Passwords are a pain. They’re incredibly important for the security of our data, and yet they’re hard to remember and keep track of. Plus, it seems like we constantly have to change them as the result of some new hack or security breach. But the password’s days may be numbered: the FIDO Alliance—a non-profit composed of heavyweights like Microsoft, Google, VISA, MasterCard, PayPal, and more—has published its final specification for a system to kill the password, hopefully for good.
The specification is a bit technical, but what it boils down to is, hopefully, fewer passwords. FIDO offers two options: a password-less login method, and a two-factor login method. In the former case, when you register with a new service, app, or site that uses FIDO’s technology, you choose how you want to authenticate that account (just as you would currently specify a username and password). But instead of a password, that method can be a PIN or a biometric factor—such as a fingerprint, a spoken passphrase, or facial recognition. The even-more-secure two-factor method still relies on a password, but it means you also need something else, like a USB key, to prove your identity. In both cases, the authentication information is stored and encrypted on your device, not on the server, making it harder for hackers to compromise.
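To make the "stored on your device, not on the server" point concrete, here is an added illustration of the password-less flow; it is not code from the FIDO Alliance or from any of the companies named in the article. FIDO authenticators generate a key pair on the device, register only the public key with the service, and then prove possession of the private key by signing a fresh random challenge at each login. The PIN comparison in `Authenticator.Sign` stands in for the local PIN or biometric gate; the type and function names (`Authenticator`, `RelyingParty`, `Login`) and the sample user "alice" are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device. The private key never leaves it,
// and it is only used after a local user-verification step (the PIN or
// biometric check the article describes). The PIN string is a stand-in.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	pin  string
}

func NewAuthenticator(pin string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, pin: pin}, nil
}

// Register hands the service the public key only.
func (a *Authenticator) Register() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign answers a challenge, but only after the local PIN/biometric check passes.
func (a *Authenticator) Sign(pin string, challenge []byte) ([]byte, error) {
	if pin != a.pin {
		return nil, errors.New("user verification failed")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// RelyingParty models the server. Its credential store holds public keys only,
// so a leaked copy of it cannot be used to log in.
type RelyingParty struct {
	creds map[string]*ecdsa.PublicKey
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{creds: map[string]*ecdsa.PublicKey{}}
}

func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.creds[user] = pub }

// Challenge issues a fresh random nonce so a captured signature cannot be replayed.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Verify accepts the login only if the signature over this challenge
// checks out against the public key registered for the user.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.creds[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Login runs one password-less authentication round end to end.
func Login(rp *RelyingParty, auth *Authenticator, user, pin string) (bool, error) {
	challenge, err := rp.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := auth.Sign(pin, challenge)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, challenge, sig), nil
}

func main() {
	auth, _ := NewAuthenticator("1234")
	rp := NewRelyingParty()
	rp.Register("alice", auth.Register())

	ok, err := Login(rp, auth, "alice", "1234")
	fmt.Println("correct PIN:", ok, err)

	ok, err = Login(rp, auth, "alice", "0000")
	fmt.Println("wrong PIN:", ok, err)
}
```

Two properties of the design are worth noticing. A wrong PIN is rejected on the device before any signature is produced, so the server never sees the PIN or biometric at all; and because every login signs a new random challenge, a signature observed in transit does not authenticate a later session.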
Now, smartphones like Apple’s iPhone 6 and the Samsung Galaxy S5 already offer fingerprint authentication, so you may wonder what the big deal is. Unlike those technologies, FIDO isn’t a consumer-facing solution: it’s a software system that can be incorporated into apps and websites, free of charge—and it can work with a variety of different hardware. While a mobile device might rely on a built-in fingerprint scanner, a laptop or desktop computer may instead be better suited to using a USB key.
PayPal has already added FIDO support in its Android app for use with the Samsung Galaxy S5’s fingerprint sensor, and Google is allowing FIDO-compatible USB keys as part of its two-step verification process on desktop and laptop computers. Nok Nok Labs has also created solutions that app developers will soon be able to use on Android or iOS, meaning that the services, apps, and websites you already use will all be able to build in support for FIDO’s authentication, if they so desire.
That said, there are some potential limitations. Standards are a dime a dozen and, despite the major players involved in FIDO, there are some missing names: Apple being the most prominent. That’s not enough to scuttle FIDO outright, but given Apple’s serious clout, it could slow adoption of FIDO. (For example, the recent roll-out of Apple Pay—which only works on Apple devices—has sharply increased wireless payments, despite the fact that the technology has been around for years.) And while FIDO is trying to make its system as attractive as possible, some companies will no doubt balk at re-doing their authentication infrastructure.
But one thing is clear: with security failures coming at a breakneck rate, we can’t count on the password to protect us anymore. Is FIDO really the harbinger of the password’s demise? I hope so, though I remain skeptical that anything can kill the password—much like the Grimace.