Dan is a 20 year veteran of the ICT industry working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.
It’s hard to imagine a world without passwords.
But we moved one step closer on May 5th – World Password Day – when Apple, Google and Microsoft made a rare triple announcement. The tech giants have committed to building passwordless sign-in across all their platforms in the coming months. The move will affect billions of users across Android, iOS, Chrome, Safari, Windows and macOS. But what, exactly, will it mean for your business and your security?
The problem with passwords
Passwords were never an ideal security solution. Users hate them: when they’re allowed to, they make short, predictable passwords and repeat them across corporate logins, personal banking, social media and shopping accounts.
But stricter password requirements aren’t the answer either. Users forget complex passwords, or store them in insecure documents, and requirements that request a mix of cases and symbols don’t always make for better passwords. Two-factor authentication (such as a passcode being sent to a mobile device for the user to input) offers greater security, but more friction for the user – and is still prone to phishing scams.
The result? Cybersecurity suffers. Insecure passwords (the most common in Australia and New Zealand remains “123456”) lead to poor security, with two-thirds of companies saying employee behaviour is putting their company at risk. With brute-force password attacks on the rise and stolen credentials at the heart of most successful attacks, it’s clear something needs to change. Whether this announcement heralds the dawn of a new, passwordless age remains to be seen – but the omens are good.
How device-held passkeys could replace passwords
So what are Apple, Google and Microsoft thinking, and what does it mean for the rest of us? The three have committed to “expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium” that enables “consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms”.
Under the plan, usernames and passwords will be replaced by unique “passkeys”, based on the FIDO (Fast IDentity Online) authentication standard. These will be stored on users’ phones, and automatically uploaded to the site or app once the user unlocks their phone via a PIN, pattern, fingerprint or selfie. The advantages of this approach include:
Users won’t need to remember a range of passwords for different platforms
The use of a physical device means credentials should be harder to compromise remotely
Phishing attacks will become more difficult since the victim won’t have a password or username to share
If a user loses their device, they can sync their passkey to a new one via the cloud
The ability to work across platforms is key. “Users can sign-in on a Google Chrome browser that’s running on Microsoft Windows – using a passkey on an Apple device,” said Vasu Jakkal, Microsoft Vice President. This interoperability is based on the FIDO2 standard, which is operated by the FIDO Alliance. Work on FIDO2 began in 2016, and the standard is already used by many organisations, but it’s due to become far more prominent.
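To show why a device-held passkey resists the phishing described above, here is an added Go model of the FIDO2 sign-in flow; it is illustrative code written for this article, not code from the FIDO Alliance or any vendor. The rpID and challenge values are constructed, and the model keeps only the two properties that matter here: the private key never leaves the device, and every signature covers both the site identity and a one-time challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the device-held side of a passkey: a key pair created at
// registration and scoped to the relying party (rpID). The private key never
// leaves the device, so there is no reusable secret for a phishing page to harvest.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// Register creates a passkey for rpID; only the public key goes to the site.
func Register(rpID string) (*Authenticator, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{rpID: rpID, priv: priv}, &priv.PublicKey
}

// assertionDigest binds the signed message to both the origin and the one-time
// challenge, so a captured signature is useless on another site or another login.
func assertionDigest(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	d := sha256.Sum256(append(rpHash[:], challenge...))
	return d[:]
}

// Assert signs the challenge only for the rpID the key was created for;
// a look-alike domain has no matching credential on the device at all.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	if rpID != a.rpID {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, assertionDigest(rpID, challenge))
}

// Verify is the relying party's check against its own rpID and its own challenge.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, assertionDigest(rpID, challenge), sig)
}
```

A real relying party issues random challenge bytes per login and stores the public key against the user's account at registration; the model above reduces both to the checks that make a relayed or replayed assertion fail.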
Passwordless authentication should launch in the next year
Apple, Microsoft and Google expect the new sign-in to be available in the next year. According to Sampath Srinivas, Product Management Director at Google and FIDO Alliance President, “When passkey support becomes available across the industry in 2022 and 2023, we’ll finally have the internet platform for a truly passwordless future.”
There are still issues to iron out. Researchers claim to have found flaws in FIDO2’s Client-to-Authenticator Protocol (CTAP2), which binds the client (user) to the authenticator (mobile device). Because CTAP2 uses an unauthenticated Diffie-Hellman key exchange, it may still be vulnerable to man-in-the-middle attacks (in which an attacker impersonates the client), while the use of a single “pinToken” over multiple transactions could also open the process up to hackers. Adjustments such as the possible replacement of CTAP2 might slow down roll-out.
Preparing for a passwordless future
Passwordless authentication won’t make credential-based cyberattacks – or users’ log-in woes – disappear overnight. But it should make a significant attack vector much less appealing to hackers, as well as make logins less frustrating for billions of users. It has friends in high places too. Jen Easterly, Director of the US Cybersecurity and Infrastructure Security Agency, describes it as “an important milestone” that would “add flexibility for service providers and a better user experience for consumers”.
The effect on your organisation will partly depend on how deeply integrated with Apple, Google and Microsoft’s platforms you are. But with the new passwordless standard likely to bring security benefits as well as an ease-of-use that users may start to expect across the board, more and more businesses are likely to make the shift.
Any move away from passwords will be far smoother if you’re prepared. Key steps include:
Auditing current authentication processes
Assessing which internal systems and apps can support FIDO2
Considering the benefits, costs and risks of changing your authentication processes
Reviewing the best unlocking methods (PIN, pattern, fingerprint or selfie)
Considering working with external partners for implementation
Beta-testing new methods on a small group of employees
Stepping up awareness training to ensure staff understand the context around passwordless authentication, and any risks specific to your sector
FIDO2 may make passwords a thing of the past
Apple, Google and Microsoft’s announcement to phase out traditional passwords may not come with a firm deadline, but it’s a major step towards a passwordless future.
The question for many organisations will not be if but when, and considering your business’s systems and needs will help you move swiftly when the time comes. Hackers will pivot (it’s pretty much in their job description) but the new approach should at least put a spoke in cybercriminals’ wheels – and leave them playing catch-up for a change.