The FIDO (formerly Fast Identity Online) Alliance is out to kill the password.
It wouldn’t seem to be a tough sales job. There is little debate among security experts that passwords are a lousy, obsolete form of authentication.
The evidence is overwhelming. Most people, in spite of exhortations to use long, complicated passwords, to change them at least monthly and to avoid using the same one for multiple sites, don’t.
The latest Verizon Data Breach Incident Report (DBIR) found that 63 percent of all data breaches involved the use of stolen, weak or default passwords.
And even if passwords are complex, they keep getting stolen. Just in recent months, there has been a string of reports of catastrophic password breaches – 33 million from Twitter, 165 million from LinkedIn, 65 million from Tumblr, 360 million from MySpace, 127 million from Badoo and 171 million from VK.com.
Nick Bilogorskiy, senior director of threat operations at Cyphort, noted in a recent blog post that there are now more than a billion accounts with credentials sold online. He compared them to hundreds of millions of keys capable of unlocking bank safe-deposit boxes, littering the ground.
“All you need is to pick them up and find a match to open any box you would like,” he wrote. “In fact, it is worse, because for most people, this same key is used to open their office, car, and house.”
And, of course, with automation, it is possible to try keys in millions of “locks” in seconds.
Things are even worse in the health care industry, according to a recent study by researchers at Dartmouth College, the University of Pennsylvania and USC, which found that medical staff efforts to circumvent passwords were “endemic” – to avoid any delay in using a device or getting access to supplies, they routinely wrote passwords on sticky notes.
According to the report – part of its title is “You want my password or a dead patient?” – medical staffers are just trying to do their work in the face of often onerous and irrational computer security rules.
The solution to such a porous “security” standard is to get rid of it, according to FIDO. But the Alliance, which describes itself as a “cross-industry consortia,” has to do more than convince experts or even web content providers. It has to convince users – the ones who are familiar and comfortable with passwords and who can display irrational amounts of resistance to change.
“Websites that are trying to get eyeballs can’t really force their users to do anything,” said Gary McGraw, CTO of Cigital. “Twitter has two-factor authentication (2FA) now, but you don’t have to use it. You just should. The most you can do is ask nicely – otherwise it’s an economic conflict of interest.”
Vishal Gupta, CEO of Seclore, said that while he believes the masses will adopt a different form of authentication if it is faster and easier, he still thinks it can’t be forced, and that it will be “a long journey.”
“It’s very similar to chip-and-pin cards vs. magnetic strip cards, and a lot of enterprises will have to come together to make this happen,” he said.
Indeed, even Brett McDowell, the Alliance’s executive director, agrees that, “forcing web service providers to do anything is a non-starter.”
But he said FIDO, which now has nearly 250 member organizations, isn’t trying to force anything. The group’s goal is to make it irresistible – “to deliver a solution they (providers) will be eager to implement because it is in their self-interest to do so,” he said.
An authentication system that improves the user experience, he said “will sell itself to service providers.”
The user-experience pitch, on the FIDO website, certainly makes it look easy. There are two possible methods:
- UAF (User Authentication Standard) simply requires the user to make a transaction request and then show a biometric, like a fingerprint.
- U2F (Universal Second Factor) requires a login and password on the local device, and the user then inserts a USB dongle and presses a button on it to complete the transaction.
McDowell said the game-changing difference is that, unlike passwords, authentication credentials are, “always stored on – and never leave – the user’s device. An attacker would physically need the user’s device in hand even to attempt an attack. This doesn’t scale, and is therefore not viable for financially-motivated attackers.”
Not to mention that, if effective, it eliminates the threat from those in other countries – even those in the next town.
The problem with passwords, he said, is not the passwords themselves but that they are “shared secrets” held by both individual users and on the servers of online providers where they can be – and have been – hacked, by the hundreds of millions. And it gives the hacker, “passwords to use against other servers.”
McDowell contends that UAF and U2F are much faster and more convenient for users, since authenticating involves simply, “touching a sensor, looking at a camera, or wearing a wristband, etc. It is definitely faster than passwords, and much faster and more convenient than traditional forms of two-factor authentication like one-time passwords (OTPs).”
Of course, some experts note that there is an increasing risk of attackers figuring out ways to clone biometrics like fingerprints, voice or iris scans.
“I don’t want to supply a version of my iris to just anybody,” McGraw said. “I’ve already given my fingerprint to the U.S. government and they happily turned them over to the Chinese.”
McDowell acknowledges that biometrics can be spoofed – what he called a “presentation attack.” But he said the FIDO standard eliminates most of the risk for the same reason stated earlier – the biometric information never leaves the user device. “A biometric spoof attack against a FIDO credential can only be attempted if the attacker has physical possession of the user’s device,” he said. “It cannot be performed by social engineering, phishing, or malware.”
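To make concrete McDowell’s two points – that a FIDO credential is not a shared secret sitting on the provider’s server, and that a response cannot be obtained by phishing – here is an added, simplified model of the challenge-response flow (example code written for this article, not FIDO Alliance code or any certified implementation). The server keeps only a public key and the origin it was registered for; the device signs a fresh server challenge bound to the origin the browser observed, so a stolen credential table, a response captured on a look-alike site, or a replayed response is useless. The names (Register, Credential, Authenticator) and the example origins are assumptions for illustration; real FIDO adds a signature counter, attestation and a defined message format that this omits.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Credential is all the server stores: a public key and the origin it is for.
// A breach of this table yields nothing a thief could use to log in anywhere.
type Credential struct {
	Origin    string
	PublicKey ed25519.PublicKey
}

// Authenticator models the user's device; the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

// Register creates a key pair on the device and exports only the public half.
func Register(origin string) (*Authenticator, Credential) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}, Credential{Origin: origin, PublicKey: pub}
}

// NewChallenge is the per-login random nonce; a fresh one per attempt defeats replay.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand only fails if the OS entropy source is unusable
	return c
}

// signedData binds the challenge to the origin the browser observed, so a
// response produced on a look-alike phishing site fails at the real one.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	return append(h[:], challenge...)
}

// Sign is the device's answer; the origin comes from the client software.
func (a *Authenticator) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedData(origin, challenge))
}

// Verify is the server-side check, using nothing but the stored public key.
func (c Credential) Verify(challenge, sig []byte) bool {
	return ed25519.Verify(c.PublicKey, signedData(c.Origin, challenge), sig)
}
```

A genuine login verifies; the same device answering a look-alike origin, or a captured response presented against a later challenge, does not.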
Gupta agreed that this is likely to make attacks much more expensive, and will therefore improve security. “As long as new forms of authentication can make sure that the cost of performing a breach is higher than the value gained from the breach, we are safe,” he said.
Still, nobody thinks the password will disappear anytime soon. McDowell, bullish as he is on the FIDO standard, said he knows it will take significant time for it to become “standard.”
He noted that there are more than 200 FIDO Certified implementations on the market, which he said has, “surpassed all my expectations.” The Alliance also announced last month that, “Microsoft will be integrating FIDO into Windows 10 for passwordless authentication,” and that the Alliance is also, “working with the World Wide Web Consortium to standardize FIDO strong authentication across all web browsers and related web platform infrastructure.”
But McDowell acknowledged that, “there is definitely going to be a ‘long tail’ for password use. While we are well on our way to seeing most of the applications and devices commonly used every day offering their users FIDO-enabled authentication, passwords will continue to be part of these systems for years to come.”
McGraw, while he is a fan of 2FA, and his firm requires it of its employees, said the reality is that, “there is no such thing as perfection. It is always going to be an arms race.”