The world moved a step closer this week to killing off a much-maligned element of digital life, the password.
Windows Hello, the Windows 10 biometric authentication system, received FIDO2 certification, the global computer security standard. FIDO2 allows users to log on to websites and devices using a security key, rather than a password with its long, hard-to-remember string of numbers, letters and symbols.
Microsoft says gaining FIDO2 certification for the new version of Windows Hello for Windows 10, which launches later this month, will allow 800 million users to access Windows 10 without a password.
Instead, they will be able to access their devices using a fingerprint, facial-recognition or eye-tracking login. The move is part of a major push by the technology industry to find secure methods of replacing passwords, which are cumbersome and not especially safe.
As Microsoft program manager, Yogesh Mehta, says: “People don’t like passwords because we have to remember them. As a result, we often create passwords that are easy to guess, which makes them the first target for hackers trying to access your computer or network at work.”
Several key milestones in the move to replace passwords as a form of authentication have been passed. Fingerprint logins to smartphones, and their use as payment devices through tie-ups with credit card and bank apps, point the way forward for the whole industry. Using a smartphone to pay in shops shows that passwords and codes can be bypassed. The hunt is on to find ways of making all websites and devices accessible through alternative methods.
FIDO, which stands for Fast Identity Online, is a set of specifications for strong authentication. It has been developed by the FIDO Alliance, founded in 2013 by PayPal and Validity Sensors, and has since been joined by most of the top tech companies including Google and Microsoft as well as banks and credit card companies.
Its authentication is guided by three missions: ease of use, standardization and privacy/security.
The latest protocol is FIDO2, which paves the way for password-free logins. In February, Google announced that Android version 7.0 devices and higher would be FIDO2-certified, in effect turning those mobile devices into security keys.
Until now, security keys have been dongles and USB sticks. But with the Android announcement, smartphones can now act as keys to accessing websites and devices.
The part of FIDO2 that applies to websites is WebAuthn, a system developed by the World Wide Web Consortium, W3C, the main international standards body for the Web. Instead of users authenticating their identity with something they remember, they use something they own or a part of their body such as a fingerprint, face or eyes. For instance, someone might enter a username on a website they want to visit, then receive an alert on their mobile phone which they tap to log into the website.
WebAuthn requires Internet browsers to also support it, and the main browsers such as Chrome, Edge, Firefox and Safari have begun to do so. WebAuthn was unveiled last year and has already attracted sites including Dropbox, Microsoft and Google. While WebAuthn is similar to systems already used by Google and Facebook, a single standard that works across systems and platforms will allow many more services to move away from using passwords.
Despite the best efforts of the tech companies to make passwords redundant, it looks like they will be around for a good while longer. One problem with FIDO2 is what happens if someone loses their security key – be it mobile or fingerprint scanner – or it breaks. Lloyds Banking Group in Britain says it has no plans to introduce the Windows Hello security system after extensive testing.
There’s resistance from many organizations to changing the customer experience for logging in. People have become used to passwords and may use a password manager to handle them automatically. Introducing a new way of accessing sites and apps could disrupt business. The lack of a single alternative to passwords also makes many businesses wary of moving away from the tried and tested method.
If FIDO can create a single, powerful authentication method that wins general support, the password’s days could be numbered. But the long strings of digits and letters are likely to be the bane of our digital lives for some time to come.