Passwords are antiquated and insecure. It’s time to eliminate them altogether. Experts from FIDO explain how to enable authentication without passwords.
The original version of this post was published in Forbes.
Last week it wasn’t just, as has become depressingly common, “another day, another data breach.” It was breaches that generated debates over passwords. Which provided yet more evidence that it is past time to make them extinct—since they make all of us users an endangered species.
The first came courtesy of Quora, probably the most popular Q&A site on the web. The company posted a notice of a “compromise” that affected more than 100 million registered users—an estimated third of its monthly user base.
As CEO Adam D’Angelo put it, “We recently discovered that some user data was compromised as a result of unauthorized access to one of our systems by a malicious third party.”
The other came from Citrix Systems, which forced a password reset for users of its ShareFile content collaboration service to head off what company CISO Stan Black said was not a breach of ShareFile itself, but evidence of “credential stuffing,” where hackers who have stolen emails or passwords through other breaches try to use those credentials on other sites.
Which should never happen, of course, since we are all told constantly never to use the same password for multiple sites. But, as we all know, it does happen since just about everybody does exactly that.
And it illustrates once again what numerous security experts have been saying for years: Passwords are a lousy—really lousy—way to secure anything online, especially when there are now alternatives that are much better and yes, even easier.
In the case of the Quora breach, much of the speculation was about the level of encryption for the passwords.
Multiple outlets reported that D’Angelo had first written in his blog post that the passwords were simply “hashed with a salt that varies for each user,” but after critics pointed out that a simple hash wouldn’t offer much protection, D’Angelo’s revised post said the passwords had been “hashed using bcrypt,” which would make cracking them much more difficult.
Still, D’Angelo noted that “it is generally a best practice not to reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so.”
In the case of Citrix, Black’s declaration that “We moved quickly and decisively to end (a credential-stuffing attack) for the benefit of our users,” along with a notice that the company will be “incorporating a regularly scheduled forced password reset into our normal operating procedures,” got some major blowback from users who weren’t feeling the benefit.
They noted that it is no longer considered best practice to change passwords for no reason other than that a few months have gone by.
In the comments section of Black’s post, one user wrote, “My password is securely stored in LastPass. It’s a 16-character indecipherable mass of gibberish that is unique to this site. Don’t punish me for the bad security practices of other users by forcing me to reset it on a regular basis.”
“Not to mention, forced password resets were deprecated as a best practice by NIST over two years ago.”
Indeed, that advice has been coming from more than NIST (National Institute of Standards and Technology). In March 2016, Lorrie Cranor, then chief technologist of the Federal Trade Commission (FTC), declared in a blog post that it was “time to rethink mandatory password changes.”
And security guru, author, blogger, and CTO of IBM Resilient Systems Bruce Schneier took extreme issue with a recent column in USA Today that recommended changing passwords every six months.
“No, no no—a thousand times no,” he wrote on his blog.
The reason? As experts have been saying for years, when people are forced to change their passwords regularly, they tend to use weaker ones. They make small changes to the old ones, which ends up making security weaker, not stronger.
But such squabbles wouldn’t be necessary if we weren’t using an authentication method that is demonstrably broken. Which is why numerous experts have called for eliminating passwords—the FIDO (Fast IDentity Online) Alliance has been promoting that since 2012.
Phil Dunkelberger, CEO of Nok Nok Labs and a FIDO member, has said more than once that the username and password paradigm “was never designed for, and is inherently incapable of addressing, the use cases of modern society.”
Not just for technological reasons, of course. Users frequently make it ridiculously easy for attackers. As Nabil Hannan, managing principal at Synopsys, put it, passwords need to be obsolete because “they tend to be pretty weak or predictable, and people have a tendency to reuse the same password across different applications.”
And Brett McDowell, FIDO’s executive director, said even “strong passwords”—a phrase he labels an oxymoron—are no better, because “as long as the password is the key to get us into our accounts, users will be tricked into giving that password to the wrong party.”
Indeed, of the three most common authentication factors—something you know, something you have, and something you are—the weakest is something you know, since an effective phishing attack can trick a user into giving it away.
McDowell said even one-time passcodes (OTP) are failing “because they can simply be given to a remote attacker as easily as a password.”
He said there is now a move to a fourth factor—behavioral authentication or “something you do”—because many companies “know they have to protect themselves from users who already have the correct passwords to get into their accounts.”
The fundamental problem, he said, is an authentication system based on “shared secrets,” where things like passwords are known by both parties of a transaction.
The solution, he said, is a system in which a user’s device “creates and uses cryptographic private keys as your new account credentials and securely stores them to your personal device in the same way most smartphones now securely store your fingerprint data.”
That, he said, is the model promoted by both NIST and FIDO.
Of course, another reality (which McDowell acknowledges) is that users will reject better security if it costs them even a few seconds of extra time.
“While hard numbers are hard to come by, anecdotally most services that offer 2FA using OTPs as a second layer of protection will be doing incredibly well if they get 10% of their users to opt-in,” he said.
But he said the campaign to eliminate passwords has taken that into account. He said the cryptographic key model is both easier and faster than a password. “Users of FIDO-enabled devices simply verify themselves to their personal device and then that device cryptographically signs authentication challenges from the online application,” he said, adding that the user can do that with a single gesture—a fingerprint, looking at a camera, or speaking a passphrase—obviously much easier than tapping a password into a tiny device.
Another reality, however, is that even the best authentication system in the world won’t gain much traction unless the major online players adopt it. Which may explain why, six years since FIDO launched, passwords still prevail.
But that is, finally, starting to change. McDowell said the latest FIDO standards, known collectively as FIDO2, “were specifically designed to be built directly into operating systems and web browsers.”
And he said that is happening—they are already built into the latest versions of Windows 10, Google Play Services on Android, and the Chrome, Firefox, and Edge web browsers.
And as reported just last week, Apple has shipped FIDO2 support in its latest developer preview version of the Safari web browser.
Passwords likely won’t disappear entirely for a long time. But McDowell says he sees a near future where users will be required to enter a password “about as often as we encounter public telephone booths in public spaces.”
That would be welcome, and long overdue.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.