Passwords are a good idea in theory. In practice, there are so many things that can go wrong. Password-based authentication is effective if services store passwords securely and if users choose and manage their passwords properly. History shows us that we can’t rely on either party to do the right thing.
The limitations inherent to passwords can be mitigated with password managers and two-factor authentication, but these strategies don’t solve the fundamental problems: passwords are inconvenient, they are shared secrets that the service must store, and they can be phished or leaked.
Password managers are only as secure as the master password and the device that holds the vault. Two-factor authentication buys extra security at the cost of convenience and additional complexity, and one-time codes can still be phished.
Convenient and Secure
The ideal authentication system is convenient, it doesn’t depend on secrets that can be shared between services, and the secrets aren’t stored on servers managed by businesses that have other things on their minds besides security.
That is the goal of FIDO2, the culmination of several years’ work on passwordless authentication by the FIDO Alliance. FIDO2 is an open standard for passwordless authentication based on public key cryptography.
FIDO2 is intended to be a “single gesture” authentication mechanism, making it as easy as possible for users to authenticate with web applications and other services via technology built-in to the devices they use every day.
FIDO2 combines two specifications: the W3C’s Web Authentication specification (WebAuthn), the browser API that web applications call, and FIDO’s Client to Authenticator Protocol (CTAP), which lets a client platform such as a browser or operating system talk to an authenticator, whether a roaming security key connected over USB, NFC or Bluetooth, or a platform authenticator built into the phone or PC.
FIDO Is Private
FIDO2 uses the same kind of public key cryptography that underpins TLS. The authenticator generates a fresh key pair for each service (and account) the user registers with, so no key is shared between services and a breach at one service reveals nothing useful to another. The private key never leaves the authenticator: it is never transmitted over the internet or shared with third-party services.
The public key is stored with the online service. When the user wants to log in, the service sends a random, single-use challenge, and the browser binds that challenge to the site’s origin. The user confirms on their device using its fingerprint scanner, a PIN or a touch, and the authenticator signs the challenge together with the origin data and a hash of the service’s identifier using the private key. The signed response goes back to the service, which verifies it with the stored public key.
Because the private key exists only on the registered authenticator, only a signature produced there verifies under the public key the service holds. And because the browser, not the user, supplies the origin, a signature obtained on a look-alike phishing site does not verify for the real one.
FIDO Has Momentum
FIDO2 isn’t the first attempt to create a passwordless login system, but it is the first with widespread industry support. Members of the FIDO Alliance include Google, Microsoft, Facebook, Salesforce, Samsung, PayPal, Dropbox, Bank of America, and more, many of whom are using FIDO in production today.
FIDO2 is already integrated into major browsers, including recent versions of Firefox, Google Chrome, and Microsoft Edge. Typically, Apple is lagging behind, but the WebKit team plans to integrate FIDO with Safari in the near future.
Because the FIDO project has produced an open standard with a browser API, it is straightforward for businesses to integrate FIDO authentication with their web applications and online services without depending on a single vendor. In a few years, we might finally be rid of passwords and the problems they cause.