Password systems have been used for many years because they were among the earliest and easiest to implement security systems. Unfortunately, as time has passed, these mechanisms, especially single-password systems, have proven inconvenient and highly vulnerable.
This is one of the reasons why the Fast Identity Online Alliance, or FIDO, has moved toward implementing password-free systems like biometrics. This, however, has presented its own set of challenges. More initiatives are now being taken to help overcome these barriers.
The Phone As Lock & Key
One of the challenges to password-free systems has been the inconvenience some experience over needing multiple authentication mechanisms for multiple devices. A password—even if this is ill-advised—can be applied to numerous devices and accounts. In contrast, some password-free mechanisms require peripherals like USB keys that are specific to one device and thus may require multiple peripherals for multiple devices, increasing the challenge and inconvenience of using them.
One approach to streamline this is to have a single device, such as a smartphone, act as the security token for multiple devices. Using the password-free mechanism on the smartphone would then grant access to a desktop or laptop computer without a separate login on that device.
Another approach to make the experience more convenient and seamless is to assign a “private key” to multiple devices. This would mean that a user could use a smartphone, a PC log-in, or a physical USB key or token to satisfy a password-free authentication requirement. Any of these devices would be accepted rather than requiring a specific token or device for one particular account.
These approaches make it faster and easier to use password-free systems, helping to wean users away from more traditional, vulnerable, and less convenient password-based security measures. They also reduce the risk that losing one specific phone or USB security token locks rightful users out of their data.
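To make the two approaches above concrete, here is an added example (not code from the original post or from the FIDO Alliance) of the public-key challenge/response that underlies FIDO authentication. A relying party stores only a public key at registration; a device holding the matching private key proves possession by signing a fresh challenge. The same private key copied to a second device, the post's “private key assigned to multiple devices”, is accepted just as the first device is, while an unregistered device, a signature produced for a different site, and a replayed signature are all rejected. The relying-party name “example.com”, the device names, and the simplified message format (a hash over the relying-party ID and the challenge, with no WebAuthn attestation or authenticator data) are assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Credential is what the relying party keeps after registration:
// the public key only, never the private key.
type Credential struct {
	ID  string
	Pub *ecdsa.PublicKey
}

// RelyingParty models a web service that authenticates with a signed
// challenge instead of a password. The ID is a constructed example.
type RelyingParty struct {
	ID         string
	creds      map[string]*Credential
	challenges map[string][]byte // outstanding, single-use challenges per credential
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]*Credential{}, challenges: map[string][]byte{}}
}

// Authenticator models a device holding a private key: a phone, a laptop's
// built-in authenticator, or a USB security key.
type Authenticator struct {
	Name   string
	CredID string
	priv   *ecdsa.PrivateKey
}

// NewAuthenticator generates a fresh P-256 key pair and a random credential ID.
func NewAuthenticator(name string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	return &Authenticator{Name: name, CredID: hex.EncodeToString(id), priv: priv}, nil
}

// CloneTo gives a second device a copy of the same credential, which is how a
// multi-device credential lets any of the user's devices answer a challenge.
func (a *Authenticator) CloneTo(name string) *Authenticator {
	return &Authenticator{Name: name, CredID: a.CredID, priv: a.priv}
}

// Register stores the device's public key under its credential ID.
func (rp *RelyingParty) Register(a *Authenticator) {
	rp.creds[a.CredID] = &Credential{ID: a.CredID, Pub: &a.priv.PublicKey}
}

// BeginLogin issues a fresh 32-byte random challenge for a known credential.
func (rp *RelyingParty) BeginLogin(credID string) ([]byte, error) {
	if _, ok := rp.creds[credID]; !ok {
		return nil, errors.New("unknown credential")
	}
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.challenges[credID] = ch
	return ch, nil
}

// signedData binds the challenge to the relying-party ID, so a response
// obtained for one site cannot be presented to another.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Respond signs the challenge for the named relying party with the device's private key.
func (a *Authenticator) Respond(rpID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(rpID, challenge))
}

// FinishLogin consumes the outstanding challenge and verifies the signature
// against the stored public key.
func (rp *RelyingParty) FinishLogin(credID string, sig []byte) error {
	cred, ok := rp.creds[credID]
	if !ok {
		return errors.New("unknown credential")
	}
	ch, ok := rp.challenges[credID]
	if !ok {
		return errors.New("no outstanding challenge (replay?)")
	}
	delete(rp.challenges, credID) // each challenge is usable exactly once
	if !ecdsa.VerifyASN1(cred.Pub, signedData(rp.ID, ch), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// LoginWith runs the full exchange for one device.
func LoginWith(rp *RelyingParty, a *Authenticator) error {
	ch, err := rp.BeginLogin(a.CredID)
	if err != nil {
		return err
	}
	sig, err := a.Respond(rp.ID, ch)
	if err != nil {
		return err
	}
	return rp.FinishLogin(a.CredID, sig)
}

func main() {
	rp := NewRelyingParty("example.com")
	phone, _ := NewAuthenticator("phone")
	rp.Register(phone)
	laptop := phone.CloneTo("laptop") // same credential on a second device
	fmt.Println("phone login:", LoginWith(rp, phone))
	fmt.Println("laptop login:", LoginWith(rp, laptop))
	stranger, _ := NewAuthenticator("unregistered")
	fmt.Println("unregistered device:", LoginWith(rp, stranger))
}
```

Because the relying party sees only the public key, it cannot tell which of the user's devices answered; that is what makes losing one device survivable, and it is also why the security of whatever mechanism copies the private key between devices matters as much as the key itself.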
Working Toward The Future
However, there are still issues that need to be considered moving forward. Larger tech companies such as Google or Microsoft use their own online “cloud” architecture to synchronize data across multiple devices. While this is convenient, the FIDO Alliance must work closely with these tech and service providers to ensure that the standards-based FIDO-enabled security on such cloud synchronization systems is strong enough to protect private data and access from theft, surveillance, or intrusion. It’s always a balancing act between security and user experience.
If you’re interested in using the FIDO protocol and moving to a passwordless authentication system, read here to learn more.