How will a passwordless world work?
The FIDO Alliance is an open industry association that went public in 2013 with the aim of reducing the world's over-reliance on passwords. For almost 10 years the FIDO Alliance has been working towards a world without passwords, and that world is now close to reality. Andrew Shikiar, executive director of the FIDO Alliance, explains how a password-free world would work.
It all starts with a FIDO credential – a cryptographic key – that is stored on laptops, phones and other devices and can be used for secure authentication. When a FIDO credential automatically syncs from the device on which it was created (usually a phone or computer) to the user's other devices, it is called a "multi-device credential".
This new functionality builds on the earlier "single-device credential" capability: a FIDO credential that is available only on one device and thus cannot be backed up and restored. "This latest advancement is important in moving toward a more ubiquitous passwordless solution, as it enables users to transfer credentials between devices," explains Shikiar.
In layman's terms, it works like a password manager that helps the user sign in. However, the level of security is better than traditional two-factor authentication — and without the need for additional steps or devices during authentication.
Just as password managers do with passwords, it relies on the OS platform to sync the cryptographic keys that make up a FIDO credential from device to device.
Apple, Google and Microsoft – the world's largest platform providers – have reaffirmed their commitment to supporting these passwordless sign-in standards. "The road to password removal may be long, but it's an important step in making it a reality for both consumers and enterprises," Shikiar believes.
Alongside the leading platforms, Bishal Kamat, director of IBM Security at IBM India Software Labs, believes that "there is a huge opportunity for solution developers to build a consistent consumer experience across the application landscape as well as create protection in the fabric of their solutions."
Sampath Srinivas, PM Director, Secure Authentication, Google and President, FIDO Alliance, elaborated in a blog post on how this will work on the phone. The phone stores a FIDO credential called a passkey, which is used to unlock your online account. "Passkeys make signing in far safer, as they are based on public key cryptography and are only shown to your online account when you unlock your phone," notes Srinivas.
If you are signing in on a computer, you will need access to your phone, because you will be asked to unlock it to approve the sign-in. However, this is a one-time thing, Srinivas explained. "Even if you lose your phone, your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up where your old device left off," Srinivas added.
Shikiar of the FIDO Alliance says that a passwordless world brings three basic benefits: sign-in will be easier for the user, it will be phishing-resistant, and it will offer a stronger system overall. It is no wonder people forget passwords, whether for an Uber account they haven't used in months or an old email ID they want to access. The problem is that with old accounts you often no longer remember the backup email IDs or phone numbers either. As long as you have a phone, a user will be able to sign in, because there is nothing to forget.
For service providers, enabling FIDO capabilities will require some updates to their authentication and identification systems.
"Over the past few years, hundreds of technology companies and service providers around the world have collaborated to create a passwordless sign-in standard between the FIDO Alliance and W3C, which is already supported on billions of devices and all modern web browsers," said Shikiar.
"Passwords are rapidly becoming obsolete, and it's not really a matter of 'if' but 'when' we will have a world without passwords," Kamat said. It's no secret that passwords – weak or stolen – are by far the number one cause of cyber attacks, and as a result passwords have become the weakest link in the cyber security chain of defense.
Sundar Balasubramanian, Managing Director, India and SAARC, Check Point Software Technologies, believes that as the value of password-free environments becomes more established, the password-free vision can become a reality, and the number of sophisticated password-free authentication techniques is already increasing.
"The use of distributed ledgers (e.g., blockchain) to store digital identity information, the move to multi-attribute authentication using AI techniques such as risk-based authentication, and the adoption of the Zero Trust framework to secure digital information are some of the trends we expect to mature in the next 2-3 years," said Kamat.
What will happen to user privacy and security in a world without passwords?
Shikiar believes that without passwords, the health of cyber security will improve dramatically. Passwords and second-factor authentication such as OTPs and in-app push notifications are both inconvenient and insecure. "They can be phished, and they are being phished at scale today," he added.
On the other hand, Balasubramanian thinks that although passwordless authentication seems to be a safe and easy method, it comes with its own problems, the most important being the difficulties related to cost and migration. He explained that "malware, man-in-the-browser and other attacks are possible even with passwordless authentication. For example, cyber criminals can install software that intercepts a one-time passcode (OTP) shared as a one-time passcode or magic link. They can also infect web browsers with Trojans to intercept data." Further, cybercriminals have shown that voice recordings and other biometric features can also be forged.
Kamat also sees a world without passwords as an opportunity. “This is an opportunity to modernize our authentication systems using new technologies that will make our transactions more secure as well as enhance the consumer experience,” he explained.
Support on everyday devices is important, believes Shikiar: in a world without passwords, the replacement needs to match the ubiquity of passwords and SMS OTP. That is why the commitment of Apple, Google and Microsoft matters, he said. "Their commitment will provide service providers with more diversified options for establishing modern, phishing-resistant authentication systems," he added.
“This is undoubtedly a huge step towards secure authentication for the average user, who cannot use strong passwords but is statistically more likely to reuse them on sites and services,” says Balasubramanian.