This post was originally published on 9 May 2022
Original post
Once upon a time, in a galaxy far, far away, passwords and usernames seemed like a good idea for security…
However in today’s connected and hacked world, where people still think it is OK to use “liverpool” or a single very long, very complex password for everything, passwords as our primary security step or as part of multi-factor authentication have passed their use by date.
Last week on “World Password Day” Microsoft, Apple and Google announced a collaboration with the Fast ID Online Alliance (FIDO), to work towards a passwordless world.
This World Password Day consider ditching passwords altogether – Microsoft Security Blog
One step closer to a passwordless future (blog.google)
Apple, Google, and Microsoft commit to expanded support for FIDO standard – Apple (UK)
I have run several posts looking at the possibility of doing away with passwords.
Something to read on a Saturday – no more passwords
More about “no more passwords”
FIDO is an organisation that has been working towards and setting the standards for passwordless authentication since 2012. This graphic, grabbed from their website, simply explains why a world that does not depend on passwords is more secure.
FIDO works using public/private key cryptography to create a link between the online service and the user’s device at the time of registration. When the user returns to the site to log in, the client device is challenged to prove it is in possession of the private key to gain access to the service. This proof of possession, through an app, is usually accomplished through a secure local action such as, a PIN, face, finger print, voice or gesture recognition etc. No password required. The protocols that control these processes are designed to be secure from the ground up, no sharing of information between services, no tracking and no biometric data every leaving the device.
So “getting rid of the one part of MFA that sucks”.
James (see the TechLinked YouTube video below)
I have already enabled this with my personal Microsoft account and the Microsoft Authenticator app on my iPhone 13, using face recognition. We are in the process of training and rewriting our policies to implement this at Octagon and then from there with our clients.
Of course you need a smart phone for this to work and both Google and Apple sell smart phones. That aside it is a good move to reduce our reliance on passwords when operating online.
Update 11 May 2022 – Yahoo Japan makes the effort to go passwordless
It can be done – if the will is there:
Yahoo! Japan wants universal passwordless login • The Register
The company sees this as a way of mitigating phishing email attacks and the issue of users reusing credentials across multiple sites.
Clive Catton MSc (Cyber Security) – by-line and other articles
Further Reading
Is your password “liverpool”? – Smart Thinking Solutions
Microsoft, Apple, Google step up push to eliminate passwords • The Register
Passwordlessness – Smart Thinking Solutions