Ask any security consultant how you can keep your password secure and you get to hear these standard guidelines:
Use mix of upper & lower case, numbers & special characters
Don't use dictionary words, your name or calendar dates
Should not be less than 8 characters long
Change password often
Don't share, don't write & don't re-use!!!
If you have only few accounts, these guidelines may not be difficult to follow. But in this age most of us would have lots of different accounts some which we access often and some which we don't. Remembering different and complex passwords for all these accounts is a big challenge & sometimes it can be frustrating.
Forgot your password option is of course our best friend most of the time, but it becomes moody sometimes while you feel like waiting forever to get that password reset link.
Then we have another friend called Password Manager which comes to our rescue and remembers all our passwords, assuring us that they are being kept safely. But the moment you search Password Manager Vulnerability, you realise that this friend can turn into a foe any time.
So, what do we do? Train our brain to remember all different complex passwords? Well, most users just say good bye to the guidelines while dreaming if they could just say good bye to the passwords too.
Thanks to FIDO (Fast Identity Online) Alliance this dream is about to turn into reality.
What is FIDO Alliance?
As per their website, FIDO Alliance is a coalition formed in the 2012, with PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio as the founding companies to define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users. After its official launch in 2013, various companies like Google, Microsoft, MasterCard, BlackBerry etc. have announced their support & have become its members.
How can they remove reliance on passwords?
They have developed two sets of frameworks:
Passwordless Universal Authentication Framework (UAF Standard)
User inserts a device having UAF stack
Registers device selecting a local authentication mechanism such as swiping a finger, looking at the camera, speaking into the mic, entering a PIN, etc
User no longer needs password when authenticating from device next time
Universal Second Factor (U2F) protocol
The user logs in with a username and password
User than inserts the U2F device as a second factor to authenticate
Doesn't this mean we still have to remember complex passwords if U2F protocol is used?
No, we may have to use passwords but they need not be complex passwords. The passwords here can now be just a PIN. Rather than relying on what you know (strong passwords), the authentication now relies more on what you have (the device & biometric).
A working example of this protocol is the USB Security Key launched by Google to sign in into your Google account.
Many other companies too have launched products based on FIDO and some have announced their plans to become passwordless in future. Considering that most organizations already have a mature existing password management infrastructure, adoption of FIDO may take some time. But the future indeed looks bright and passwordless!!!