Let’s hope the most recent World Password Day is the last one we need

Taylor Armerding, published in The Startup
7 min read, May 18, 2020

It has become a cliché because — as is the case with most clichés — it’s true. You don’t bring a knife to a gunfight. Not if you want to have any hope of winning.

Even if that knife is cutting-edge technology, so to speak. Even if it is perfectly balanced and you’ve been practicing throwing it for months. Because a guy with a gun can still take you out from 100 yards away or more — vastly out of reach of your knife.

In the online world, a password, no matter how unique, long and complex, is the equivalent of the knife against the digital assault weapons that hackers bring to the fight.

Which is why World Password Day (celebrated earlier this month), however well intended, needs to be retired. Passwords need to go the way of the rotary phone and the manual typewriter. They can be celebrated as historical icons, but they are long past obsolete.

This is not a revolutionary proposal. Smart, powerful tech gurus like former Microsoft chairman Bill Gates have been saying as much for coming on two decades. Gates forecast the demise of passwords at the 2004 RSA Conference, because “they just don’t meet the challenge for anything you really want to secure.”

That was multiple generations ago in information technology (IT). The skills, tools and aggressiveness of cyber attackers have increased by orders of magnitude since then. Which makes passwords — ineffective then — even less effective now. They offer less protection than a locked door with an arrow pointing to where the key is stuck under the doormat.

Even making them “strong” doesn’t help much. Brett McDowell, former executive director of the FIDO Alliance, has labeled the term “strong passwords” an oxymoron, no matter if the little bar changing from red to yellow to green makes you feel better when you are creating one.

If you need any confirmation of that, the annual Verizon Data Breach Investigations Report (DBIR) consistently finds that the large majority of all data breaches involve stolen passwords.

Yes, there are better options

Perhaps if there was nothing better to replace them, one could make the argument that passwords are better than nothing. But there are better things, alternative means of authentication that are more secure and just as convenient — in some cases more convenient. Simply pressing a finger or speaking into a device is quicker than tapping a password on the tiny keyboard of your smartphone.

The FIDO Alliance’s goal, since its founding in 2012, has been to replace passwords with “an open, scalable, interoperable set of mechanisms” — a standard — for secure authentication.

That falls under the umbrella of “multifactor authentication,” which has been mainstream for most of the past decade and usually requires “something you know” (username and password) plus “something you have” (smartphone or token) and/or “something you are” (a biometric like fingerprint, voice, face, iris).

But the FIDO mechanisms are designed to eliminate the “something you know” part for two reasons. First, as is constantly being demonstrated, people can be tricked into giving away something they know. Second, the username/password combination is a “shared secret” because it resides not only on the user’s device but also on a central server somewhere that, as we all know, can get hacked.

While nothing is 100% secure, compromising biometric and token authentication is much more difficult and in most cases can’t be done remotely — an attacker would have to get physical access to a device, since those “mechanisms” reside only on the device.

Yet passwords remain. They are still the primary means of authentication for just about everything people do online.

Which raises the obvious question: Why? It didn’t take long for LPs to disappear when CDs showed up, and CDs have all but vanished now that there are more convenient and cheaper ways to “consume” music.

Why not discard a method of authentication that makes you extra-vulnerable to all the nightmares of getting hacked — identity and financial theft for starters? Especially when there are better alternatives.

Indeed, Boris Cipot, senior security engineer at Synopsys, said he thinks even the word should be forbidden because it “misleads users into thinking that a passWORD can help them to be safe. A password, depending on the complexity, can be hacked in seconds.”

Even worse, while a lengthy, complex password with a combination of letters, numbers and symbols is a bit more difficult to crack, “you many times get to a webpage where symbols are not even allowed,” he said.

Not to mention that, in spite of constant exhortations to make passwords long and complex and never use the same one for multiple accounts, most people do the opposite. Among the most common passwords is (drum roll) “password.”

Force of a bad habit

A major reason why passwords persist, said Andrew Shikiar, FIDO’s executive director, is simply habit. “People get used to a way of doing things,” he said.

But he said major change is actually within sight — FIDO will be rolling out an educational campaign at the end of this month for both individual users and service providers that is meant to “drive adoption” of passwordless authentication. It will show them how to do it or provide it, starting with an “I-mark” (I, as in identity) that will appear much like the symbols for other standards like Bluetooth or WiFi.

“It will take some time,” he said, “but we’ve seen that people can adapt to things like PINs and TouchID.”

Besides habit, Shikiar said, other reasons that passwords have had what his predecessor, McDowell, frequently called “a long tail” are that it has taken time to build out the infrastructure for a new authentication standard and to get the major players on board.

Now, both are in place, he said, noting that the specifications of FIDO2, which launched in 2018, are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).

And the biggest names in tech — Google, Apple, Intel, Microsoft, PayPal, Facebook, Amazon, VMware, Samsung, Bank of America, Wells Fargo and dozens more, along with all the major web browsers and an increasing number of telecoms — are supporting the FIDO standard.

The key, he said, is to get away from the “shared secret” model, so that nothing confidential “lives” on a server. “Even TouchID is backed by a password,” he noted.

How does it work? With the use of cryptographic login credentials from a device that pair with a “public key” on a server. “That key is meant to be public,” Shikiar said, “so it has no value to a hacker.” To unlock a phone, log in to a website or do any other authentication, “the user activates the private key with a fingerprint or some other token.”

Unphishable

Not only does this eliminate the password, it also offers protection against phishing attacks.

“There is communication exchanged, but what’s really important is the key pair — it’s a unique URL string,” he said. “If I get a phishing email telling me to ‘click here to reset something’ and I do, I’d be prompted to activate my private key. And when I do that, it won’t match,” meaning the user won’t end up on a malicious website.

Finally, there is a privacy benefit. Because the cryptographic keys are unique for each internet site, they can’t be used to track users across sites.
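The three points above (a per-site key pair with only the public half on the server, the origin mismatch that defeats a phishing page, and keys that cannot be correlated across sites) in a stripped-down model of the WebAuthn flow. This is an added illustration written for this article, not FIDO Alliance code and not a real WebAuthn implementation; the `Authenticator`, `ClientData`, `Register`, `Assert` and `Verify` names are hypothetical, and the origins and challenge bytes are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Authenticator models the user's device: one key pair per site origin, never exported.
type Authenticator map[string]*ecdsa.PrivateKey
func hash(b []byte) []byte { s := sha256.Sum256(b); return s[:] }

// ClientData is what gets signed: the server's one-time challenge plus the origin the browser is really on.
type ClientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Register mints a fresh P-256 key pair for origin; the server stores only the public half.
func (a Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[origin] = priv
	return &priv.PublicKey, nil
}

// Assert is the login step: the browser signs challenge+origin with the credential for the origin it is on.
func (a Authenticator) Assert(origin string, challenge []byte) (clientData, sig []byte, err error) {
	priv, ok := a[origin]
	if !ok { // a look-alike phishing origin has no credential, so there is nothing to sign with
		return nil, nil, errors.New("no credential registered for " + origin)
	}
	clientData, _ = json.Marshal(ClientData{Challenge: challenge, Origin: origin})
	sig, err = ecdsa.SignASN1(rand.Reader, priv, hash(clientData))
	return clientData, sig, err
}

// Verify is the relying party's check: its own challenge, its own origin, valid signature.
func Verify(pub *ecdsa.PublicKey, origin string, challenge, clientData, sig []byte) bool {
	var cd ClientData
	if json.Unmarshal(clientData, &cd) != nil || cd.Origin != origin || string(cd.Challenge) != string(challenge) {
		return false
	}
	return ecdsa.VerifyASN1(pub, hash(clientData), sig)
}
```

A captured assertion is useless to an attacker twice over: it carries a challenge the server will never issue again, and it was signed under a key that exists only for the genuine origin.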

So is this really going to put thousands of cyber criminals on the unemployment line, given that phishing attacks have an astounding 40% success rate and, again according to Verizon, figure in nearly a third of all data breaches and 78% of cyber espionage attacks?

That sounds like another cliché: Too good to be true.

And indeed, good doesn’t mean perfect. Malwarebytes Labs noted in a blog post that any user who loses or is tricked into giving away a private key (which could be something physical like a card reader or USB key) “is in for a multitude of problems: each service she signed in with using this combo could be compromised.”

But Shikiar cites a Google case study that he said proves FIDO2 is “unphishable.”

And while he acknowledged a “potential backdoor” that could allow the takeover of an account that uses FIDO through “a falsified account recovery process of a ‘lost’ account,” he said FIDO “has started new work around identity verification and binding that will close that backdoor.”

Relatively speaking, however, those are low risks. For average users who simply want to take advantage of the promises of modern technology — online purchases, entertainment and communication — without having their identity stolen or their bank account looted, the coming authentication landscape promises to be vastly better than having their username and password for sale along with millions of others on the Dark Web.

As Cipot puts it, “It is possible to crack your fingerprint and open your phone, but you would still use it, as the chance of this happening is small.”

As in, lower risk and more convenience, since it should take even less time to unlock your phone or log in to a site than it does now.

Which we can only hope will allow us all to say, “R.I.P., World Password Day” sooner than later.

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.