Skip to content

OPLIN 4Cast #802: Freedom from passwords? Maybe.

Posted in Security

Last updated on May 10, 2022

Are you tired of the OPLIN 4cast and everyone else haranguing you to create good passwords, start using a password manager, and implement multifactor authentication? Well, there are signs that things are about to get better. On World Password Day last week, our operating system overlords at Microsoft, Google, and Apple announced the companies would all be adopting the standard created by the FIDO Alliance. (FIDO stands for “Fast Identity Online.”)

The proposal, in short, is that your computer and your phone will share an encrypted passkey. When you want to log into a website, instead of asking for a password your computer will detect (through Bluetooth) that your phone is nearby, and when you unlock it, the two devices can confirm the passkey. This is more secure than the method you may already be familiar with—receiving an expiring code through text—because your phone, unlocked with your biometrics (fingerprint or face i.d.), will be at the computer where you’re trying to access your account.

We’ve been promised an end to passwords before, so I wouldn’t hold my breath. And of course our public computers won’t make this easy on anybody. Still, the fact that the major tech giants are all agreeing on something could be cause for celebration, right?

  • Apple, Google and Microsoft Commit to Expanded Support for FIDO Standard to Accelerate Availability of Passwordless Sign-Ins [FIDO Alliance] “This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS.”
  • How Apple, Google, and Microsoft will kill passwords and phishing in one stroke [Ars Technica] “By presenting a facial scan or fingerprint to the device, I’ll be able to log in without having to type a password, which is faster and much more convenient. Equally important, the credential can be stored online so that it’s available when I replace or lose my current phone, solving another problem that has plagued some MFA users—the risk of being locked out of accounts when phones are lost or stolen.”
  • One step closer to a passwordless future [The Keyword] “The passkey makes signing in far more secure, as it’s based on public key cryptography and is only shown to your online account when you unlock your phone. To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access. Once you’ve done this, you won’t need your phone again and you can sign in by just unlocking your computer.”
  • Your Phone May Soon Replace Many of Your Passwords [Krebs on Security] “Recent research shows far too many people still reuse or recycle passwords (modifying the same password slightly), which presents an account takeover risk when those credentials eventually get exposed in a data breach. A report in March from cybersecurity firm SpyCloud found 64 percent of users reuse passwords for multiple accounts, and that 70 percent of credentials compromised in previous breaches are still in use.”

From the Ohio Web Library: