Is it time to mark the passing of the password?
Don’t hang the crepe and black bunting just yet. But then again, the password’s breathing and pulse seem to be … perhaps a bit labored and slowed.
Last week, the FIDO Alliance and the World Wide Web Consortium announced the launch of Web Authentication (WebAuthn), billed as a way to log in through the browser without passwords.
Standards bodies, then, are coming together to offer a standard protocol to hasten logins without using passwords.
A few heavyweights have signed on, and perhaps you’ve heard of them: Microsoft, Google and Mozilla. Through WebAuthn, the announcement from last week stated, a standard web API can be incorporated into browsers and other platform infrastructure, with the end result that users can authenticate themselves across websites and the hardware they use to navigate those sites — from mobile devices to laptops.
In an example proffered by FIDO and WebAuthn, when users work from a laptop and encounter a website that requires a login, they are sent a prompt via WebAuthn to check their phones — and with a tap on their phones … presto, login commences.
In an interview with Karen Webster, Brett McDowell, executive director of the FIDO Alliance, said this is the beginning of what might be a sea change in authentication.
“I see a long roadmap of FIDO authentication becoming the new normal for all of our online login requirements,” he said, eyeing the fact that Firefox, Edge and Chrome are on board with supporting the user authentication framework that comes in tandem with FIDO2.
He also told Webster that Apple’s Safari web team has recently joined the web authentication working group. “This bodes well for their inclusion as a technology in the future,” he said.
The roadmap itself?
“Step one is let FIDO be a new option. Then over time, when people start to take that as a normal experience, we will start to see companies that are especially concerned about fraud and security” follow in the early adopters’ footsteps. Phase two, he continued, would see case studies published, along with the addition of more services — “limiting accounts to only physical FIDO authenticators,” offered McDowell. And then there would be a third phase, he said, which would involve opting to limit one’s account only to physical authenticators. Think biometrics, from iris scans to fingerprint scans.
“I don’t know how long it’s going to take before we get there,” he said of that multi-phase roadmap, “but we have a pretty clear path to getting there even if it does take five to 10 years. FIDO enables choice and that is where this is going. You are going to see more and more choice, because not everyone feels the same way about what safe and easy means for them.”
In terms of mechanics, he noted that the server has to be able to process the FIDO messages, while an application needs to be able to add FIDO to its application server. The authenticator itself? McDowell doesn’t think of it as a widget but as a capability that a device has. “What’s important technologically about that FIDO authenticator is that there’s a private key — a sign of privacy that’s created by my device and never leaves my device.”
As has been noted in this space before, standards are important and have been lacking in the digital world. The ultimate goal, said McDowell, is to recognize that it is the same (authentic) user trying to access a site, and it is the same user device they originally registered with. A standard, of course, simplifies the process and gives innovators a foundation upon which to build.
“Solving the world’s password problem is too big of a challenge for any one company or even any one country to solve on [its] own,” he told Webster. “That’s why we set out to develop open standards, a common interoperable technology platform [where] everyone can use any FIDO compliant device with any FIDO compliant app or website.”
In moving to standardization in payments, he told Webster, FIDO is in partnership with EMVCo, and that partnership is expanding to include 3-D Secure messages, which allows for queries of a FIDO authentication event downstream before payments are performed.
“It’s really a Holy Grail opportunity for online commerce,” he said, “that has been elusive to our industry for so long. I have a more secure proof of the cardholder being present in [a] transaction than any previous security method. And I am able to package that not only in a better user experience but in a user experience that that customer wants to have.”