Skip to main content

When can we finally get rid of passwords?

When can we finally get rid of passwords?

/

The tech exists to replace them, but adoption is lagging behind

Share this story

death of the password

On February 25th, Google introduced a new feature to Android that could have huge implications for our online security. The company announced that all Android devices running on version 7.0 and higher are now FIDO2 certified for password-free logins. Overnight, millions of Android users worldwide suddenly found themselves with a security key in their pocket. That security key has the potential to one day make passwords, and all of their accompanying problems and vulnerabilities, a thing of the past.

Passwords are the main system that keeps our digital lives secure, but they’re increasingly not up to the task. Most people reuse an endless series of easy-to-guess phrases, and the underlying technology is also vulnerable to a wide range of attacks. All a hacker needs to do is convince you that their dodgy website or email is from your bank or other online service, and they can trick you into revealing your password (a so-called “phishing” attack) and gain entry to your account.

The FIDO2 standard is designed to replace password-based systems

But that system could change under the FIDO2 standard. Rather than having to type in a string of characters (or, let’s face it, have a browser or password manager type it in for you), you authenticate through a security key or a biometric device like a fingerprint reader. Previously, the majority of these keys were USB sticks or Bluetooth dongles, but following Google’s announcement, your Android phone can perform the same authentication as a security key. The complex handshake between the security key and device means there’s nothing you need to remember and nothing useful that can be intercepted.

The standard has the potential to replace passwords entirely, and Google is actively working toward that future. “The world that we’d love to see is one where you don’t even have to do a traditional authentication with, say, a password,” Steven Soneff, a product manager at Google, tells The Verge. If you’re already signed in to your phone, then this could be used to “bootstrap” the next device that you want to sign in to your Google account, “and you never even had to deal with the username password for your Google account itself.”

In order to offer this kind of login, websites use a part of the FIDO2 standard called WebAuthn, an open protocol that was approved by the World Wide Web Consortium (W3C) at the beginning of March. There is a small but growing list of sites that have done so: Dropbox added support last May, Microsoft followed in December, and Google supports WebAuthn as of April 10th. In order to log in using this standard, your browser also needs to support WebAuthn; Chrome, Edge, Firefox, and Safari have all begun to do so.

Microsoft, Dropbox, and Google have already integrated FIDO2 to varying degrees

So far, however, only one of these sites has actually used the FIDO2 standard to replace the password entirely. Microsoft’s integration lets you use either Windows Hello or a physical security key as the only thing needed to unlock your account. Google and Dropbox, meanwhile, use WebAuthn as an additional layer of security alongside your traditional password, much like a code-generating authentication app on your phone. That’s not necessarily a bad thing. WebAuthn is still a much more secure way of offering this second factor of authentication since it can’t be phished the way six-digit login codes can. But it’s still falling short of the full potential of the spec.

But most companies aren’t yet ready to replace passwords entirely. Soneff says that an entirely password-free future is the goal Google is working toward, but the company was unwilling to say when this functionality might be rolled out.

When Dropbox first announced support for WebAuthn last year, it said that it believes “enabling WebAuthn for two-step verification strikes the right balance for most users right now.” When asked for comment for this piece, the company’s director of security, Rajan Kapoor, said, “We hope that passwords will one day no longer be the only, or even primary, option for logging in.” But, he added, “there are a number of issues around usability and adoption that need to be resolved before we’ll see passwords replaced.”

“Enabling WebAuthn for two-step verification strikes the right balance for most users right now.”

With every modern Android device gaining FIDO2 certification, Dropbox’s complaint about the adoption levels of the standard looks like less of an issue. However, there’s still work to be done addressing its usability. For example, what happens if you lose your authentication device? This recovery mechanism is a tricky problem to solve, according to Soneff, and Google is looking at a number of ways of handling it. “The recovery mechanism is often the weakest link and where attackers will find their way in,” Soneff says, adding that this will be a key problem to solve in order to handle recovery at scale.

There’s also the iPhone problem. FIDO2 authentication has no hope of going mainstream unless Apple’s phones can be used as security keys alongside their Android counterparts. Yes, websites could technically ask iPhone users to use a separate hardware security key like a Yubico USB device, but Soneff thinks that the high barrier to entry of having to buy specialized hardware means that this kind of security key is unlikely to be used by anyone outside of enterprise users.

There is evidence that Apple is interested in moving beyond the password. The company already allows you to use your Apple Watch to log in to your Mac, and there are rumors that this functionality might be set to expand in the future. Apple clearly knows that passwords are flawed and is thinking about replacing them. But so far, it’s been content to do so within its own walled ecosystem rather than by embracing an industry-wide standard like FIDO2.

“Certification is optional.”

When I asked the FIDO Alliance’s Brett McDowell about the possibility of Apple having its devices become FIDO2 certified, he refused to comment. He did say that adding FIDO2 functionality doesn’t actually require certification. It’s an open standard, after all. He says certification is an “opportunity” for vendors to make sure their product will interoperate with other products in the market and conform properly to the standard. Otherwise, “certification is optional.”

But even when all of the work is complete on the technology itself, the password is unlikely to disappear entirely. McDowell tells me that he thinks passwords will continue to exist alongside FIDO2 authentication for “a considerable period of time,” similar to how most phones now allow you to use a PIN as an alternative to biometric security. You might use your fingerprint to log in 99 percent of the time, but your PIN is always available if you need it.

“User habits and market forces will make the password a novelty, but it’ll still be a supported novelty for a long time,” McDowell says. “Over time, market forces will make the password less and less interesting, less viable, and less effective.”