Are Passwords Still Useful?

FIDO Says Look to Authentication Alternatives.

Stop me if you’ve heard this before:

“Your password must be:

  • At least 8 characters—the more characters, the better.
  • A mixture of both uppercase and lowercase letters.
  • A mixture of letters and numbers.
  • Inclusion of at least one special character, e.g., ! @ # ? ]”

We’ve seen these requirements for years now, and we’ve agonized over how to satisfy them over and over. It’s led to all of us trying to remember all of our different passwords for various accounts. If you don’t already have a password manager to help with all that, keeping track has likely made a mess of your brain.

(Pro Tip: if you’re not using a password manager to create and manage random, unique-per-account password values across your various work and personal accounts, you’re making a serious mistake.)

But are passwords still viable at all? Unfortunately, yes, for now. In March 2022, though, the Fast Identity Online Alliance (FIDO) published a new white paper advocating for the adoption of its new specifications. It paints a picture of a near future in which passwords are finally a relic of the past.

But that’s a promise we’ve heard before, and obviously, it’s a tall order. In this article, we’ll detail why other authentication methods have yet to overtake passwords as the default security option. Then we’ll delve into FIDO’s new specifications and how they might finally render passwords obsolete.

Passwords may hold out for a while yet, but after reading, you’ll be more prepared if and when widespread adoption of other methods becomes reality.

Why Are Passwords Still the Default Authentication Method?

We’ve well established how annoying passwords can be, but despite their flaws—especially against modern attack techniques—they remain omnipresent wherever there’s something to protect.

That’s because other authentication mechanisms have faced challenges with implementation, user adoption, and their own security issues, but why is that?

There’s trouble at both ends of the spectrum—for the highly secure methods and of course, for those that are less so.

  • People haven’t taken to high-security, special use schemes because historically, they’ve made use of complex, expensive hardware like:
    • Smart cards;
    • Hardware tokens providing one-time codes; or
    • Modern USB devices that contain cryptographic material used for authentication.

When that’s your alternative, collectively it’s been easier to opt for a password.

  • But people also still want to be secure even if they don’t like those more complicated methods. The other problem with some of these other consumer-facing authentication mechanisms—namely, apps on mobile phones—is that they operate in a manner that still exposes the user to phishing or social engineering. Bad actors can subvert these methods using SMS messages, app-based one-time passwords (OTPs), or push notifications sent to the phone.

Consumers also typically prefer portable methods—the ones that actually have been accepted have relied on the universality of mobile phones. If you’ve ever lost your mobile phone or replaced it with a new one, you know that it’s a potentially fraught process.

You have to transfer everything over, and it’s easier to just log in rather than dealing with moving underlying cryptographic keys or other authentication methods. Those alternatives are not always intuitive and sometimes can result in the loss of credentials. This sticking point has helped passwords continue to reign as the #1 authentication choice.

How the New FIDO Specifications Seek to Change Authentication

But as we mentioned, that may not be for long.

These new FIDO specifications—along with the related W3C WebAuthn specification—allow for a range of authentication mechanisms, including some for mobile phone-based authenticators to address that portability point:

  • Unlike many existing mobile phone authentication mechanisms, FIDO describes an authenticator that requires your mobile phone to make a Bluetooth connection with the endpoint rather than the user conveying an OTP or responding to a push notification.
    • As detailed in this white paper and other FIDO standards, this minimizes the possibility of a phishing attack, as the holder of the phone must be in proximity to the device for the authentication to work.
  • For those users willing to invest in them, FIDO also supports hardware tokens such as YubiKeys for high-security use cases.
  • Other implementations that FIDO mentions include Apple’s passkeys that store the underlying cryptographic secrets in iCloud.
    • This allows transfers between devices, letting you switch devices and easily recover your passkeys. You can then continue using your device for authentication in ways that don’t add extra steps for recovery.

If adoption of other authenticators has been a problem in the past, the FIDO Alliance claims that’s not the case any longer. They say that support for their specifications, and for WebAuthn, has reached critical mass across the everyday platforms people already use: desktop operating systems, mobile phones, and web browsers.

That means sites and applications can now make use of these other authentication mechanisms and no longer need to require passwords as the means of authenticating users.

What is Preventing Change in Authentication?

That said, some troubles remain:

  • Despite the prevalence of mobile phones, FIDO capabilities only exist in the most current tier of operating systems and hardware, so those of you with older devices are left out of these features.
  • The security of FIDO’s scheme also relies on the quality of implementation amongst browsers, operating systems, and the like.
    • Just like advancing tech, attackers aren’t stagnant either. Even if more widespread adoption happens, bad actors will likely shift their focus. As they adjust to the different authenticators, attackers may instead focus on finding vulnerabilities in the implementation of these measures.

That said, the evidence supporting FIDO’s advocacy for methods other than passwords is there.

As perhaps the primary example, in the credit and debit card space, the adoption of chip cards resulted in a significant drop in card-present fraud. (Naturally, it also meant a shift to more card-not-present fraud.) However imperfect, not only does this adoption of chip cards mark an unambiguous gain for security, but it also suggests that a similar adoption of FIDO or similar authentication standards will yield similar gains.

What’s Next for Passwords?

Despite these steps, it remains to be seen whether more widespread adoption of these specifications will take place. Industries such as consumer banking, e-commerce, or social media may not yet support FIDO or WebAuthn within their applications even if their users possess the platforms to use them.

That’s what everything will hinge on—whether or not popular applications will finally become willing to adopt this approach. So while passwords may hang on a little longer, you now understand a little more about the authentication methods that could soon render them a thing of the past.


About the Author

Jacob Ansari

Jacob Ansari is the Security Advocate at Schellman, where he leads the firm's security best practices advocacy. Jacob develops and leads educational efforts on security practices, emerging and extant threats, and related industry developments for both internal and external audiences, and regularly represents the firm as an experienced security practitioner, security officer, and industry expert on technical information security matters and leadership in the space. Jacob has also acted as the CISO for the firm and has an extensive history in a client-facing role as the technical lead for Schellman’s PCI services. Additionally, Jacob has experience with other Payment Card Industry assessment services, namely Software Security Framework, PA-DSS, P2PE, 3DS, and PIN. Jacob has extensive technical expertise on matters of information security, compliance, application security, and cryptography, and has been performing payment card security assessments since the card brands operated the predecessor standards to PCI DSS. Over the 20 years of his career, Jacob has spoken extensively on security-related matters, trained and mentored assessors, and contributed to groups on emerging standards, advisory bodies, and special interest groups.
