When can we say goodbye to passwords?
- The FIDO2 standard is designed to replace password-based systems
- Microsoft, Dropbox, and Google have already incorporated FIDO2 to different degrees
Are you poor at remembering passwords, and do you hate entering them to log into websites all the time? You are not the only one. Very soon things will change with the
On February 25, Google introduced a new feature for Android that could have huge implications for our online security. The company announced that all Android devices running version 7.0 and above are now FIDO2 certified for login without a password. Overnight, millions of Android users around the world suddenly found themselves with a security key in their pocket. That security key has the potential to make passwords, and all the problems and vulnerabilities that accompany them, a thing of the past one day.
Passwords are the main system that keeps our digital lives safe, but increasingly they are not up to the task. Most people reuse an endless series of easy-to-guess phrases, and the underlying technology is also vulnerable to a wide range of attacks. All an attacker has to do is convince you that a fake website or email really comes from your bank or another online service; once you are tricked into typing your password there (a phishing attack), the attacker has access to your account.
But that system could change under the FIDO2 standard. Instead of having to type a string of characters (or, let's face it, having a browser or a password manager type it for you), you authenticate with a security key or a biometric device such as a fingerprint reader. Previously, most of these keys were USB sticks or Bluetooth dongles, but after Google's announcement, your Android phone can perform the same authentication as a security key. The complex handshake between the security key and the device means that there is nothing to remember and nothing useful that can be intercepted.
The standard has the potential to replace passwords completely, and Google is actively working toward that future. "The world that we'd love to see is one where you don't even have to do a traditional authentication with, say, a password," said Steven Soneff, a product manager at Google. If you're already signed in to your phone, then this could be used to "bootstrap" the next device that you want to sign in to your Google account, "and you never even had to deal with the username password for your Google account itself."
In order to offer this kind of login, websites use a part of the FIDO2 standard called WebAuthn, an open protocol that was approved by the World Wide Web Consortium (W3C) on March 6th.
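To make the "nothing useful that can be intercepted" claim concrete, here is an added example (not code from the article, Google, Dropbox or the FIDO Alliance) that models a WebAuthn login assertion in Go: the authenticator signs a server challenge together with the origin the browser reports and the hash of the relying-party ID, and the relying party refuses anything that does not match. The authenticatorData layout is reduced to rpIdHash, flags and counter, and the P-256 credential and the relying party example.com are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// signedMessage is what WebAuthn signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(authData, cdj []byte) []byte {
	cdHash := sha256.Sum256(cdj)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// signAssertion plays the authenticator. The browser, not the page, fills in origin and rpID.
func signAssertion(k *ecdsa.PrivateKey, rpID, origin, challenge string) (authData, cdj, sig []byte) {
	cdj, _ = json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01, 0, 0, 0, 1) // rpIdHash || flags (UP set) || signCount
	sig, _ = ecdsa.SignASN1(rand.Reader, k, signedMessage(authData, cdj))
	return authData, cdj, sig
}

// verifyAssertion plays the relying party; the origin and rpIdHash checks are what make the handshake phishing-resistant.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, authData, cdj, sig []byte) error {
	var cd map[string]string
	if json.Unmarshal(cdj, &cd) != nil || cd["type"] != "webauthn.get" || cd["challenge"] != challenge {
		return fmt.Errorf("malformed clientData, wrong ceremony type or stale challenge (replay?)")
	}
	if cd["origin"] != origin {
		return fmt.Errorf("origin %q is not %q: assertion was made for another site", cd["origin"], origin)
	}
	if rpHash := sha256.Sum256([]byte(rpID)); len(authData) < 37 || string(authData[:32]) != string(rpHash[:]) || authData[32]&0x01 == 0 {
		return fmt.Errorf("rpIdHash mismatch or user presence not asserted")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, cdj), sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

func main() {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed sample credential
	ad, cdj, sig := signAssertion(k, "example.com", "https://example.com", "server-nonce-1")
	fmt.Println(verifyAssertion(&k.PublicKey, "example.com", "https://example.com", "server-nonce-1", ad, cdj, sig))
}
```

A captured assertion is useless to a third party: it carries a one-time challenge, it names the origin the browser was actually talking to, and the private key never leaves the authenticator.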
But most organisations aren't yet ready to replace passwords entirely. Soneff says Google's goal is an entirely password-free future and that the company is working toward it, but the tech giant was unwilling to say when this functionality might be rolled out.
Dropbox said that it believes "enabling WebAuthn for two-step verification strikes the right balance for most users right now." When asked for comment, the company's director of security, Rajan Kapoor, said, "We hope that passwords will one day no longer be the only, or even primary, option for logging in." But, he added, "There are a number of issues around usability and adoption that need to be resolved before we'll see passwords replaced."
"User habits and market forces will make the password a novelty, but it'll still be a supported novelty for a long time," McDowell says. "Over time, market forces will make the password less and less interesting, less viable, and less effective."