Internet-related News · 2022-03-23

FIDO Alliance proposes mechanism for a “passwordless” future

In July of 2012 the FIDO Alliance (Fast Identity Online) was created to tackle the need for more secure online authentication; the current status quo of username/password verification is inadequate, since passwords are relatively easy to compromise & users struggle to remember separate credentials for the many sites they use.

Now, the Alliance is set to alter the standards of authentication by offering a more secure & simpler system, which will replace the reliance on passwords across the board. Its proposal is based on mechanisms that are currently in use in high-security instances, such as government departments & banking institutions. These organizations often rely on a cryptographically enabled smartcard to perform verification & the system is supported by hardware card readers, which would not port well for online use cases. However, FIDO has identified a solution in the form of replacing said smartcard with a device most of us across the globe already own – the smartphone.

The only issues with using a device for authentication are:

  1. A person may have multiple devices, all of which would need to be synced.
  2. A person might lose or replace their device, which means that there would need to be backup mechanisms to verify the new device & revoke stolen, old or lost devices.
  3. Systems would need to be in place for a variety of use cases, which include physical verification, say for buying goods in-store as well as online.

The Alliance offers solutions to all these problems, such as installing the verification mechanism as a standard across all manufactured devices so that multiple devices can be synced for authentication. This would be the responsibility of the Original Equipment Manufacturer (OEM), but would occur based on pre-approved & standardized systems.

Passwordless FIDO uses a device’s biometric scanner (or a master PIN you select) to authenticate you locally without sending any of your data over the internet to a web server.

Options to register new devices & delete old or lost ones would be part of the system as well as a Bluetooth-proximity reader for in-store purchases. All these innovations would be most welcome to consumers who are tired of being the target of hackers & are very weary of attempting to remember multiple passwords.

Currently, the three accepted types of verification available to consumers are:

AAL1 (Authenticator Assurance Level 1)

AAL1 refers to the basic username/password system of verification. This type of authentication is often independently implemented with varying standards of security. Usernames & passwords are stored in a database (often alongside associated personal information, such as email addresses, phone numbers & names). The level of encryption is not standardized & security is often weak, which means that the information is hackable.

Also, passwords are difficult to remember. The best defenses are scant: use generic email addresses that are not personalized (that is, do not use johnsmith@gmail.com), use a password manager, & change passwords regularly.

AAL2

Two-factor authentication, which relies on an OTP (One Time PIN) sent to the user’s phone, usually via SMS, although some services use WhatsApp or email. The user must input the PIN correctly on the vendor’s site before they can log in. This system has been widely adopted by online banking & by Google.

The problem with this system is that it is vulnerable to phishing attacks: consumers can be hoodwinked into entering the PIN & various other sensitive information on phishing sites set up to look authentic (replicas of the original site with a similar domain).

AAL3

The most secure level relies on authentication via synced, approved devices or systems that include hardware such as smart cards, or biometric systems such as facial & fingerprint recognition. The FIDO Alliance offers this level of security & since it proposes to use smartphones (mobile devices), the method is set to find widespread adoption.

The most important aspect that users will need to watch is whether businesses are ready to trust OEMs & associated heavyweight tech players such as Google to implement a system that will result in a passwordless future. However, FIDO is confident that its alternatives to the password will be adopted. It cites Apple’s implementation of Passkeys for apps (its iOS biometrics & iCloud Keychain public keys, which are used for verification purposes), which work without passwords, & the system is working well.
