Get rid of passwords: As we do more and more on and with the internet, the number of passwords we have to keep is increasing at a rapid pace. We have accounts with video streaming services smart home platforms and operating systems. Now you can do your best to remember all those accounts and associated passwords, but you can also use (and invest in) a good password manager. While the login process has become easier over time, and managers take the work off their hands, it can be easier than that.
Get rid of passwords
Why don’t we get rid of passwords in general? That sounds like a tight plan and something big tech companies like Microsoft, Apple and Google can do working on now. The intention is that we will log in password-free on all kinds of platforms within the next year; think of mobile, desktop and browser systems. If we assume the three companies mentioned, then this applies in any case to android and iOS. Windows and macOS and of course the parties’ three browsers: Chrome, Edge and Safari.
How exactly does this work? The idea is now that the smartphone serves as a general means of authentication, that’s how google explains† When your smartphone is unlocked, you can log in directly to websites, apps and other digital services. It does not matter in which way you unlock your phone: whether that is with a PIN code, swipe gesture or fingerprint scanner. As a user you notice how easy it is to start using this system, but what exactly happens behind the scenes?
The phone you use creates a unique cryptographic token called a private key (or passkey). That key is shared across apps, sites, and services, letting both parties know who they’re dealing with. This allows you to log in securely with all kinds of providers, while you don’t have to do much yourself. The system is somewhat like Google’s Smart Lock. This allows you to log in to Netflix on Android TV at lightning speed, for example. Google must then be able to find your login details on your Google account.
Safe for everyone
The new system, where passwords are unnecessary, must be safe for everyone. Because the login process is connected to a physical device. This makes it more difficult for hackers and people who carry out phishing attacks; after all, they can’t enter accounts without accessing your smartphone. You can compare this system with logging in using two-step verification. Even then, malicious parties will not just enter your account without being in possession of your smartphone or a safe USB device.
In the future, it does not matter how and where you use this new system. For example, you can log in within the Edge browser on macOS while using an Android phone. This is because the passwordless login is partly made possible by FIDO. FIDO stands for Fast Identity Online and is already often used to offer secure, online login. The unique private key that a phone creates is created and remembered by FIDO, then shared with services.
This happens – of course – only when the phone is unlocked. The great thing about this system is that you can effortlessly transfer the private data to other devices, since they are linked to your online accounts. So if you have a new smartphone, you can transfer everything in one go (just like you would do now with a password manager). In addition, it is nice to know that you can also retrieve the data from the cloud if your smartphone is lost or stolen. Let’s hope this really heralds the end of the password.
Fast Identity Online
Since we will encounter the term FIDO more often in the future, it is useful to give a brief explanation of what it is exactly. FIDO is a security specification that aims to provide better authentication. The system is being developed and managed by the non-profit organization FIDO Alliance, which aims to standardize such options. And this on two levels, namely for the end user and the person responsible for the protocol. This way the different layers work well together.
FIDO offers support for two-step verification and public key cryptography. Unlike password databases, FIDO stores personal identification information (PII), such as biometrics, locally on the user’s device. This way, that information can be better protected. Furthermore, the alliance makes work very easy for developers who use standard APIs (developer tools). This allows them to effortlessly implement all resources and measures.
FIDO supports two major protocols, namely Universal Authentication Framework (UAF) and Universal Second Factor (U2F). With the first protocol, the user’s device creates a new key pair when registering with an online service. The device then keeps the private key, while the public key goes to the service or app. When you then try to log in to that service, both parties put the key next to each other to check whether everything is still correct.
If that is the case – and you have unlocked the device with your personal data – you can log in. In short, U2F is two-step verification. You then log in using a second device that has NFC or a USB security key. By using the extra hardware while logging in, you prove that you are the person who owns an account. Again, there are private and public keys, which are compared when you try to access an online account.