How will a passwordless world work?
FIDO Alliance is an open industry alliance that went public in 2013. The idea was to reduce the world’s overreliance on passwords. The FIDO Alliance has been working on a world without passwords for nearly 10 years, but it’s closer to reality now. Andrew Shikiar, Executive Director, FIDO Alliance, explains how a passwordless world will work.
It all starts with FIDO credentials – or cryptographic keys – which are stored on laptops, phones and other devices and can be used for secure authentication. When a FIDO credential automatically syncs from the device it was originally created on (usually a phone or computer) to another of the user’s devices, it is a “multi-device credential”.
This new feature builds on the previous capability of the “single-device credential”, which is a FIDO credential available only on a single device that cannot be saved and restored this way. “This latest advancement is important in the progression to more ubiquitous passwordless solutions because it allows users to transfer credentials between devices,” says Shikiar.
Simply put, it will be a lot like using a password manager that helps the user log in. However, the level of security is better than even traditional two-factor authentication, all without requiring additional steps or devices during authentication.
Just as password managers do with passwords, it will depend on the operating system platform to synchronize the cryptographic keys that belong to a FIDO ID from device to device.
Apple, Google and Microsoft – the world’s largest platform providers – have confirmed their commitment to supporting these passwordless login standards. “The path to eliminating passwords may be long, but this is an essential step in making it a reality in both the consumer and business space,” Shikiar believes.
With all major platforms united, Vishal Kamat, Director, IBM Security, IBM India Software Labs, believes there is a huge opportunity “for solution developers to embed security into the fabric of their solutions while providing a consistent customer experience across the entire application landscape”.
Sampath Srinivas, PM Director, Secure Authentication, Google and President, FIDO Alliance, detailed in a blog post how it will work on the phone. The phone will store a FIDO credential called a passkey, which is used to unlock your online account. “The passkey makes logging in much more secure, as it is based on public key cryptography and is only displayed in your online account when you unlock your phone,” Srinivas notes.
To log in on a computer, access to the phone will be required, and you will simply be prompted to unlock it. However, it will be a one-time thing, says Srinivas. “Even if you lose your phone, your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up where your old device left off,” Srinivas adds.
FIDO Alliance’s Shikiar says the three fundamental benefits of a passwordless world will be: logging in will become easier for the user, it will be phishing resistant, and it will provide a more robust system. It’s no surprise people forget passwords — it could be an Uber account you haven’t used in months, or an old email ID you want to access. The problem with old accounts is that you won’t remember the backup email ID or phone numbers. As long as they have a phone, a user will be able to log in because there is nothing to forget.
For service providers, this will require certain updates to their authentication and identity systems to enable FIDO functionality.
“Hundreds of technology companies and service providers around the world have collaborated in the FIDO Alliance and W3C over the past few years to create the passwordless login standards that are already supported by billions of devices and all modern web browsers,” says Shikiar.
“Passwords are quickly becoming obsolete and it’s really a matter of ‘when’ not ‘if’ we will have a world without passwords,” says Kamat. It’s no secret that weak or stolen passwords are by far the number one cause of cyberattacks today, and as a result passwords have become the weakest link in the cybersecurity defense chain.
Sundar Balasubramanian, Managing Director, India and SAARC, Check Point Software Technologies, believes that a passwordless scenario could become a reality as the standards for a passwordless environment become more established and the number of techniques for authenticating without a password increases.
“The use of distributed ledgers (i.e. blockchain) to store digital identity information, multi-attribute authentication decisions using AI technologies such as authentication based on risk and the adoption of Zero Trust frameworks to secure digital information are some of the trends we expect to mature over the next 2-3 years,” says Kamat.
What happens to user privacy and security in a passwordless world?
Shikiar believes cybersecurity health will be significantly improved without passwords. Passwords and two-factor authentication such as OTPs and in-app push notifications are inconvenient and insecure. “They can be phished, and they are being phished on a large scale today,” he adds.
Balasubramanian, on the other hand, believes that although passwordless authentication seems like a secure and simple method, it comes with its own set of problems. Funding and migration difficulties could be counted among the most pressing issues. He goes on to explain that “malware, man-in-browser and other attacks are feasible even with passwordless authentication. For example, cybercriminals can install a software patch to intercept one-time passcodes (OTP). They could even infect web browsers with Trojans to intercept shared data such as one-time passcodes or magic links. In addition, cybercriminals have proven that voice recordings and other biometric traits were also duplicated.”
Kamat also sees a passwordless world as an opportunity. “This is an opportunity to modernize our authentication systems by taking advantage of new technologies that will improve the consumer experience while securing our transactions,” he explains.
Having support in everyday devices is essential, says Shikiar, who believes passwordless authentication must approach the ubiquity of passwords and SMS OTPs. That’s why he thinks the engagement of Apple, Google and Microsoft is important. “Their engagement will also provide service providers with more diverse options for deploying modern, phishing-resistant authentication methods,” he adds.
“This is undeniably a huge step forward in terms of secure authentication for the ordinary user, who is unlikely to use the strongest passwords, but is statistically more likely to reuse them on sites and services,” says Balasubramanian.