As a vignette to illustrate the state of the digital identity world in 2022, I can’t do better than tell you that recently in San Diego (at a gathering of some of the brightest stars in the digital identity universe) I needed to change my flight. I opened my airline app and (presumably because I was logging in from a new location) had to go through an extra authentication step which consisted of telling them my favorite dog breed.
Now I’m sure that a few years ago when setting up this account I was asked to choose a few extra security questions that must have included a dog riddle, but of course I had forgotten all about that. The good news was that after a few guesses I settled on “spaniel” and went for it (don’t worry, I’ve changed it now so there’s no need to email me about this gross security breach). While I was doing this, one of my digital identity experts snapped a photo of his passport to email to someone so they could check in. It was all very 1994, except we were annoyed and confused by much smaller screens.
The state of internet security is pathetic. It’s no wonder fraud reaches such epic proportions when much of the internet still depends on passwords for security. Passwords just aren’t security, and “password security” isn’t a thing.
This isn’t news, and this has to be the ten millionth column to point it out, because it must have been obvious about a week after the world went online and smart people have been asking for the end of the password ever since.
To cite just one example, at the beginning of the millennium, Bill Gates said that smart cards should replace passwords, and then in 2004 at the RSA Security Conference he said that the password had to be phased out because it “wasn’t up to the challenge” of protecting us. It was true in 1994, it was true in 2004 and 2014, and it will still be true in 2024!
So we can all agree that passwords are a bad idea, but we are all forced to use them. I just had to reset the password for one of my hotel apps because the password stored in my handy password manager was somehow wrong and after three attempts to log in to book a hotel room I got locked out.
(As with many other services, they might as well just automatically send me straight to the “I forgot my password” page to save time when I try to log in.)
Interestingly, this prompted me to open one of my other hotel apps and use it to book a room. Strange that in this modern world my choice of hotel for a business trip was based more on the password I can remember than on loyalty points or tea and coffee making facilities.
Uppercase, lowercase, header
Passwords are well past their expiration date. Last year, according to password manager Nordpass, the top 5 passwords in the US were 123456, 123456789, 12345, qwerty, and password. It’s hardly surprising that there are so many hacks, scams, account takeovers, and all sorts of other shenanigans based on the outdated view that passwords are some kind of security solution. They are not, and we (i.e. the digital financial services industry) have known for years that they must die.
They should be replaced with true cryptography, preferably where the cryptographic keys are stored in tamper-resistant hardware rather than software. Many people already have suitable devices. Last year, smartphone and tablet penetration among US teens and adults exceeded half; it continues to rise and will be close to 90% this year. These devices are almost prosthetic. The average smartphone user taps the device 2,617 times a day. About half of US smartphone users say they “couldn’t live without their devices,” and a third of them check their phones more than 50 times a day.
So if most people are plugged into a device most of the time that can strongly authenticate using keys held in tamper-resistant hardware, why are we still using passwords?
Well, we might not be in this bind for much longer. I think the recent announcement from the FIDO Alliance and Microsoft
The three internet giants have announced that they will use new cross-device FIDO credentials, sometimes referred to as “passkeys,” to start ridding the world of passwords. They’re committed to supporting passwordless sign-in that works across all desktop, mobile, and browser platforms they control. That’s a big chunk of modern technology, covering everything from laptops and desktops to smartphones, tablets, and smartwatches. The announcement covers the most commonly used operating systems (Android, iOS, Windows and macOS) and the three most commonly used web browsers (Chrome, Edge and Safari).
A passkey is a credential tied to what’s called an “origin” (i.e., a website or application you’re trying to log into) and a physical device (an authenticator). Passkeys allow users to authenticate without having to enter a username, password, or additional authentication factor. These credentials conform to the FIDO and W3C Web Authentication (WebAuthn) standards. Websites and apps may require a user to create a passkey to access their account.
The authenticators are FIDO-compliant devices used to, as you can imagine, authenticate the user. This includes special-purpose devices (e.g. USB sticks) as well as mobile phones and other computers that meet the authentication requirements (essentially they must have secure, tamper-proof storage for cryptographic keys).
Last lost login
Apple got behind FIDO a few years ago. It calls its own implementation “Passkeys in iCloud Keychain,” which boils down to this: going forward, my iPhone will authenticate me whenever I log into my airline app or hotel website. It is similar to how Sign in with Apple works today, except that it works anywhere the FIDO standard is implemented.
Similarly, Microsoft announced some time ago that some of its customers might go passwordless, and it followed up last year by telling people to start getting rid of their passwords altogether. You can already use Windows Hello to sign in to any website that supports passkeys, but in the near future you’ll be able to use a passkey to sign in to your Microsoft account from an Apple or Google device.
Being able to sign in to Windows with an Apple Watch, Google with a Microsoft tablet, and Apple with an Android phone is certainly a game changer and a step toward ending the fragmentation of identity solutions that keeps the typical user dependent on password managers, notes and mnemonics.
Two decades later, Bill Gates’ call for smart cards to replace passwords is on the verge of being answered, even though smart cards will be in cell phones, laptops and tablets rather than wallets. As MIT Technology Review recently commented, these alternatives to passwords are finally winning. It’s not before time.