FIDO Alliance says it has finally killed the password

There's a new proposal on eliminating passwords, but it relies on putting a lot of security eggs into OEM security baskets. 

The FIDO Alliance has been trying to eliminate passwords since its inception in 2012. Ten years on it has yet to see that dream realized but the organization said it has finally come up with a mechanism that will, "for the first time be able to replace passwords as the dominant form of authentication on the internet."

FIDO has a long history of authentication innovation, being responsible for the USB hardware keys that were everywhere for a while (and are still used in many secure settings), as well as being part of the team (with W3C) that published the WebAuthn security specification.

Unfortunately, security implementations with extra bits (like physical keys) break what FIDO said is a key rule in the world of consumer products: "It has to 'just work' without requiring additional devices or inconveniences," the paper said. That goes for enterprise solutions as well – users won't take well to anything that makes their jobs more cumbersome.

It's to that end that FIDO announced, in partnership with W3C, a new version of WebAuthn that addresses the chains keeping the world bound to passwords.

FIDO's latest vision for passwordless

FIDO's new solution to the password problem has been staring us in the face, or rather we've been staring at it, for years: our smartphones. 

"A smartphone is something that end-users typically already have. Virtually all consumer-space two-factor authentication mechanisms today already make use of the user's smartphone," FIDO said. 

The alliance also pointed out that existing multi-factor security software is prone to phishing. One-time passwords can be entered into malicious sites, and login prompts don't necessarily distinguish between legitimate and fake sites. Ergo, we've gotta get rid of passwords altogether.

The smartphone's role in all of this is key, which means two things, according to FIDO. It needs to be a roaming authenticator, and the cryptographic identity bound to a particular device needs to be able to be relocated without requiring a password to do so. 

• Would-be password-killer FIDO Alliance aims to boost uptake with new UX guidelines
• Password killer FIDO2 comes bounding into Azure Active Directory hybrid environments
• GitHub upgrades two-factor authentication with WebAuthn support
• Google shores up G Suite against hapless users in the enterprise: App whitelist, physical security keys, and more

This framework for passwordless authentication relies heavily on mobile devices, and thus also on the security of the underlying OS. That's by design, FIDO said. 

"This shift from letting every service fend for themselves with their own password-based authentication system, to relying on the higher security of the platforms' authentication mechanisms, is how we can meaningfully reduce the internet's over-reliance on passwords at a massive scale," FIDO said. 

The second component of the proposal, which would turn devices into roaming authenticators, requires Bluetooth, which would be used as a proximity logon protocol. This should come as no surprise to anyone familiar with FIDO's previous work.

Bluetooth under this proposal would be used for both proximity-based authentication and to authenticate a new device, eliminating the need for passwords when switching to a new smartphone. 

FIDO is putting your security in OEM hands

FIDO makes clear that the whitepaper detailing its proposal is not a change in its standards. Rather, "it is a change we expect authenticator vendors to make in their authenticator implementation," FIDO said. 

The paper acknowledges that FIDO's proposal wouldn't necessarily boost security to AAL3 levels, but said it would still be better than using plain passwords of phishable second factors. That may be the case, but a key question remains: will businesses be OK with trusting their security to an OEM?

FIDO cites Apple's adoption of "Passkeys," which use iOS biometrics and iCloud Keychain public keys to verify identities, as one example of its proposal in action. For supported apps, Passkeys are able to authenticate users without a password of any kind, not even one that iOS autofills in the background.

Time will tell if enterprises are willing to trust in Apple, Samsung, Microsoft, and the rest of Big Tech to be the ultimate arbiters of their organization's credentials. ®