Eliminating Passwords: One Way Forward

The average Internet user has 100 passwords, according to research by NordPass. Remembering that many passwords is impossible, so people must implement a system for keeping track of them. For years, cybersecurity professionals have tried to convince people to record their passwords in secure containers, such as KeePass, NordPass, Keeper, and DashLane. But while managing passwords helps, it doesn't eliminate password issues.

Reuse is another password problem: As many as 65% of people reuse passwords across sites, according to a 2019 Google/Harris Poll. This practice increases the risks to all accounts that use the same credentials. After breaching a website, a threat actor may sell stolen account names and passwords on an underground forum for as little as $10 USD. A buyer could then use social engineering to find other sites the victim uses, test if the same credentials were used on those sites, and exploit access for financial gain. Threat actors sometimes use credential-stuffing attacks to automatically test a long list of stolen usernames and passwords, trying to find one that's successful. The victim might not know their credentials were compromised until it's too late.

In short, passwords provide poor security. Replacing them with a different access method could eliminate the problems associated with remembering, storing, reusing, and guessing passwords. Security keys, biometrics, and FIDO (Fast Identity Online) technology are some of the increasingly popular ways to provide secure access without passwords.

The Benefits of FIDO
The open source FIDO technology leverages multifactor authentication (MFA) and public key infrastructure (PKI) encryption. It is a set of platform-agnostic security specifications for strong authentication. Unlike password databases, FIDO stores personally identifying information (PII), such as biometric authentication data, locally on the user's device to protect it. No information is sent to a website. Many vendors — including Yubico, Google, Microsoft, PayPal, and Nok Labs — are developing FIDO technology.

Because FIDO works only with legitimate websites, it can stop phishing attacks in which threat actors leverage a fraudulent email and bogus website to lure users into providing credentials. FIDO also eases organizations' concerns about data breaches, particularly compromises of sensitive customer details, health information, financial data, or intellectual property.

FIDO combines something you have (a hardware device) and something you are (biometrics) — eliminating something you have to remember (a password) — to authenticate user identity.

FIDO standardizes the use of hardware devices, such as security keys, for authentication. Security keys are physical objects that get plugged into a USB or Lightning port. A single digital security key can provide secure authentication to resources such as websites, applications, and databases. The keys can also leverage biometric authentication applications, such as Apple's Face ID or Windows Hello. For example, a user could type their username into a website login page on their computer, plug in their security key, tap a button, and then use the computer's biometric authentication technology to verify their identity.

Security keys are typically about $20, with more sophisticated versions $40 or more. Advanced models include built-in fingerprint readers. Most services allow users to register multiple security keys; having more than one key can be useful if a key is lost or damaged.

A mobile phone (iPhone, Android, or Windows) can also be assigned as a security key: After typing their username into a website login page on their computer, a user could receive a prompt on their phone and then use the phone's biometric authentication system to verify their identity. The mobile phone communicates authentication protocols over Bluetooth, so it must be within Bluetooth range of the computer. Microsoft offers FIDO-based authentication for products such as Outlook, Office, Skype, and Xbox Live.

Why FIDO Works
FIDO uses the PKI encryption that has protected credit card numbers for decades. A big advantage of this approach is that a FIDO security device doesn't work with fraudulent websites, even if they appear legitimate to users. Rather than the user verifying a website, the website must prove itself to the encrypted key.

It is almost impossible to remember strong, unique passwords for hundreds, or even just dozens, of accounts. Mechanisms to reset forgotten passwords are expensive and can be exploited by credential-stealing threat actors. FIDO-powered authentication can improve fundamentally weak security and eliminate many of the risks associated with poor password security, including reducing the number of successful phishing attacks and decreasing exfiltration of sensitive data from organizations' networks.