Is The Age Of Passwords Coming To An End?

What the emergence and wide adoption of FIDO Authentication Technology means for the beleaguered authentication strategy.

StudioSec
7 min read · May 16, 2022


For a video breakdown of FIDO Authentication: https://youtu.be/SXX_PtGfI3A

Passwords have been used as a means of security since the earliest computers. The technique was not novel even then, but the first computer system to use passwords to prove the identity of a user appeared in 1961. Since then, passwords have undergone little evolution. Meanwhile, computers themselves have changed dramatically. To keep up, additional security measures, such as Multi-Factor Authentication (MFA), have been developed to augment passwords in order to provide security for IT systems.

Fundamentally, there are three types of authentication: Something you know, something you have, and something you are. Passwords are an example of something you know. While there are cases where users share passwords, like for Netflix accounts, the fundamental idea is that it is a personal secret; nobody else is supposed to know your password. It is something only you know.

MFA can be an example of authenticating based on something you have. For instance, when you attempt to authenticate into a system, you are then required to provide a code that is available on another device, such as an authentication app on your phone. Since you have your phone, you are able to view the code and authenticate into the system.

An example of authenticating based on something you are would be with biometric authentication, such as thumbprint or facial scans. Only you (should) have your face and/or fingerprint, so it’s a pretty reliable way to authenticate.

These three authentication types do have their weaknesses. For instance, if someone learns your password and you don’t change it in time, they have the ability to authenticate as you into a system. If someone steals your phone or is able to intercept your MFA token while you are authenticating, which is a huge problem when SMS is used to implement MFA, they could also authenticate as you. Biometric scanning requires the device to be able to scan and properly identify the user, which can be a technological hurdle; however, this capability has become more common even in consumer devices.

The most widely used form of these types is authenticating based on something you know, i.e. a password. Of course, this has its downsides.

A significant factor in the effectiveness of passwords is the user, and how capable they are of creating good passwords and remembering them. This has been a huge hurdle for users. While most sites require passwords to be at least eight characters, more secure passwords are longer, often more than 20 characters in length. They combine a mixture of upper and lower case letters, numbers, and special characters. All of that can amount to a long, confusing jumble of characters that the user has no hope of remembering for their next login.

The reason these passwords have to be so long is the advancements in technology and computing power allowing even low-grade threat actors to perform password attacks. One type of password attack that can break almost any password given enough time and computing power is a brute-force attack, where the attacker’s computer guesses every single combination of characters until it finds a match.

Another type of attack is a dictionary attack. However, that requires the user to be using a password that has been used before and that the attacker has either already broken and saved in a list themselves or found in a list online. This kind of attack can be defeated when users use unique passwords, which is where brute-force attacks come in.

When attackers have time on their hands and enough computing power to launch a brute-force attack with a substantial degree of speed, passwords are then only as good as their length. While complexity can be good assurance that your password remains unique, length is the only thing that can save you. This is why the best passwords are at least 20 characters in length. Even with the best computers on the consumer market, a 20-character password can take years to crack. No attacker cares about an account enough to wait years. Consider a routine password rotation, where the user changes their password to one that they haven’t used before in a 90 to 120-day cycle, and you can rest assured that most attackers will be unsuccessful in their attempts.

All of that said, this is a lot of work, and is almost completely dependent on the user to not only come up with these long and complex passwords, but to save them somewhere secure like a password manager. Only one in five Americans use password managers, which means four in five Americans are likely using substandard security practices with regard to their password security. When it comes to security at a macro level, this is a huge problem. Fortunately, we may have a solution to this issue that could solve our password troubles for good.

Enter FIDO Authentication. FIDO (Fast Identity Online) authentication moves away from relying on something users know and instead uses something they have. In this case, the user has a private key, as this technology uses public-key cryptography. To prove they have their private key when logging in, they will have to either know the PIN or password for their device or be the person they claim to be using biometric authentication.

https://fidoalliance.org/fido-authentication/

To set up, users will register their device, whether it’s their cell phone, tablet, or laptop. While registering, they will create public and private key pairs for each account they use with FIDO authentication enabled, with the public key being sent to the site and the private key being saved to the device. When the user logs into sites they registered for, they will be prompted to prove possession of the private key. In practical terms, instead of logging in using a password, the user would log in using a push notification on their registered device.
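The registration and login flow described above, as an added example that is not part of the original post or of any FIDO library: a simplified challenge-response in Node.js using Ed25519 signatures. The `Device` and `Site` classes, the `|`-joined message layout and the `example.test` origins are assumptions made for illustration; real WebAuthn messages are structured differently.

```javascript
const crypto = require("node:crypto");

// Device side: one key pair per site; private keys never leave this object.
class Device {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: "spki", format: "pem" }); // only this goes to the site
  }
  // Sign the site's challenge together with the origin the device is talking to.
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no credential was ever registered for this origin
    return crypto.sign(null, Buffer.from(`${origin}|${challenge}`), key);
  }
}

// Site side: stores public keys only and issues single-use random challenges.
class Site {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.users.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32).toString("hex");
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // single use: a captured response cannot be replayed
    const pem = this.users.get(user);
    if (!challenge || !pem || !signature) return false;
    return crypto.verify(null, Buffer.from(`${this.origin}|${challenge}`), pem, signature);
  }
}

function demo() {
  const device = new Device();
  const site = new Site("https://example.test"); // constructed origin
  site.enroll("alice", device.register(site.origin));
  const sig = device.sign(site.origin, site.newChallenge("alice"));
  const login = site.verify("alice", sig);  // valid signature over the fresh challenge
  const replay = site.verify("alice", sig); // challenge already consumed
  site.newChallenge("alice");
  const stale = site.verify("alice", sig);  // old signature against a new challenge
  const other = device.sign("https://other.test", "abc"); // unregistered origin
  return { login, replay, stale, signedForOtherOrigin: other !== null };
}
```

The site's database holds nothing an attacker can log in with, and a response captured in transit is useless once its challenge has been consumed.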

In early May, 2022, Apple, Microsoft, and Google made a joint announcement that they intend to implement FIDO authentication in their services. This would also be done in a way where it could be cross-platform, meaning users can log into their Google account on Edge from their iPhone. This covers a huge swath of the consumer tech landscape and will provide a reason for other companies to roll out FIDO for themselves.

The simplicity of FIDO in implementation will make it easier for the end user. They will no longer be required to create and remember long and complex passwords and to go back routinely and rotate them with new long and complex passwords. Instead, they will simply need to maintain control of their registered devices.

Of course, theoretically, there is the possibility of attackers taking advantage of users’ private keys being stored in an insecure manner and circumventing the security FIDO provides. However, this would require gaining access to the host system itself, be it the user’s cellphone or laptop, which is a much greater challenge than attempting to steal a user’s password.

While FIDO authentication presents a great opportunity to move on from passwords as the primary means by which users authenticate, it will likely take time to roll out and to get the majority of users to adopt it. While more technically savvy users will likely implement this for themselves early on, that demographic is likely the same group using password managers today. If, per the aforementioned statistic, four out of five Americans aren’t using a password manager in 2022, then it will likely take even more time to move them on to FIDO authentication.

This migration can be expedited through a massive blitz in education content, informing users of the perks of FIDO authentication and its ease of use, while also establishing a sunset date for passwords on certain sites, in effect forcing users to register their devices to use FIDO authentication if they wish to maintain access to their accounts. All of that said, these would likely be unpopular steps and thus, we are unlikely to see them.

Instead, there will be some time before we can say we have “officially” retired passwords. In some cases, specific sites and services will continue to lag behind in implementing FIDO authentication for themselves, leaving users to continue to create and remember long and complex passwords. Even with users’ primary accounts being locked behind FIDO authentication, retiring passwords throughout 100% of the internet is highly unlikely.

It will also be a matter of time for attackers to engage with the FIDO authentication process themselves and identify new ways to exploit users and gain access to accounts. By no means is FIDO a silver bullet in security, but it certainly can be a great improvement over passwords. As exciting as new technology and strategies are, don’t throw away your passwords yet.

If you’re reading this and you’re interested in leveling up your cybersecurity game with stronger passwords in 2022, check this video out.

Be sure to check out my YouTube channel where I cover cybersecurity topics, news, and Security+ material. Also follow me on Twitter @sec_studio, where you can tell me about how you passed the Security+!

StudioSec

Sharing what I’ve learned about Cybersecurity / Infosec on YouTube and Medium.