The Passing of Passwords
At last, their end is in sight.
Dateline: Woking, 29th August 2022.
As a vignette to illustrate the state of the digital identity world, I can do no better than to tell you that when I was in San Diego recently (at a gathering of some of the brightest stars in the digital identity universe) I had need to change my flight. I opened up my airline app and (presumably because I was logging in from a new location) was required to complete an additional authentication step, which was to tell them my favourite breed of dog.
Presumably, some years ago, when setting up this account I had been asked to choose a couple of additional security questions, but of course I had forgotten all about this. After a couple of guesses, I went for "Spaniel" and I was in (don't worry, I've changed it now so there's no need to email me about this gross security violation).
While I was doing this, one of my fellow digital identity experts was taking a photograph of his passport to e-mail to someone so that he could check in for another flight. That’s right: e-mailing a picture of a paper document in the middle of a discussion about presentation standards for verifiable credentials.
The whole password thing is crazy and the costs are not limited to individual inconvenience when in a hurry to book a flight. While I was editing this document, I saw an e-mail from Plex saying that their servers had been breached and that I should change my password. I assumed that this was a phishing attack and ignored it but actually it turned out to be true because the data of around half of their customers had indeed been stolen.
The state of internet security is pathetic. It's no wonder that fraud is at epic levels when vast swathes of the internet depend on passwords for security. Passwords are just not security and “password security” is no such thing. This was evident about a week after the world went online and smart people have been predicting the end of the password ever since.
(By “smart people” I don’t mean me. I mean, for example, Bill Gates who said at the dawn of the new millennium that smart cards should replace passwords and then in 2004 told the RSA Security Conference that the password must go because it cannot "meet the challenge" of keeping us secure.)
Yet I just had to reset the password for one of my hotel apps because the password stored in my handy password manager was somehow wrong and after three attempts to log in to try and book a hotel room I got locked out. As for many other services, they may as well just automatically send me straight to the "I forgot my password" page to save time when I try to log in and get something done in a hurry.
(Interestingly, the immediate result of this password pain was that I opened one of my other hotel apps, for which the password was correct, and used that to book a room. Weird to think that in 2022, my choice of hotel for a business trip was based on which password my phone has remembered correctly, rather than loyalty points or tea and coffee facilities.)
Upper Case, Lower Case, Head Case
Passwords are well beyond their sell-by date. Last year, the top five passwords used in the USA, according to password manager NordPass, were "123456", "123456789", "12345", "qwerty" and "password". It's hardly surprising that there are so many hacks, frauds, account takeovers and all sorts of other shenanigans that stem from the outdated view that passwords are some sort of security solution. They are not, and we (i.e., the digital financial services sector) have known for years that they must die.
They should be replaced by real cryptography, preferably where the cryptographic keys are stored in tamper-resistant hardware rather than in software. A great many people already have suitable devices. Last year more than half of US teens and adults had tablets, and smartphone penetration, which continues to rise, will be almost 90% this year. These devices are near-prosthetic. The average smartphone user will tap the device 2,617 times a day. Around half of US smartphone users say they "couldn't live without their devices" and a third of them look at their phones more than 50 times every day.
So if most people are, most of the time, attached to a device capable of strong authentication using keys held in tamper-resistant hardware… why are we still using passwords?
Well, we may not be in this bind for too much longer. I think that the recent announcement from the FIDO Alliance, Microsoft, Apple and Google that they will support the expansion of the common passwordless standard created by the Alliance and the World Wide Web Consortium (W3C) is really significant and should have attracted more media attention.
The internet giants have said that they will be using the new multi-device FIDO credentials, sometimes referred to as “passkeys”, to finally begin to rid the world of passwords. They have committed to support passwordless sign-in that will work across all the desktop, mobile, and browser platforms that they control. That's a large portion of modern technology, covering everything from laptops and desktops to smartphones, tablets, and smartwatches. The announcement covers the most used operating systems (Android, iOS, Windows, and macOS) as well as the three most used web browsers (Chrome, Edge and Safari).
A passkey is a cryptographic credential: a public/private key pair created for one “origin” (the website or application that you want to log in to) and held on the user's device (and, for the multi-device variety, synced between the user's devices). The site stores only the public key, so a server breach like Plex's yields nothing a thief can log in with, and because the credential is bound to its origin it cannot be used at a look-alike phishing site. Passkeys allow users to authenticate without having to enter a username or password or provide any additional authentication factor. These credentials follow the FIDO and W3C Web Authentication (WebAuthn) standards.
Similar to a password, websites and applications can request that a user create a passkey to access their account. Authenticators are FIDO-compliant devices which are used to, as you might imagine, authenticate the user. This includes special purpose devices (eg, YubiKeys), as well as mobile phones and other computers which meet the authenticator requirements (they must have secure, tamper-resistant storage for cryptographic keys, essentially).
Last Lost Login
Apple got behind FIDO a couple of years ago. It calls its own implementation “Passkeys in iCloud Keychain” and what that boils down to is that in the future, when I log in to my airline app or my hotel website, it will authenticate me through my iPhone. Kind of like how "Log in with Apple" works today, except it will work everywhere that implements the FIDO standard.
Passkeys for macOS Ventura are in beta testing now or soon will be, according to Apple, with final code ready by the end of this year, and passkeys for iOS 16 and iPadOS 16 on a similar timeline. Since the key will be unlocked using Face ID or Touch ID, as far as most users will see it their thumb or face will simply take the place of passwords (the biometric itself only unlocks the key on the device and is never sent to the website), and I am sure that the convenience will mean rapid adoption.
Similarly, Microsoft announced a while back that some of its customers could go passwordless, and it followed up last year by telling people to start to get rid of their passwords altogether. You can already use Windows Hello to sign in to any site that supports passkeys but in the near future you will be able to sign in to your Microsoft account with a passkey from an Apple or Google device.
The ability to log in to Windows using an Apple Watch, to Google using a Microsoft tablet and to Apple using an Android phone is surely a game changer and a step towards ending the fragmentation of identity solutions that leaves the typical user struggling with password managers, sticky notes and mnemonics.
Two decades on, Bill Gates' call for smart cards to replace passwords is about to be answered, although the smart cards will be inside mobile phones, laptops and tablets rather than sitting in wallets. As the MIT Technology Review commented recently, these alternatives to passwords are finally winning, and not before time.