You might have noticed that many of your favorite websites are now asking for an email address to authenticate you. They do this because it is inconvenient for you to remember multiple passwords but also because emails are much more reliable than passwords in terms of authentication. However, there are better alternatives that don’t rely on email. Find out here about the new password-free authentication methods currently being developed.
The whole idea of passwords is not just an inconvenience for most people but a significant security flaw. We need something more secure and more reliable than what we’ve got in the digital world.
It is unreliable, inconvenient, and hopelessly outdated: the digital identification system using passwords should have been replaced long ago. The big question, of course, is what would be a better solution – but the FID02 standard could be a promising candidate.
Using passwords was a terrible idea: and this was true right from the start of the process. This digital identification system was introduced at MIT in 1961 – and it didn’t take a year for the world’s first password database to be hacked and published on campus. The situation hasn’t improved much since then: password use had become a virtual global standard in the world of information technology, even though the system is even more vulnerable than it was when it was invented. This is not surprising: passwords are inherently unreliable, as they are essential ‘secrets’ that both ends of the communication chain need to know. This makes the generation, storage, and transmission of passwords potential targets for potential attackers. But passwords are not only a security problem; they are also a personal one: they need to be complex so that they cannot be guessed – but also simple to remember them. There is nothing to stop – beyond common sense – using a password in more than one place, so hacking one service can cause massive problems elsewhere. Problems that the password itself cannot draw attention to.
The system is not devilish, of course, and for what it was designed for – free access to a mainframe system through terminals in a tight community. However, when the system was extended to the whole Internet without modification, the inherent dangers were scaled up to a global security problem. According to IT firm Digital Shadows, there are now around 15 billion user accounts on the dark web forums, three times as many as in 2018. This staggering amount of data results from around 100,000 data leaks and hacks. Security expert Troy Hunt has compiled a searchable database of these at Haveibeenpwned.com, but of course, without the passwords. Anyone can check if they have had an email address associated with a hacked account.
For example, in November 2020, the hacker platform cit0day was hacked and the previously stolen data stored there – more than 13 billion accounts – was uploaded to the Internet in a single file. According to Marco Preuß, head of Kaspersky’s European research and analysis center, the large number alone does not mean that this latest data disaster will cause severe damage. But the numbers are a clear indication that passwords cannot be trusted. Passwords protect our entire digital lives, but they don’t offer adequate protection.
We know what the problem is, but what is the solution?
Passwords are not only a problem from a privacy perspective: the more we rely on this system, the more inconvenient and untraceable it becomes. To protect against automated attacks and avoid having your data compromised by hacking into one site, we use separate passwords for each service, and the particularly determined change them every few months without repeating them – very few people can keep track of them all without a password manager.
Unfortunately, however, these programs are not yet widespread, and those who are not so computer-savvy are most reluctant to use them. According to a poll conducted in February 2020, barely ten percent of German internet users have used a password manager. More than half of respondents wrote down their passwords on paper or kept them in their heads. Another survey conducted by Bitkom in January 2020 found that over a third of respondents used the same password for several services or websites.
Many services require complex passwords with numbers and special characters, and many business systems require monthly password changes, which, ironically, also leads to a deterioration in “password quality”. If someone has incredible difficulty remembering a long and complex password, they will use it elsewhere, confident in its security. Moreover, they have no desire to create and remember a similar password giant for every website.
Today’s real security is not these passwords, but two-step authentication – where Text messages, authenticator apps, security hardware, biometric barriers, or any other extra step is a second front of protection after successful password authentication. Many people are annoyed by Google’s ReCaptcha system (where you have to select images of taxies, traffic lights, or stairs from a gallery), which can fend off many automated attacks.
The password system seems to be irreplaceable; one might say eternal. Neither smart cards, biometric systems, blockchain identification, nor various security keys have replaced it, mainly because they all require special hardware, special knowledge, or a significant behavioral change, and they cannot reach the masses. Rolf Lindemann takes a radical view: “The whole username-password system is old and should be done away with.
Lindemann is developing systems for password-free identification for Nok Nok Labs in the US. As one of the founders of the FIDO (Fást IDentity Online) Alliance, he is trying to promote the new FIDO2 standard, which he says is more straightforward, more secure, and faster than password-based solutions.
Can the new standard be strong?
