866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Are Passwords Still Secure? A Look at Other Alternatives Blog Feature

By: Schellman

Print/Save as PDF

Are Passwords Still Secure? A Look at Other Alternatives

Cybersecurity Assessments

FIDO Says Look to Authentication Alternatives.

Stop me if you’ve heard this before:

“Your password must be:

  • At least 8 characters—the more characters, the better.
  • A mixture of both uppercase and lowercase letters.
  • A mixture of letters and numbers.
  • Inclusion of at least one special character, e.g., ! @ # ? ]”

We’ve seen these requirements for years now, and we’ve agonized over how to satisfy them over and over. It’s led to all of us trying to remember all your different passwords for various accounts. If you don’t already have a password manager to help with all that, it’s likely made a mess of your brain trying to keep track.

(Pro Tip: if you’re not using a password manager to create and manage random, unique-per-account password values across your various work and personal accounts, you’re making a serious mistake.)

But are passwords even still viable? You might say “unfortunately,” but in March 2022, the Fast Identity Online Alliance (FIDO) published a new white paper advocating for the adoption of their new specifications. They paint a picture of a near-future where passwords are finally a relic of the past.

But that’s a promise we’ve heard before, and obviously, it’s a tall order. In this article, we’ll detail why other authentication methods have yet to overtake passwords as a similar security option. Then we’ll delve into FIDO’s new specifications and how they might finally render passwords obsolete.

Passwords may hold out for a while yet, but after reading, you’ll be more prepared if and when widespread adoption of other methods becomes reality.

Why Are Passwords Still the Default Authentication Method?

 

We’ve well established how annoying passwords can be, but despite their flaws—especially against modern attack techniques—they remain omnipresent if there’s something to protect.

That’s because other authentication mechanisms have faced challenges with implementation, user adoption, and their own security issues, but why is that?

There’s trouble at both ends of the spectrum—for the highly secure methods and of course, for those that are less so.

  • People haven’t taken to high-security, special use schemes because historically, they’ve made use of complex, expensive hardware like:
    • Smart cards;
    • Hardware tokens providing one-time codes; or
    • Modern USB devices that contain cryptographic material used for authentication.

When that’s your alternative, collectively it’s been easier to opt for a password.

 

  • But people also still want to be secure even if they don’t like those more complicated methods. The other problem with some of these other consumer-facing authentication mechanisms—namely, apps on mobile phones—is that they operate in a manner that still exposes the user to phishing or social engineering. Bad actors can subvert these methods using SMS messages, app-based one-time passwords (OTPs), or push notifications sent to the phone.

Consumers also typically prefer portable methods—the ones that actually have been accepted have relied on the universality of mobile phones. If you’ve ever lost your mobile phone or replaced it with a new one, you know that it’s a potentially fraught process.

You have to transfer everything over, and it’s easier to just log in rather than dealing with moving underlying cryptographic keys or other authentication methods. Those alternatives are not always intuitive and sometimes can result in the loss of credentials. This sticking point has helped passwords continue to reign as the #1 authentication choice.

 

How the New FIDO Specifications Seek to Change Authentication

But as we mentioned, that may not be for long.

These new FIDO specifications—along with the related W3C WebAuthn specification—allow for a range of authentication mechanisms, including some for mobile phone-based authenticators to address that portability point:

  • Unlike many existing mobile phone authentication mechanisms, FIDO describes an authenticator that requires your mobile phone to make a Bluetooth connection with the endpoint rather than the user conveying an OTP or responding to a push notification.
    • As detailed in this white paper and other FIDO standards, this minimizes the possibility of a phishing attack, as the holder of the phone must be in proximity to the device for the authentication to work.
  • For those users willing to invest in them, FIDO also supports hardware tokens such as YubiKeys for high-security use cases.
  • Other implementations that FIDO mentions include Apple’s passkeys that store the underlying cryptographic secrets in iCloud.
    • This allows transfers between devices, letting you switch devices and easily recover your passkeys. You can then continue using your device for authentication in ways that don’t add extra steps for recovery.

If adoption of other authenticators has been a problem in the past, the FIDO Alliance claims that’s not the case any longer. They say that the operating systems, mobile devices, and browsers supporting their specifications—as well as WebAuthn—have reached an adoption critical mass on established, everyday platforms such as desktop operating systems, cell phones, and web browsers.

That means sites and applications can now make use of these other authentication mechanisms and no longer need to require passwords as the means of authenticating users.

What is Preventing Change in Authentication?

That said, some troubles remain:

  • Despite the prevalence of mobile phones, FIDO capabilities only exist in the most current tier of operating systems and hardware, so those of you with older devices are left out of these features.
  • The security of FIDO’s scheme also relies on the quality of implementation amongst browsers, operating systems, and the like.
    • Just like advancing tech, attackers aren’t stagnant either. Even if more widespread adoption happens, bad actors will likely shift their focus. As they adjust to the different authenticators, attackers may instead focus on finding vulnerabilities in the implementation of these measures.

That said, the evidence supporting FIDO’s advocacy for methods other than passwords is there.

 

As perhaps the primary example, in the credit and debit card space, the adoption of chip cards resulted in a significant drop in card-present fraud. (Naturally, it also meant a shift to more card-not-present fraud.) However imperfect, not only does this adoption of chip cards mark an unambiguous gain for security, but it also suggests that a similar adoption of FIDO or similar authentication standards will yield similar gains.

What’s Next for Passwords?

 

Despite these steps, it remains to be seen whether more widespread adoption of these specifications will take place. Industries such as consumer banking, e-commerce, or social media may not yet support FIDO or WebAuthn within their applications even if their users possess the platforms to use them.

That’s what everything will hinge on—whether or not popular applications will finally become willing to adopt this approach. So while passwords may hang on a little longer, you now understand a little more about the authentication methods that could soon render them a thing of the past.

If you’re interested in learning more about current cybersecurity topics, make sure you read our content on the different aspects. It’s the Wild, Wild West out there, and these articles will help you stay apprised of the latest amidst a changing landscape:

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.