Dump your passwords, improve your security
They're hard to remember, hackers exploit their weaknesses, and the fixes often bring their own problems. Dashlane, LastPass, 1Password and other password managers create strong, unique passwords for each account you have, but the software is complex. Services from Google, Facebook and Apple let you use your passwords for their services on other websites, but you have to give those companies even more power over your online life. Two-factor authentication, which requires a second passcode sent by text message or retrieved from a dedicated app every time you log in, boosts security considerably but can still be defeated.
A significant change, however, could eliminate passwords altogether. The technology, called FIDO, overhauls the log-in process, combining your phone; face and fingerprint recognition; and new gadgets known as hardware security keys. If it delivers on its promise, FIDO will make cringe-worthy passwords such as "123456" relics of a bygone era.
"A password is something you know. A device is something you have. Biometrics is something you are," said Stephen Cox, chief security architect of SecureAuth. "We are moving to something you have and something you are."
Password Problems
This week, CNET is looking at changes that will help free us from password problems. Those changes are an enormous effort that will affect you every time you check email, transfer money or log into your employer's network. We'll look at approaches to authentication that dispense with passwords, the shortcomings of two-factor authentication and how to use password managers more effectively. We'll also offer some updated password-picking advice, since the deeper password improvements will take years to arrive.
Passwords are awful
Computer passwords have been fraught since at least the 1960s. Allan Scherr, an MIT researcher, ferreted out the passwords of other researchers so he could use their accounts to continue his "larceny of machine time" for his own project. In the 1980s, University of California, Berkeley astrophysicist Clifford Stoll tracked a German hacker across government and military computers left insecure because administrators hadn't changed default passwords.
The nature of passwords encourages us to be lazy. Long, complicated passwords, the ones that are most secure, are the hardest for us to create, remember and type. So many people default to reusing them.
That's a massive problem, since hackers already have lots of our passwords. The Have I Been Pwned service contains 555 million passwords exposed by data breaches. Hackers automate attacks through "credential stuffing," trying a long list of stolen usernames and passwords to find ones that work.
FIDO fixes
Fast Identity Online, better known as FIDO, addresses these problems. It standardizes the use of hardware devices, such as security keys, for authentication. Yubico, Google, Microsoft, PayPal and Nok Nok Labs, among others, are developing FIDO.
Security keys are electronic equivalents of house keys. You plug them into a USB or Lightning port, and a single security key works securely with many sites and apps. The key can dovetail with biometric authentication such as Apple's Face ID or Windows Hello. Some keys can be used wirelessly.
Fans are confident enough to make bold projections about its spread. "Over the next five decades, every significant consumer internet service is going to have a passwordless alternative," says Andrew Shikiar, executive director of the FIDO Alliance, an industry consortium. "The bulk of these will use FIDO."
Because it works only with legitimate sites, FIDO stops phishing, a type of attack in which hackers use a fraudulent email and a fake website to con you into giving up your log-in credentials. FIDO also eases companies' worries about catastrophic data breaches, especially of sensitive customer information like account credentials. Stolen passwords alone won't be enough for a hacker to log in, and once FIDO catches on, businesses may not require passwords in the first place.
Signing on with no password
Here's one way FIDO-based sign-on works without passwords. You go to a website's login page on your laptop, type in your username, plug in your security key, tap a button on it and then use the laptop's biometric authentication, such as Apple's Touch ID or Windows Hello.
Conveniently, you'll also be able to use your phone as a security key. Type in your username, receive a prompt on your phone, unlock it, then authenticate yourself with its biometric system. If you're signing in on your laptop, the phone communicates with it over Bluetooth.
FIDO preserves the protection of multifactor authentication, which requires you to prove your identity in at least two ways.
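The two claims above, that FIDO works only with legitimate sites and that a stolen database isn't enough to log in, both come from the same design: the device holds a private key scoped to one site, the site stores only the matching public key, and each sign-in is a signature over a fresh challenge plus the site's identifier. The following Go program is an added illustration of that exchange, written for this article; it is not CNET's code, nor the FIDO Alliance's reference implementation, and it simplifies the real protocol (Ed25519 stands in for the key types actual keys use, and the signed message omits the authenticator data, client data and counters that FIDO and WebAuthn carry). The domain "example.com", the user "alice" and the look-alike domain "example-login.evil" are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models a security key or phone: private keys never leave it,
// and it signs only for the relying party ID (rpID) the browser hands it.
type Authenticator struct {
	creds map[string]ed25519.PrivateKey // keyed by rpID (one user per device assumed)
}

func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]ed25519.PrivateKey{}} }

// Register creates a fresh key pair for rpID and hands back only the public key.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return pub, nil
}

// Assertion is the authenticator's signed answer to one sign-in challenge.
type Assertion struct {
	RPIDHash  [32]byte
	Challenge []byte
	Signature []byte
}

// signedData binds the signature to both the site and this login attempt.
func signedData(rpIDHash [32]byte, challenge []byte) []byte {
	return append(rpIDHash[:], challenge...)
}

// Assert signs the challenge for rpID. The browser derives rpID from the page
// origin, so a look-alike domain asks for an rpID that has no credential.
func (a *Authenticator) Assert(rpID string, challenge []byte) (*Assertion, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	h := sha256.Sum256([]byte(rpID))
	return &Assertion{RPIDHash: h, Challenge: challenge, Signature: ed25519.Sign(priv, signedData(h, challenge))}, nil
}

// RelyingParty models the legitimate site. Its database holds public keys only,
// so a breach yields nothing a thief could log in with.
type RelyingParty struct {
	rpID       string
	pubKeys    map[string]ed25519.PublicKey // keyed by username
	challenges map[string][]byte            // outstanding single-use challenges
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{rpID: rpID, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

func (rp *RelyingParty) StorePublicKey(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

// NewChallenge issues a fresh random challenge so a captured assertion cannot be replayed.
func (rp *RelyingParty) NewChallenge(user string) []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	rp.challenges[user] = ch
	return ch
}

// Verify accepts an assertion only if it answers the outstanding challenge, was
// made for this site's rpID, and is signed by the user's registered key.
func (rp *RelyingParty) Verify(user string, as *Assertion) bool {
	pub, ok := rp.pubKeys[user]
	if !ok || as == nil {
		return false
	}
	expected, ok := rp.challenges[user]
	if !ok || !bytes.Equal(expected, as.Challenge) {
		return false
	}
	delete(rp.challenges, user) // single use, whatever the outcome
	return as.RPIDHash == sha256.Sum256([]byte(rp.rpID)) &&
		ed25519.Verify(pub, signedData(as.RPIDHash, as.Challenge), as.Signature)
}

func main() {
	key, site := NewAuthenticator(), NewRelyingParty("example.com") // constructed placeholder domain
	pub, _ := key.Register("example.com")
	site.StorePublicKey("alice", pub)
	as, _ := key.Assert("example.com", site.NewChallenge("alice"))
	fmt.Println("sign-in at example.com accepted:", site.Verify("alice", as))
	_, err := key.Assert("example-login.evil", site.NewChallenge("alice")) // look-alike origin
	fmt.Println("look-alike domain obtains an assertion:", err == nil)
}
```

Two things the article's prose only asserts become visible here: a fake site never receives anything it can forward, because the browser asks the key for a credential under the fake site's own rpID and none exists, and even an assertion minted for some other site fails at the real one because the rpID hash is part of what was signed. The per-login challenge, deleted the moment it is checked, is what keeps a recorded assertion from being replayed; the password-plus-key mode the article describes next layers this same exchange on top of a conventional password.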
How FIDO authentication works
Your first experience with FIDO probably won't seem much different from two-factor authentication. You'll first type a conventional password, then plug in or connect a FIDO hardware security key.