FID02 performs identification without exotic hardware, new services, or specific user behavior. The system is designed to securely identify the user without using passwords on the hardware they are already using. It is an open system adapted to users’ and services’ security needs and technical requirements. And just as importantly, it is supported by the major Internet companies. The FIDO Alliance is made up of 250 international tech companies and government organizations: the list of supporters includes Apple, Amazon, Facebook, Google and Microsoft, Chinese giant Alibaba, as well as the US and German standards organizations NIST and BSI.
Since its creation in 2013, the FIDO Association has developed three standards. The first was Universal Two-Factor Identification (U2F) for various hardware tokens and apps, launched in December 2014, and the second was the Universal Identification Framework (UAF), which used biometrics and PINs (the latter was FIDO 1.0). Three years ago, in March 2019, FID02 support was released for multiple browsers, providing a password-free approach to online logins.
We do not yet know the solution
A login using FID02 looks like this: the password is replaced by an encrypted process that connects the user to the other party (this could be a website or some online service). This link must be established manually once during registration. The user’s identity is linked to a device that remains under the user’s control with a high level of security in the future. This device can be a separate piece of hardware: a USB key, an NFC card, or a fingerprint reader – FID02 is quite open in terms of possibilities. Of course, FIDO2 could not become a mass-use solution with these, but the system is prepared for the future: security chips in smart devices, laptops, wearable computers (e.g., smartwatches) could also serve as an anchor.
This includes Apple’s Secure Enclave and Secure Element, which work in Android devices. The hardware that can be used for this purpose depends on the level of security involved. Accessing YouTube, for example, obviously has different requirements to accessing a sensitive corporate internal network or your online bank. On the FIDO Federation’s website, you can find a list of already approved devices with their security classification.
According to the logic of FID02, the phone or laptop (or desktop PC or even separate hardware) becomes both stages of two-factor identification. The first stage is that the person who physically has the device must manually initiate the login process; this rules out bots and remote access and hacking.
The second step is the digital, encrypted part: the identification is made directly on the device (for example, with a fingerprint reader or facial recognition) and does not leave it, so no data is moving between the two endpoints that can be stolen, intercepted, like typed passwords.
Identification is done in the background
In practice, this works quite conveniently: the user registers using a username and hardware of their choice (this creates an encrypted key pair: the public key remains with the web service provider, along with the hardware information used for identification, and the private key is well protected on the user’s machine.)
A user logs a website or service automatically, detects the authentication hardware, and requests a second authentication step, such as fingerprinting. If this is successful, the lightning-fast, real authentication in the background can occur: the server generates an encrypted “task” based on the public key, which can only be solved with the private key stored on the user’s hardware. If successful, the device, and with it the user, is logged into the system – even though, from their point of view, they only had to click the login button to be taken through an extra authentication step, which is still in place in many places today. Each hardware pair generates a new pair of codes for each operator; they are never repeated. Unlike a password system, no sensitive secrets travel between the user and the operator. This solution would also make phishing attacks impossible, as the “rogue” website does not have our public key and hardware information. And since our email address is not required for a FID02-style registration, the system uses even less private data.
All roads lead to the login
FID02 is safe, fast, and convenient. From the user’s point of view, these three arguments should be enough to make the switch. Of course, this system is not perfect. The obvious question is: what happens if the authentication hardware is left at home, lost, or even stolen? Unfortunately, there is no universal answer to this question, and it is likely to dictate the pace of adoption of the new standard. In any case, the switchover is technically complete for the time being, with providers rarely offering the option, even though it is already theoretically supported by a host of browsers and hardware.
According to Troy Hunt, despite all the advantages of FIDO2, it is not sure that it will replace passwords. Passwords have survived so far because the system is free and logical. Previous revolutionary solutions have usually failed on these two counts, either because they required extra investment or were incomprehensible without lengthy explanations (anyone who has tried to understand how blockchain works, or explain it to others, knows what it is about). In the long term, it’s clear that we need to replace the password system, says Hunt, but he says it will be many years before we can achieve this with some solution.
It’s also worth noting that the issue of passwords in browsers and apps is only a tiny part of the digital identity system. We are already interacting with more and more systems indirectly, and the digital future is likely to be mainly about automated interaction with automated services. Today, they still use passwords, but at such a speed and mass that the volume of human identifications is dwarfed. No wonder the FIDO Association is also taking a severe look at password security for the Internet of Things. Solving the password problems of human users is essentially only the first step in the process of experimentation that could lead to the complete automation of digital identification.
And we trust that the system will rapidly mature and become widely deployed to enhance security.