The password is dead, and Apple, Google and Microsoft are responsible
In this guest piece from IT support and managed services providers ramsac, the Surrey-based firm looks at the death of the password.
Passwords are dead. They’re hard to remember, and once they’re compromised, it’s best not to use that password and email combination ever again. Plus, the level of complexity that passwords require to be secure just adds to the problem of remembering them. And to top it all off, business users probably have multiple passwords they need to remember, as well as all their personal accounts. Essentially, passwords are dead, and for good.
But who killed them, and how do we replace them?
A Brief History of the Password
Created in 1961 by the team at MIT (Massachusetts Institute of Technology) with Bell Labs and Unix, passwords enabled different users to all log into one computer, something that was revolutionary.
Then in the late 70s and early 80s, early data encryption began, and finally in the late 80s, the first major computer hack happened, called the Morris Worm.
In the 90s and heading into the new millennium, we saw the rise of more sophisticated measures, such as the AES (Advanced Encryption Standard), which in part still stands today and whose core foundations underpin modern authentication and encryption. This secured passwords even further and also gave users better protection.
And more recently, in the 2010s, multi-factor authentication took over, with users able to get second-step security through apps like Google Authenticator, or via text message.
Death of the Password
Like many murder mystery games over the years, identifying what killed passwords is tricky.
Was it major tech companies making biometrics as standard on all modern mobile phones?
Perhaps it was the easy digital experience that passwordless sign-on brings.
Or could it have been the increasing difficulty of remembering countless passwords for the growing number of digital accounts we all have?
Did multi-factor authentication and that revolution play a huge part?
Biometrics as Standard: The FIDO Alliance
On May 5th, Apple, Google and Microsoft announced that they were expanding support for a ‘common passwordless sign-in standard’ created by the FIDO Alliance and the World Wide Web Consortium.
To summarise the release, this will ensure that extended passwordless sign-on capabilities on websites and apps are rolled out as standard, regardless of the device type and operating system in use. It will also enable users to use their mobile phones to log in to desktop sites more securely.
Coming from three huge businesses that are market leaders in the technology industry, this announcement does not merely speculate about the death of the password but essentially cements it. As we all use products from Apple, Google or Microsoft in our daily lives, whether phones, laptops, smart devices or others, any company not adopting FIDO or a similar experience will seem archaic.
The FIDO sign-on credentials, referred to as a passkey, are a set of login tools such as fingerprint or Face ID. This common standard being adopted by major technology companies streamlines the process for users, allowing for greater device sharing while increasing security.
Not only is this method more secure, but it also provides a better user experience. Consider how simple it is to use your fingerprint to log into your phone versus the complexity of logging into your work email address with a password and then a multi-factor authentication step. Imagine how much more secure your work devices would be with a single sign-on passkey that is completely unique to you.
The Authentication Revolution
Multi-factor authentication has revolutionised modern security. You still have to rely on a password in the first step, but often need an app, phone or email address for the second. This provides an additional layer of protection, which creates a secure environment and means that hackers have to overcome two very different layers of security.
However, a greater step forward has been in the use of biometrics, such as face ID and fingerprint ID. These are a more seamless user experience for any type of user, and are completely individual to a person, making them nigh on impossible to replicate.
While biometrics have been around for a while, their use on business devices hasn’t been hugely popular. Some laptops have had fingerprint scanners, but the widespread use isn’t there. However, with FIDO’s new approach to passwordless sign-on, there will be some inevitable concerns that biometrics could be hacked and compromised, providing access to a person’s entire life.
FIDO proposes to overcome this with cryptographic keys rather than by transmitting biometric data: each device or system holds its own unique key, which the service challenges and verifies at every sign-on. This means that while the end user performs only one simple action, the behind-the-scenes verification ensures the utmost security.
Passwords are reaching the end of their lives. FIDO says it wants to ‘supplant’ the need for passwords. Speaking to Wired, Andrew Shikiar, Executive Director of the FIDO Alliance, said: “Passwords are part of the DNA of the web itself, and we’re trying to supplant that. Not using a password should be easier than using a password.”
But what are the final nails in the coffin for passwords? Increasing reliance on mobile technology is one; a legal and ethical duty to build highly secure software when handling data is another; and a reduced reliance on outdated software is a third. The biggest barrier to completing these final blows has been consumer education.
Where businesses come in is part of this education. Consumers who have to start using FIDO standards at work will be able to easily transfer this skill to their home lives.
It’s a big step, but once done, the ongoing process is simple.