The Fast Identity Online (FIDO) Alliance – a group of technology companies including Apple, Google and Microsoft – has suggested that the shift to removing passwords entirely from access control may happen sooner rather than later. FIDO has worked for nearly a decade on a system that lets users log in to their online accounts via a passwordless protocol, with the user verified by a PIN or by biometrics such as fingerprints, iris scans or voice recognition.
Instead of passwords, FIDO proposes that your login credentials are stored on your device and in the operating system’s associated cloud sync service. Your phone becomes the access point, and access is authenticated by entering your phone’s PIN or using fingerprint or face identification. This would reduce the reliance on passwords and give users a way of keeping their credentials to hand as they move from device to device.
FIDO expects this approach to be implemented across Apple, Google and Microsoft platforms later this year, and believes it will provide better protection than legacy multi-factor authentication and stronger resistance to phishing attacks.
Julia O’Toole, Founder and CEO of MyCena Security Solutions, believes that FIDO’s view of passwords is misguided and reveals an entrenched confusion between access and identity, a consequence of the digital transition.
“In the physical world, the difference in applications is straightforward. Your identity is used to identify yourself, for example when you cross a country border. It does not automatically give you access; it just validates that you are who you say you are. By contrast, your front door doesn’t recognise your identity; instead, you use your keys to unlock access. You don’t hammer your keys before using them – no key simply means no access, regardless of who you are. Using common sense, companies would hand over keys to employees needing access, and take them back when they leave.
“In moving into the digital world, people lost their reference points and started mixing the two. This has led to the current state of digital insecurity we live in. People were told they had to create and remember their own passwords, or use their identities. In companies, employees use their identities and make their own passwords to open the doors of their network, systems and data. All those passwords are open to theft, fraud, resale and sharing, making them compromised by default. Losing access control is the single biggest problem for companies’ security.
“FIDO’s proposal creates a list of even bigger problems”, says O’Toole. “First, under a single point of access via your PIN or biometrics, one attack could mean losing all your accounts at once. Second, if your biometric data – now only a string of 1s and 0s – is stolen, it cannot be replaced, making you continually susceptible to identity theft. Finally, the proposal effectively turns everyone on the street into a walking wallet waiting to be mugged. We’ve already seen this begin in London – mobs and muggers just need to seize your PIN or biometrics to obtain everything you have.
“On the other hand, passwords carry the same properties as physical keys. They don’t need to be tied to a user’s identity. In fact, through end-to-end encryption on an organisational level, these passwords don’t even need to be known by anyone at all.
“Organisations must take back control of their access from their employees by simply creating and distributing strong, unique, encrypted passwords to their employees. Without knowing any password, individuals avoid potential man-in-the-middle attacks like password phishing completely. There is also no more risk of forgotten passwords – you cannot forget a password you never knew in the first place.”
O’Toole concludes, “The FIDO proposal stems from a world where passwords are not used as they should be. Passwords are just digital keys to be handed to employees when they join and withdrawn when they leave, not to be crafted by the employees themselves. Educating individuals on the differences between identity and access will make a huge difference in how people protect their identity and access online. Similarly, educating organisations will also be a first step for them to regain access control, allowing employees to be discharged of the mental burden of remembering passwords and the liability for their corporate security, which they should never have been handed in the first place.”