For years, many organisations – and their users – have
struggled with the challenge of password management. The technology industry
has toiled on this problem by trying to remove the need to remember passwords
at all. Recent developments suggest we might finally be reaching a (finger)
At Mobile World Congress this year, Google and the FIDO Alliance announced that most devices
running Android 7.0 or later can provide password-less logins in their browsers.
To clarify, the FIDO2 authentication standard is sometimes called password-less
web authentication. Strictly speaking, that’s a slightly misleading name
because people still need to authenticate
to their devices, using a PIN or a biometric identifier like a fingerprint.
It’s more accurate to say FIDO2 authentication, but not surprisingly, the term ‘password-less’
seems to have caught the imagination.
that web developers can now make their sites work with FIDO2, which would mean
people can log in to their online accounts on their phones without a password. This
feature will be available to an estimated
one billion Android devices, so it’s potentially a significant milestone on the
road to a password-less future. Last November, Microsoft announced
password-less sign-in for its account users, with the same FIDO2 standard. One caveat: Microsoft’s
option requires using the Edge browser on Windows 10 build 1809. So, the true
number of users is likely to be far lower than the 800 million Microsoft had
been promising. But this is just the latest place where Microsoft has inserted
FIDO technology into its products.
It’s not what you know
I spoke to Neha Thethi, BH Consulting’s senior
information security analyst, who gave her reaction to this development. “Through
this standard, FIDO and Google pave the way for users to authenticate primarily using
‘something they have’ – the phone – rather than ‘something they know’ – the password. While a fingerprint or PIN
would typically be required to unlock the device itself, no shared secret or
private key is transferred over the network or stored with the website, as it is
in case of a password. Only a public key is exchanged between the user and the
From the perspective of improving security, Google’s
adoption of FIDO2 is a welcome development, Neha added. “Most of the account compromises
that we’ve seen in the past few years are because of leaked passwords, on the likes
of Pastebin or through phishing, exploited by attackers. The HaveIBeenPwned
website gives a sense of the scale of this problem. By that measure, going
password-less for logging in to online accounts will definitely decrease the
attack surface significantly,” she said.
“The technology that enables this ease of authentication is
public key cryptography, and it has been around since the 1970s. The industry has
recognised this problem of shared secrets for a long time now. Personally, I welcome
this solution to quickly and securely log in to online accounts. It might not
be bulletproof, but it takes an onerous task of remembering passwords away from
individuals,” she said.
Don’t try to cache me
Organisations have been using passwords for a long time to
log into systems that store their confidential or sensitive information.
However, even today, many of these organisations don’t have a systematic way of
managing passwords for their staff. If an organisation or business wants to
become certified to the ISO 27001 security standard, for example, they will
need to put in place measures in the form of education, process and technology,
to ensure secure storage and use of passwords. Otherwise, you tend to see less
than ideal user behaviour like storing passwords on a sticky note or in the web
browser cache. “I discourage clients from storing passwords in the browser cache
because if their machine gets hacked, the attacker will have access to all that
information,” said Neha.
That’s not to criticise users, she emphasised. “If an
organisation is not facilitating staff with a password management tool, they
will find the means. They try the best they can, but ultimately they want to
get on with their work.”
The credential conundrum
The security industry has struggled with the problem of
access and authentication for years. It hasn’t helped itself by shifting the burden
onto the people least qualified to do something about it. Most people aren’t
security experts, and it’s unfair to expect them to be. Many of us struggle to
remember our own phone numbers, let alone a complex password. Yet some
companies force their employees to change their passwords regularly. What
happens next is the law of unintended consequences in action. People choose a
really simple password, or one that barely changes from the one they’d been
For years, many security professionals followed the advice of the US National Institute of Standards and Technology (NIST) for secure passwords. NIST recommended using a minimum of seven characters, and to include numbers, capital letters or special characters. By that measure, a password like ‘Password1’ would meet the recommendations even if no-one would think it was secure.
Poor password advice
Bill Burr, the man who literally wrote the book on
passwords for NIST, has since walked back his own advice. In 2017, he told
the Wall Street Journal, “much of
what I did I now regret”. He added: “In the end, it was probably too
complicated for a lot of folks to understand very well, and the truth is, it
was barking up the wrong tree”. NIST has since updated its password advice, and
you can find the revised recommendations here.
As well as fending off cybercrime risks, another good reason for implementing good access control is GDPR compliance. Although the General Data Protection Regulation doesn’t specifically refer to passwords, it requires organisations to process personal data in a secure manner. The UK’s Information Commissioner’s Office has published useful free guidance about good password practices with GDPR in mind.
Until your organisation implements password-less login, ensure you protect your current login details. Neha recommends using a pass phrase instead of a password, along with two-factor authentication where possible. People should also use a different pass phrase for each website or online service they use, because using the same phrase over and over again puts them at risk if attackers compromise any one of those sites. Once attackers get one set of login credentials, they try them on other popular websites to see if they work. She also recommends using a good password manager or password keeper in place of having to remember multiple pass phrases or passwords. Just remember to think of a strong master password to protect all of those other login details!