Beyond Passwords — Discussing Next-Gen Authentication
In May 2022, in an unprecedented show of solidarity between 3 well-known tech behemoths, Google, Apple, and Microsoft announced their joint support and adoption of the FIDO standards to expand password less sign-in capabilities. Shocking as it may have seemed, the move came as no surprise to any who had been paying attention to developments in the world of cyber security. The reality is that passwords have become a massive liability — primarily because most people’s passwords suck — and the internet would be much safer if we all just ditched them.
How to know who’s who and what they should have access to
The dawn of the dynamic web pushed the issue of identity to the forefront of web matters. A World Wide Web that served users content based on who they are needed a way of verifying each user’s identity. In a nutshell, authentication aims to determine who you are, and authorisation determines whether or not you should have access to some resource. The discussion here will focus mainly on the former. Authentication is dependent on three things: something that you know (a password or PIN), something that you have (a bank card or mobile device), or who you are (biometrics). While the first two are relatively easy to exploit, biometric authentication is much harder, with systems like Apple’s FaceID promising a “less than 1-in-a-million” chance of someone gaining access to your protected device. On the other hand, industries like the banking sector have been pairing two of these techniques for years, offering far greater security than any one technique alone. Many online platforms have advocated for multi-factor authentication which does offer greater security, even though hackers have taken to exploits like the so-called ‘SIM swap’ technique to intercept users’ verification codes. It seems, then, that biometrics may be the only way to make the web more secure. But, while this is easy for OEMs to implement on their devices, a lack of standardisation made it very difficult to extend these systems to work with online platforms.
What is wrong with passwords?
For many years, passwords served us well, offering a quick and easy way to authenticate ourselves online. But, as web services grew in scope to offer more functionality, so, too, did the need for better security increase. Forgetting your password meant losing access to your email or IM account, which was, at worst, a minor inconvenience. Today, the average person has about 100 online accounts, many of which are high-security services like banking and e-commerce platforms. Ideally, each of these should be protected by a unique, complex password accompanied by multi-factor authentication (MFA). In reality, most people reuse their
qwerty123 across multiple platforms, putting themselves and others around them at risk of exploitation.
The solution, to be clear, is not stronger passwords. Passwords, whether weak or complex, don’t only offer poor security, but they are also annoying, especially when forgotten, and hard to keep track of. The increasing number of online services we all use has undoubtedly exposed us to the nightmare of password management. Picking a password forces us to find a balance between having many unique, easy-to-remember passwords or reuse a few complex passwords across numerous platforms. Either one of these options is, to put it crudely, a black hat’s wet dream. Password managers help to alleviate the pain of keeping track of dozens of passwords, yet, because they are still password-protected, we remain one stolen password away from being owned completely. Beyond that, since many people still repeat their passwords across multiple platforms, having one of these passwords stolen can have a cascading effect on the rest of their accounts.
Passwords are like underwear: you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers.
Most people would be surprised by how easy it is to crack a password. According to a Hive Systems analysis, the most widely recommended password complexity (8 characters including at least 1 number, a lower and upper case letter, and a special character) can be cracked in under 40 minutes. Furthermore, because your passwords reside on a server, they are accessible to any skilled hacker. Admittedly, they are stored as hashes not plain text, but hackers have ways of dealing with that, like making a list of common passwords, hashing them all, and then comparing them to the hashes of passwords stolen from a server. This is what a skilled hacker might do, but there are easier ways of obtaining passwords.
Social engineering is a manipulation technique used to obtain private information or access to restricted resources. This technique takes advantage of arguably the weakest link in the cyber security chain — humans. It can be as easy as gathering enough information about a person to guess their password or establishing a relationship with the victim, building trust, and subsequently exploiting that trust. Phishing is another technique that involves masquerading as a trusted entity and having users voluntarily hand over their credentials. In most cases, hackers will either sell these credentials on platforms like the now-defunct weleakinfo.com or use them to entrap more people, particularly those closest to the victim.
