Key made out of binary code inserted in digital lock showing password authentication

FIDO Passwordless Authentication Coming for Apple, Google, Microsoft Services

Three of tech’s biggest names have come together to formally support the Fast ID Online (FIDO) protocol, which allows for passwordless authentication via a biometric scan or a device PIN.

Each of the companies already supports FIDO to some degree, but the renewed commitment promises the addition of automatic access to FIDO keys without having to re-enroll each new account and the ability to use mobile devices for sign-ins on all sorts of other types of devices and operating systems.

Big Tech focuses on passwordless authentication as cloud usage increases, password fatigue sets in

A joint press release from the three tech giants on World Password Day (May 5) announced the increased commitment to support the FIDO Alliance and World Wide Web Consortium standard. The companies cited “password fatigue” and the common re-use of passwords as one reason for its adoption of the standard; recent studies have found that the average person now has 70 to 100 accounts that should ideally all have unique passwords, but that password re-use remains very common in spite of years of warnings from the cybersecurity community.

The statement notes that multifactor authentication is one workable remedy to this situation, but that there is room for a more convenient and secure solution. While the tech companies seem to be in full support of passwordless authentication, the tech community remains divided on whether it is really “ready for primetime.”

The tech giants appear to be all in on FIDO passwordless authentication, at least, touting its ability to use unique device PINs as a means of logging into websites and apps. The most straightforward example would be the end user’s authentication for getting into their phone, such as a fingerprint or face scan, also functioning as their credentials to log into various accounts and websites.

The companies are building the passwordless authentication systems into their products and platforms, presumably as an extension of the existing “single sign-in” systems already offered as a form of login authentication throughout numerous third party websites. One of the sticking points for FIDO passwordless authentication is that end users must enroll individually with each site or service despite using the same authentication PIN for each, something that this sort of centralized system would render more convenient.

The other new proposal is to allow these systems to remotely authenticate logins on other devices from the user’s approved personal device. For example, once logged into their phone the end user could then use it to log into sites on a computer that they are physically near.

The companies are aiming to roll out these new passwordless authentication capabilities over the remainder of 2022. The proposal also received a statement of support from Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), as the US federal government directs its agencies to improve and modernize cybersecurity practices.

Big Tech all-in on passwordless authentication, but is it ready for real world deployment?

Passwordless authentication has been in the works for years now, but has failed to catch on for a number of reasons. One of the main issues has been a failure to make the system user-friendly. FIDO passwordless authentication promises to raise the success rate of logins to close to 100%, but current systems have struggled with failure rates up to 15%.

Another obvious question springs to mind: what happens if you lose or break your passwordless authentication device? While a biometric or PIN lock on a phone might keep a thief out of it, it would not help the end user now locked out of all their accounts with no apparent recovery method. And if the phone is stolen, a thief using an exploit to get around the screen lock could end up with easy access to all the victim’s logins. The only answer that the FIDO Alliance seems to have at present is to “register multiple devices” as backups in the event one is compromised. The fallback answer to all of this is backup codes, but then essentially you’re back to a password (just with extra steps).

Craig Lurey, CTO and Co-founder at Keeper Security, expanded on this issue: “There are still many security and user experience issues which have to be addressed for widespread passwordless technology to work for users. In a digital world, it is unacceptable to have a situation where a lost, stolen or damaged device results in a catastrophic loss of a person’s accounts and private data … We’ve found that consumers’ and business’ reliance on passwords is actually growing, and it’s happening faster, due to the move to remote work and cloud services. Additionally, FIDO does not address the need to encrypt the user data in a zero-knowledge and zero-trust environment. The slow adoption of multi-factor authentication (MFA) by businesses and consumers – despite MFA being a practical and highly effective way to protect end users from breaches due to credential theft – is a good indicator of the possible adoption timeframe for passwordless tech. First, vendors have to build the technology into their websites and applications, and then, end users have to be educated about the technology and come to trust and adopt it. Note that this includes users becoming accustomed to relying on their mobile devices. Between both organizational and consumer adoption, it may take many years until passwordless tech is widespread. Bottom line: We’ll still be using passwords for at least another decade. Single-factor, passwordless login has too many functional, logistical and security issues to become the norm overnight.”

While passwordless authentication schemes like FIDO may have their issues, most of the cybersecurity world also agrees that simply rattling on with the current system of password-based logins is not going to be a workable arrangement in today’s cyber threat landscape. Studies attribute some 80% of data breaches to a password compromise, usually either due to someone being phished, a weak password being guessed or a data breach exposing password reuse.

Roger Grimes, Data Driven Defense Evangelist for KnowBe4, takes a more positive view of passwordless authentication but acknowledges that this is far from a silver security bullet for end users: “This announcement is a good thing and will continue to support the move away from passwords to something better, although I do want to note that the first time (of many times) that I heard we would finally be getting to a passwordless society was in 1989. So, I am not holding my breath. I am very encouraged to see that FIDO, a phishing-resistant model of passwordless authentication will be used. Ninety to ninety-five percent of multifactor authentication is easily bypassed by regular phishing attacks, but FIDO is more resistant. So, I am glad to hear FIDO-based passwordless options are involved. Although any time I hear that the device the user has is going to be one of the factors, I only get so excited. The vast majority of successful cyber attacks involve the end user in such a way that the end user’s device (one of the authentication factors) is often completely compromised. The hacker or malware program is dwelling, undetected on their device, and can do anything the user does, including access MFA- and passwordless-based protected sites and services. Still, this is something to be applauded, although I always hope people pick a solution that involves two or more authentication factors. Many of the passwordless solutions, including the proposed FIDO solutions, are single-factor authentication. That is not enough and using the user’s device as one of the authentication factors is not very secure for the reasons mentioned above. The strong MFA or passwordless solutions are resistant to phishing attacks and require two solid authentication factors (such as an external device and a PIN or biometric attribute and a PIN). Single-factor passwordless solutions are only a moderate improvement over using passwords and if you are going to go to all the trouble of switching off passwords, you might as well go to something far more secure. Otherwise, why go through all the effort?”