a password, websites and applications can request that a user create a passkey to access their account. Authenticators are FIDO-compliant devices that are used to, as you might imagine, authenticate the user. This includes special purpose devices (e.g. Yubikeys), as well as mobile phones and other computers which meet the authenticator requirements (they have to have secure tamper-resistant storage for cryptographic keys, essentially).
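To make the “tied to an origin” point concrete, here is an added example (not from the original article or from any FIDO library) of the binding checks a website performs on a WebAuthn sign-in response. The site names, the helper names `make_assertion` and `check_binding`, and the sample data are constructed for illustration; verifying the signature against the stored public key is a separate step not shown.

```python
import base64, hashlib, json, struct

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(origin, rp_id, challenge, flags=0x05, sign_count=7):
    """Constructed sample of what a browser and authenticator send back."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # authenticatorData = SHA-256(rpId) | flags (1 byte) | signCount (4 bytes)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + struct.pack(">BI", flags, sign_count))
    return client_data, auth_data

def check_binding(client_data, auth_data, expected_origin, rp_id, challenge):
    """Return the names of failed checks; an empty list means all passed."""
    errors = []
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        errors.append("type")
    if cd.get("challenge") != b64url(challenge):   # stops replay of old responses
        errors.append("challenge")
    if cd.get("origin") != expected_origin:        # browser-reported site
        errors.append("origin")
    if len(auth_data) < 37:
        return errors + ["authData too short"]
    rp_hash, flags, _count = struct.unpack(">32sBI", auth_data[:37])
    if rp_hash != hashlib.sha256(rp_id.encode()).digest():
        errors.append("rpIdHash")                  # credential scoped elsewhere
    if not flags & 0x01:                           # bit 0: user present
        errors.append("user not present")
    return errors

if __name__ == "__main__":
    site, rp = "https://airline.example", "airline.example"   # constructed names
    challenge = b"\x01" * 32
    genuine = make_assertion(site, rp, challenge)
    lookalike = make_assertion("https://airline-login.example",
                               "airline-login.example", challenge)
    print("genuine:  ", check_binding(*genuine, site, rp, challenge))
    print("lookalike:", check_binding(*lookalike, site, rp, challenge))
```

A response produced on a look-alike site carries that site's origin and relying-party hash, so the real site rejects it even if the user was fooled.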
The ability to log in to Windows using an Apple Watch, to Google using a Microsoft tablet and to Apple using an Android phone is surely a game changer and a step towards ending the fragmentation of identity solutions that leaves the typical user struggling with password managers, sticky notes and mnemonics.
Two decades on, Bill Gates’ call for smart cards to replace passwords is about to be answered, although the smart cards will be inside mobile phones and laptops and tablets rather than sitting in wallets. As the MIT Technology Review commented recently, these alternatives to passwords are finally winning. It’s not before time.
Read more from David Birch at dgwbirch.com