It seems that in one year or so we could (or should I write “will”?) finally see the beginning of the demise of passwords. The FIDO Alliance is proposing an extension of their UAF protocol which should make it possible to access many online and company applications without a password. The trick is to use the user’s smartphone as the authenticating device with two significant requirements: the user should confirm her/his identity on the smartphone with a biometric authentication, and the smartphone should be directly connected to the device (PC) which is performing the authentication by eg. Bluetooth. More information can be found on the FIDO website (here) and other articles (eg. here and here).
Still I am worried about the security of smartphones: more and more information, functionalities and security features are based on them, but, for example, we haven’t yet solved the problem of patching the Android system which most smartphone use. And what about using just the smartphone (or tablet) and not a PC to access online / company applications?
Recently I frequently met discussions about passwordless authentication: is this myth finally becoming reality? It is at least 20 years that we have been discussing and announcing the demise of passwords.
Passwords can be substituted by biometrics, but also hardware tokens (eg. security keys), smartphones etc. together with authenticator apps, single-sign-on, identity federation and so on.
Is this enough to get rid of passwords?
Well, passwords are very cheap to manage and very scalable, well known, used and abused, possible to forget but not to break down or to be physically lost or stolen. And most systems will still use passwords / PIN codes as backup.
Already today access to most personal devices (smartphones, tablets, portables etc.) is passwordless, usually by biometrics, with password as backup. But this is very local to each personal device and it seems difficult to scale it up to all systems and applications.
So where do we really stand on the way to “passwordlessness”? How and when will we get there?
A couple of interesting news on authentication and passwords:
- Telepathwords is a (Microsoft Research) website which tests passwords you digit into it, to verify their strength by checking how likely the next character in the password is to appear in common words and password checking tools; at first sight the idea seems nice, but I wonder to the usefulness of writing your passwords in a public website: obviously any password tested in the website cannot be used, so this should be taken only as an exercise to learn how to create good passwords (moreover, I tested it with pseudo-random generated password and the results were not completely clear to me)
- “Nymi Is A Heartwave-Sensing Wristband That Wants To Replace All Your Passwords & Keys”: it is a wristband that measures your unique (but I have no idea how much “unique” that it is) heartwave and, via bluetooth, authenticates you to any (capable) device; it is the first time I hear of this kind of biometrics and I suspect that it shares with all other biometrics authentication approaches, good and bad points.