Monday, February 17, 2020

Will FIDO Make an End to Passwords?

Anybody who spends much time online these days, which is nearly everybody, wastes a certain amount of time and endures more or less annoyance in entering passwords.  An industry alliance called FIDO (for Fast IDentity Online) promises to make passwords a thing of the past.  But before that happens, there are both technical and social obstacles in the way.

Founded in 2013 by PayPal and other companies wishing to make it easier for people to log in to their sites, FIDO works by collapsing all the different password-validation operations for the sites you use into one device-specific process.  That would be a great improvement over the way things are now, as I will illustrate with a personal example.

Say I want to do the following: check my bank balance, buy a component from a supplier in a hurry, log in to my university email, and change a file on my class website.

Right now I'd have to perform these steps flawlessly: (a) log on to my bank's website and enter two separate passwords which have nothing to do with my other passwords, and therefore are not that easy to remember; (b) hunt up the place on my computer where I hide all the dozens of vendor passwords I've accumulated over the years by remembering the name of the file I hid it in, and type the password into the vendor's website; (c) type in a long sequence of letters, some of which are capitalized, that the university recently made us switch to from an old shorter password, and hope I get it right, which I still do only about 80% of the time; and (d) for the class website, do a two-step verification involving not only the previously mentioned new long password, but also either asking the computer to call my office phone (which is fine if I'm in the office) or letting me enter a six-digit number from a dongle they sold me, which works fine until I accidentally press its button two or three times without using the numbers, which I do from time to time because it's on a keychain in my pocket, and then it loses sync with the computer, in which case I have to phone IT support and spend ten minutes or so waiting for them to hunt up the one guy who is authorized to re-sync dongles, and I read out three numbers in sequence to him, with thirty-second pauses in between.  Then I can go back, log in, and change the file on my class website.

This is not to knock the university's IT people.  They are understandably concerned about security, and within their limited resources they have come up with the best password protection they can figure out.  And admittedly, if I would just break down and buy a smartphone I wouldn't have to fool with the dongle. 

But the dongle is one of the technical hurdles FIDO will have to overcome in its march to eliminate passwords.  As I understand it from the FIDO Alliance website, once FIDO achieves universal buy-in, all password requests would be dealt with the same way.  If you have a smartphone that does fingerprint verification, the same fingerprint will work for every website.  If you do dongle verification, or smart-card verification, or voice-recognition verification, that same method will work for everything.  The method used will depend on the device that the user has access to. 

For old duffers like me who spend at least as much time using a laptop to access the Internet as using a phone, this prospect is not so encouraging, because it seems to mean that, to take advantage of FIDO, I'd have to be using the same device all the time.  But the global trend is toward using mobile phones for just about everything, and newer computers tend to have the hardware and software needed for fingerprint ID or similar biometric methods, so this issue will not be so serious going forward.

The social issue I mentioned is the simple fact that for FIDO to work, the websites all have to be able to take the FIDO "public-key cryptography" stuff that the user's device sets up.  And all the user-device makers have to make FIDO available on their devices.  Fortunately, the upsides to most parties involved way outweigh the downsides, which is why the people in charge of the Android operating system have recently upgraded their buy-in so that it will work with mobile browsers, according to a recent article on the Wired website.  So progress is being made in that area.
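To make the "public-key cryptography" step concrete, here is an added illustration in Go (not code from the original post or from the FIDO Alliance) of the basic exchange: the user's device keeps a separate key pair for every site and signs a fresh challenge, while the site stores only the public key. The site names, the challenge format and the way the site name is folded into the signature are simplifications constructed for this sketch, not the real FIDO2/WebAuthn message format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the user's device: one unlock gesture, a separate key pair per site.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register makes a fresh key pair for a site; only the public half leaves the device.
func (a *Authenticator) Register(site string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[site] = priv
	return &priv.PublicKey
}

// Sign answers a site's challenge. The site name is folded into the signed data, so a
// response collected for one site is worthless at another; with no key, the device refuses.
func (a *Authenticator) Sign(site string, challenge []byte) []byte {
	if priv, ok := a.keys[site]; ok {
		d := sha256.Sum256(append([]byte(site+"|"), challenge...))
		sig, _ := ecdsa.SignASN1(rand.Reader, priv, d[:])
		return sig
	}
	return nil
}

// Verify is the site's side: it stores only the public key and accepts a response
// only if it was signed over this site's own fresh challenge and this site's name.
func Verify(site string, pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	d := sha256.Sum256(append([]byte(site+"|"), challenge...))
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

// Demo registers with a constructed bank site and logs in once, then checks that the
// captured response neither replays against a new challenge nor passes under another name.
func Demo() (fresh, replay, crossSite bool) {
	dev := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	bankPub := dev.Register("bank.example")
	c1, c2 := make([]byte, 32), make([]byte, 32) // one random challenge per login attempt
	rand.Read(c1)
	rand.Read(c2)
	sig := dev.Sign("bank.example", c1)
	fresh = Verify("bank.example", bankPub, c1, sig)
	replay = Verify("bank.example", bankPub, c2, sig)
	crossSite = Verify("shop.example", bankPub, c1, sig)
	return
}
```

The same device thus serves every site with one gesture, yet a site only ever holds a public key, so a breach of one site's user database yields nothing that logs the user in elsewhere.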

For people and organizations unable or unwilling to do FIDO, there will still be the old-fashioned password, which brings back to my mind scenes out of 1930s' movies about Prohibition, where someone desirous of booze would appear before a door with a peephole in it and murmur, "Joe sent me."  Perhaps back then the formality of a password just added to the underworld glamour of obtaining illegal hooch.  But these days, when accessing multiple websites in a day is as routine as walking through multiple doors in a day, passwords have become a digital albatross around our collective necks that we would be more than happy to get rid of.

As is always the case with advances in widely used technology, somebody will figure out a way to hack FIDO.  The obvious weakness to me is the fact that with FIDO, all one's security eggs will be in one basket, so to speak.  Right now, if somebody hacked my bank password, for example, I might wake up broke tomorrow, but at least I could still make a secure purchase from Etsy—if I had any money.  But if FIDO becomes universal and someone manages to hack into your FIDO verification system, they can get into everything your current passwords give you access to, all at once. 

I'm sure the FIDO wizards have thought of this possibility and will try to deal with it somehow.  As long as FIDO will work better than my hardware dongle, I'm all for it, but it looks like it will be a while before it gains the degree of acceptance that would make a real dent in our need for remembering, typing in accurately, and dealing with the downsides of plain old-fashioned passwords. 

Sources:  I referred to a Wired article entitled "Android Is Helping Kill Passwords On a Billion Devices" at https://www.wired.com/story/android-passwordless-login-fido2/, the FIDO Alliance website at https://fidoalliance.org/, and the Wikipedia article "FIDO Alliance."
