End of passwords

Creating a new online account almost always requires two basic components: a username and a password. While the second part is necessary to protect the first, it is not without its problems.

Passwords can pose a major weakness to overall web security and coming up with and remembering a good one is hard. Despite warnings against doing so, far too many people still select common and easy passwords like "qwerty" or "password123." Shockingly, data from online password manager Keeper shows that as many as 17 percent of people use “123456” as their password for an online account. Those are easy to remember, but they’re also easy to crack. In fact, the average business employee has 191 accounts with passwords.

Hacking these simple passwords has become a serious problem for web security and online protection. Verizon’s 2018 Data Breach Investigations Report concludes that stolen or weak passwords account for 81 percent of data breaches. That has an enormous impact on data integrity and online business worldwide.

Traditional best practices around passwords call for a mix of characters that include letters, numerals and symbols, are long, changed often, hard to guess, not written anywhere and are unique to each account or login. It’s enough to make you say “J&x$O#!g%e4T1@byC.” That’s not a disguised swear word, but rather an example of a strong password. Trying to commit something like that to memory is no easy task, made especially less enjoyable when you have to change it and memorize a new one in a few months, and repeat that across multiple websites.

Creating passwords can also create a friction point for ecommerce, web services and other daily online functions – a forgotten or lost password can lead to frustration or abandonment. Those pose another set of risks for businesses. Is there a better way to secure account integrity while making the log in process easier for legitimate users?

Introducing a New Standard

The FIDO Alliance, the world's largest ecosystem for standards-based, interoperable authentication, is working with the World Wide Web Consortium (W3C) to advance a new idea to the Candidate Recommendation (CR) stage. Known as Web Authentication (WebAuthn), this new protocol has been designed and proposed to help deploy simpler yet stronger web authentication methods to users around the world.

While web adoption is nearly universal and people from all over the world are using it for communication, financial services, eCommerce and much more, web security is a global concern. But the old password standard forms one of the weakest points and biggest challenges when trying to make the web a more trustworthy place for doing business. As a new standard, WebAuthn aims to tackle that problem head on.

Instead of relying on a complicated combination of characters, the WebAuthn protocol promises to provide significant improvements for both ease of use and web security. For the user, a more natural login procedure involving a single gesture, such as a finger-tap, is the proposed norm. This method will also work across devices and services, offering a faster and more convenient way to securely access an account.

The Fido Alliance includes Google, Safari, Microsoft, Opera and Mozilla - all the major web browsers. As Brett McDowell, executive director of the FIDO Alliance, told eWEEK: "We expect to benefit from the entire community of web browsers and web application servers supporting the standard.”

How WebAuthn Works

How will users log in to accounts using WebAuthn? If they are using a phone, the process will be straight forward – visit a site to register or login. The phone will prompt the user to register the device with the site. If the user agrees, they then use their authorization gesture, such as a fingerprint tap, to register the device. After that, logging in simply requires the authorization gesture.

It’s not just phones that can use the power of WebAuthn. While somewhat more complex, users can use it to log in to websites on their desktop. From their computer, they can head to the website and select the “sign in with your phone” option. Then, on their phone they’d see the option to log in to that website and perform the authorization gesture. At that point, they can access the site on their desktop as the logged-in user.

To improve security, WebAuthn uses public key cryptography. The keys stay on the device, so there are no server-side shared secrets to steal. There’s also no linkage between services or accounts, there’s no third party in the protocol, and none of the biometric information leaves the device. All these measures help protect against phishing, man-in-the-middle and replay attacks.

Widespread Adoption of Scalable Technologies to Help Eliminate Passwords

Although knowledge-based data will continue to be used for authentication in 2018 and beyond, a number of key technologies and standards are emerging and gaining widespread adoption.

Other scalable alternatives in the market that aim to address the password problem includes 2FA (Two-Factor Authentication) or multi-factor authentication. These systems rely on the user acknowledging control of a confirmed communication channel, such as an email address, a SMS (text) number or an authentication app. If using an email channel, clicking a special link with a one-time password (OTP) included will demonstrate that the user has access to that particular email account. Or, a text message can be sent to the number on record with an OTP and entering that number into a form indicates the user has access to that particular phone number. Similarly, a user can enter an OTP number into a form from an authentication app.

The Intel® Authenticate Solution protects identities at the hardware layer as opposed to the software layer. It enables multiple form factors to authenticate individuals including facial recognition, fingerprint, Bluetooth phone proximity, protected PIN and logical location. As it’s built into the physical system, Authenticate Solution protects all operations on the computer, not just web-based sites and services.

There are other solutions that use biometrics to replace passwords, ranging from Windows Hello – an  enterprise-grade biometric security system built into Windows 10 – to Apple’s Touch ID which has been available on Apple phones since 2013. While offering system-level security, these are (to date) more for logging into the system and specific, rather than independent web sites.

As with any new technology, the adoption curve for password alternatives will take time to go from an option on some sites to a requirement on every site with a login. Given the security risks of passwords and the public’s problems with using them, these solutions offer new and innovative ways to replace the password with greater safety and convenience.