Passwords pose many problems in computer security. “Passwords are a prime target for attacks. Yet they are the most important layer of security in our digital lives,” explained Vasu Jakkal, Corporate Vice President for Security, Compliance and Identity at Microsoft, during an interview with L’Usine Digitale. Indeed, one attack technique, called “brute force”, consists of trying all possible combinations of characters until the right password is found.
For Google, Microsoft and Apple, the solution is not to reset passwords or change them more regularly, but to remove them completely and replace them with new, more robust technologies. On World Password Day on May 5, the three companies announced that they are committed to “extend support for the FIDO standard”.
Created by the “Fast IDentity Online” industry alliance, the standard covers a full range of authentication technologies, such as biometrics (fingerprint, iris, facial and voice recognition), as well as existing communications solutions, to reduce reliance on passwords. FIDO authentication standards are based on public key cryptography and are designed to provide a secure and easy login experience.
Two technologies are now certified by the alliance. The Client-to-Authenticator Protocol (CTAP) allows users to log in without a password by using a dongle or their mobile phone to communicate authentication information via USB, Bluetooth or NFC (Near Field Communication) to the person’s device. WebAuthn, on the other hand, allows online services to use FIDO authentication via a standard web API (application programming interface), which can be integrated into browsers and allows devices to communicate.
FIDO technologies for everyone
In practice, the partners are announcing two new features that will be implemented over the coming year. Users could be authenticated via FIDO on all their devices from the moment they are logged into their account, by authenticating on only one of the devices. They could also use, for example, their telephone to authenticate themselves on their computer, regardless of the operating system or the browser.
Note that these three companies have been working for a long time to remove passwords. Thus, since September 2021, Microsoft has allowed users to rely on biometric identification, a security key or an SMS verification code to access all of their accounts.