It’s About More Than Just Trust
Cyber security may be one of the few areas where Big Tech’s and users’ interests perfectly align. The increased ubiquity of technology has spurred on the expansion of the ‘tech’ domain, from just entertainment and communication to more critical aspects of our lives. Whether it’s online banking and mobile payments, online shopping, or smart home systems that can be controlled from your phone, users can benefit from the increased convenience of having almost everything accessible through their internet-connected devices. But, with this comes an increased risk of exploitation — all it takes is for someone to gain access to your device for them to own your entire life. Since Apple introduced TouchID with the iPhone 5s, biometric authentication has become almost the norm on mobile devices. Yet, there remains a chasm between offerings from different OEMs, especially with facial recognition. Regardless, the key here is that to convince their customers to embrace their new services, tech companies must show that they are safe and secure. After all, anyone will tell you that hacks and data breaches are bad for business.
The issue goes beyond trust. Data breaches are particularly costly, especially for companies. According to a study by IBM, the average cost of a data breach on a company can be as high as USD4.35 million. Such costs can impact investor confidence and cripple even the most successful companies. Furthermore, the negative publicity that follows can change public perceptions of the company, which can be especially harmful to companies whose business models rely on customers’ trust. According to The Manifest 2019 Consumer Social Media Survey, 65% of surveyed social media users knew of the Cambridge Analytica scandal, 44% of whom viewed Facebook negatively. This number could be higher with the increased awareness of the amount of data collected by companies and how it can be misused. While Facebook may have weathered the storm that followed the scandal, other companies will have noted the reputational hit that the company took and how far they had to go to try and shed that negative baggage.
The FIDO Alliance
With their interests so perfectly aligned, it only makes sense that the biggest tech companies are taking steps towards finally doing away with passwords. This is where the FIDO Alliance comes in. Fast ID Online (FIDO) is a set of technology-agnostic security specifications for strong authentication. The FIDO Alliance is a non-profit that seeks to standardise these protocols. This will allow users to securely register with or log in to an online service via a secure, convenient and privacy-conscious multi-step process. The user will register with an online platform by generating a key pair with their device. The private key is stored on the device and the public key is registered with the online service, thereby creating an association between the user, the service, and the device. The locally stored private key is used for subsequent authentication, being accessible only once the user has performed on-device authentication via biometrics, a PIN, or some second-factor device. The protocols also protect user privacy by withholding from the service any information that can be used to track them across services. This means that the user’s biometrics or PIN never leave the device.
The FIDO Alliance has published three specifications that outline how this next-generation authentication technology would work. The FIDO Universal Second Factor (U2F) specification might be the most familiar one. It combines the use of existing password infrastructure with a second-factor authentication method. One advantage is that it allows for simpler passwords whilst maintaining a highly secure authentication flow. The second specification is the FIDO Universal Authentication Framework (UAF) which supports a passwordless experience. With this protocol, users can use their FIDO stack-enabled device to register with an online service using local authentication such as on-device biometrics. Finally, the FIDO2 specification combines the W3C Web Authentication specification and the FIDO Alliance’s Client-to-Authenticator flows. This allows users to utilise bound (on-device) or external authenticators (such as a wearable or hardware security key) to authenticate with online services.
The FIDO protocols’ success is heavily dependent on mass user adoption which, in turn, depends on developers and manufacturers supporting the specifications. The joint announcement from Apple, Google, and Microsoft was significant because, at least on this matter, these companies are willing to move away from closed-source, proprietary systems that place an unnecessary burden on developers to build platform-specific implementations. Using a universal standard will also ensure that all involved parties combine their vast wealth of knowledge and expertise to continue to improve the specifications, thus building a safer and more secure web for us all.
Today, we find ourselves in a position where, for convenience, we must entrust increasingly critical aspects of our lives to online services. As we have established before, for all the work that has gone into securing the web, the weakest link in the chain remains the users that are almost a risk unto themselves. Thus, the responsibility falls on the shoulders of the companies that would have us use their services to embrace secure systems that account for human fallibility. We can also play our part by embracing these developments, especially with regards to multi-factor authentication. Passwordless authentication may still be a long way from becoming the norm but, with the FIDO Alliance working together with Big Tech, the future might come around sooner than we all expect.