Checklist 278: Getting to Know FIDO
On this week’s Checklist, we discuss plans to implement FIDO standards for passwordless logins with Megan Shamas of the FIDO Alliance.
A world without passwords?
Last week, we marked World Password Day by talking about how to keep our passwords safe. But what if we lived in a world where we didn’t have to use passwords at all?
This is the vision of the Fast Identity Online (FIDO) Alliance, a non-profit standards organization dedicated to improving the way we sign in to our online accounts. FIDO is made up of 250+ member organizations, and includes major tech companies like Apple, Google, and Microsoft on their board.
Last week, those three companies announced that they were expanding their support for FIDO standards on their platforms. The goal is to help users sign in to online accounts across devices and browsers more quickly and securely—and all without a password.
Megan Shamas, Senior Director of Marketing for the FIDO Alliance, explains why this is important for security:
Today, authentication is mainly done on the server side. For example, a password needs to be stored on a server, and you need to know it and the service provider needs to know it in order to let you log in. Similarly, common multifactor authentication methods like SMS or one-time passcodes (OTPs) follow the same basic authentication model: There’s a shared secret that needs to be known by you and the service provider.
The problem with handling authentication like this (aside from the inconvenience) is that it is inherently insecure, because credentials and authentication codes can be phished or stolen and then used to take over our accounts. What FIDO is doing is creating new standards for authentication that remove the necessity to have things stored on a server at all.
A cryptographic solution for logins
Signing in without a password may sound like magic—but FIDO’s standards are actually based on a well-known and proven technology: public key cryptography.
Public key cryptography is already widely used in end-to-end encrypted messaging, digital signatures for documents, and the secure HTTPS web protocol.
When public key cryptography is used for authentication, passwords are replaced with a cryptographic key stored securely on your device. As Shamas explains, this means that “the key never needs to be given away to the service provider—and it’s never stored on a server where it can be stolen.”
To access the stored cryptographic key for sign-ins, a user would simply use whatever mechanism they normally use to unlock their device: a PIN, a pattern lock, Face ID, Touch ID, and so on.
Apple, Google, and Microsoft take action
In some ways, what the FIDO Alliance is proposing isn’t new. The organization has been around since 2012, and their sign-in standards, first published in 2016, are now supported on billions of devices and in every major OS and web browser.
But what still remains to be done, says Shamas, is to make passwordless sign-ins truly interoperable:
Historically, FIDO standards have been a device-based sign-in method. For example, if I’m on my smartphone, and I go to a website and sign up with FIDO, then that’s on my smartphone—but not anywhere else. If I then get on my computer and go to the same website, I need to sign in again with my password and re-enroll with a FIDO sign-in. That means you’re always having to bring this less secure sign-in method back into the mix: passwords stored on servers.
What Apple, Google, and Microsoft have committed to is implementing a syncing mechanism where your FIDO keys are available to you across all of your devices. It will be similar to the way iCloud Keychain makes all of your saved sign-ins available to you on all of your Apple devices.
Is the world ready for FIDO standards?
The move to sign-ins without passwords is a pretty big change, which raises questions about whether or not users will be willing to make the switch. Shamas is optimistic:
From our research and from just observing regular consumers, we know that the main thing people want is convenience—more than anything else. The security aspect of FIDO sign-ins is going to be pretty transparent to them, in the same way that people today don’t really worry about what’s going on behind the scenes when they’re asked to use Face ID to sign in to a website.
The vision we have for FIDO standards is similar: There will be an opt-in mechanism, and the people who want to go passwordless will be able to. Nobody’s going to be forced to do anything, but maybe there will be an option to disable your password after you’ve been using FIDO sign-ins for a while—like an option that says, “Hey, you’ve been signing in with FIDO, do you want to disable your password so that there’s no way a bad actor can get into your account?” A substantial number of people will likely say yes to that. That’s how we’re going to start to get those passwords off of the servers.
In technology development, timelines are never set in stone (as anyone familiar with Apple’s long rollout of App Tracking Transparency will appreciate). But the wheels are already in motion, and Shamas believes that we’ll start seeing the first publicly available versions of the proposed features within one to two years.
The issue of backups
As Apple, Google, and Microsoft move towards implementation, some remaining details will need to be worked out. One of the big ones is backups: If an account doesn’t have a password, and you lose the device that acts as the sole key to that account, what then?
Shamas acknowledges the concern, but points out that the same basic problem has already been solved by big tech platforms with other services:
If you look at, for example, Google’s Advanced Protection Program (APP), you have a similar issue. When you use Advanced Protection, you can only log in to your Google account with an external security key. There is no backup method: For security reasons, that’s not allowed. In other words, if you lose that key, you’re locked out of your account.
But of course, Google has procedures in place by which you can recover your account. Yes, it’s more extensive than what a password reset would be, but that’s a good thing in terms of security!
So at the moment, Apple, Google, and Microsoft are figuring out how they’re going to implement FIDO logins on their platforms. But issues like account recovery aren’t new territory for them, even though it remains to be seen how they’ll handle the implementation with FIDO-based passwordless logins.