Will FIDO passwordless authentication save cyber security?

A digital padlock representing security
(Image credit: Shutterstock)

Passwords happen to be the most commonly used method of authentication for applications and websites alike. Passwords, however, are also deemed by many to be highly insecure and prone to information security (InfoSec) risks like hacking and phishing attacks.

This risk is heightened considerably when users recycle the same username-password combination, which is true for 21% of people when creating a new account, according to statista.com. Alarmingly, research also published last year suggested 90% of IT decision makers reused their passwords. There are, meanwhile, a vast number of highly common passwords used across the internet, which can be easily cracked by cyber criminals. This isn’t to mention the spectre of historic data breaches, through which hackers obtain credentials and attempt credential stuffing attacks to gain access to user accounts.

In each of these scenarios, passwordless authentication can prove to be a turning point for InfoSec. One of the leading players in the field is the FIDO Alliance, which has combined with a handful of industry giants to implement a standardised form of passwordless authentication for the first time across the business realm.

What does the FIDO Alliance propose?

“Our recent white paper ‘How FIDO Addresses a Full Range of Use Cases’ sets out important and evolutionary changes to the standards proposed by the FIDO Alliance and the World Wide Web Consortium (W3C) WebAuthn community,” Andrew Shikiar, the executive director and chief marketing officer (CMO) at the FIDO Alliance, tells IT Pro. “These changes build on the success of FIDO in high-security environments and enterprises by making it easy and highly practical for consumers to adopt passwordless authentication on a large scale.”

The paper outlines two key advancements, Shikiar continues, that have since been adopted by Apple, Google and Microsoft. This paves the way for FIDO-based secure authentication, as he terms it, to replace conventional passwords once and for all.

The first advancement is using your smartphone as a ‘roaming authenticator’, which allows users to use FIDO authentication to sign into an app or website on a nearby device, regardless of the operating system (OS) or browser they’re running. This approach requires physical proximity, which means it could mitigate certain phishing attacks and other risks associated with one-time passwords delivered through SMS.

The second is allowing users to automatically access FIDO sign-in credentials – referred to by some as a “passkey” – on many of their devices, even new ones, without having to re-enroll every account. Just like password managers do with passwords, the underlying OS platform will “sync” the cryptographic keys that belong to a FIDO credential from device to device. Typically, all somebody would have to do to sign into their apps and services from a new device is to pass the built-in biometric challenge on the device from which they’re trying to sign in.

What will these measures look like in practice?

In addition to improving the user experience (UX), the broad support of this standards-based approach will allow service providers to offer FIDO credentials without needing passwords as an alternative or account recovery method, Shikiar adds.

Crucially, this takes advantage of well-established user behavior, such as using your phone’s built-in biometrics or PIN to unlock the device. Most of the changes are technical and take shape behind the scenes, so there’ll be few changes for users except beyond no longer needing to remember passwords. For associated companies, like Microsoft, employees will be able to take advantage of end-to-end passwordless authentication for the host of apps and services they need to log into across a host of devices.

"At Microsoft, we are committed to adopting these standards for Windows and all our cloud services,” says Alex Simmons, corporate vice president of product management at Microsoft’s identity and network access division. He adds Microsoft has been a very early supporter for FIDO standards, having previously adopted FIDO2 certification for Windows Hello. Since introducing passwordless authentication five years ago, more than 240 million customers now log into Microsoft’s apps and services without using passwords.

“Passwords have never been less adequate for protecting our digital lives. Many attackers want your password and will keep trying to steal it from you. Those inherent security challenges with passwords drove the initial wave of passwordless innovation. But we haven’t yet reached a broad adoption because passwordless technology was limited to security keys and platform authentication on a single device. This is where passkeys come in.”

The passkey UX, Simmons continues, will be straightforward. Across Windows, Mac, iPhone and Android devices, users will just click on the passkey icon on a website or in an app, before undergoing a facial recognition or fingerprint check – or enter their PIN – and they’ll be seamlessly signed in.

Which companies and platforms are involved?

The FIDO Alliance is an open industry association that comprises the major platforms, device manufacturers and financial institutions among its 250–plus members. The likes of Amazon, Apple, Google, Mastercard, Meta, Microsoft, PayPal, Samsung, and Visa are all members of the FIDO Alliance Board of Directors, with the membership also featuring leaders in security and identity, as well as several government members including the UK, Germany and the US.

“One thing that’s unique about FIDO Alliance and FIDO authentication is that it truly is an industry-wide movement – which is absolutely necessary when you consider the task at hand: changing the authentication fabric of the web itself,” he continues. “As a result, there’s a true sense of mission in the broader FIDO community, including a willingness to collaborate and share best practices based on real-world lessons learned.”

Apple, Google, and Microsoft have led the development of an expanded set of capabilities and are now building support into their respective platforms. These companies’ platforms already support FIDO Alliance standards to enable passwordless authentication on billions of devices, but previous implementations require users to sign in to each website or app with each device before they can use passwordless functionality.

Apple recently announced at its WWDC event that passkey will be featured in upcoming releases of iOS and macOS. Google also detailed its own plans for Android support of passkey at their recent Google I/O developer conference. The passkey approach will enable service providers to offer FIDO credentials without needing passwords as an alternative sign-in or account recovery method. The new capabilities are expected to become available across Microsoft, Apple, and Google platforms starting in 2023.

What are the implications for cyber security?

For multi-device FIDO credentials, it’s the OS platform’s responsibility to ensure the credentials are available when the user needs them, says Shakiar. This means the security and availability of a user’s synchronised credentials depend on the security of the underlying OS’ authentication mechanism for their online accounts, and the security method for user account recovery.

“Enterprises and service providers may or may not want to rely on this dependency,” he adds. “At the very least, however, the verification of a synced FIDO credential represents a robust signal to a relying party that the user is who they say they are, and it is a huge improvement in security compared to passwords.

“For many service providers, we expect that trusting the synced FIDO credential on the new device is all they need to sign in the user. However, FIDO also supports use-cases where a company can choose, for additional security or regulatory reasons, to go beyond this and perform further user verification steps whenever the user signs in from a new device.”

Simons tells IT Pro, meanwhile, that Microsoft's goal is to make passwordless authentication an obvious and easy choice for any customer. “We’re not just building new ways to sign without a password on any device and to any app or website, we’re also working to eliminate passwords for Azure AD accounts altogether.

“Administrators can choose whether passwords are required, allowed, or simply don’t exist for a set of users. Users can choose not to set a password when creating an account or opt to remove their password from an existing account.”

Will the FIDO Alliance bring passwordless authentication into the mainstream?

Discourse around passwordless authentication has been rife in recent years with Microsoft, for example, routinely slamming the username-password combination publicly, and urging society to move to a password-free model. Passwords, however, have still been dominant and remain so throughout the digital world. The FIDO Alliance hopes this move will fundamentally turn the landscape on its head.

“This joint effort involving the world’s three largest platform providers will undoubtedly accelerate the availability of passwordless sign-ins,” Shakiar explains. "It offers clear benefits to users and service providers in making the web more secure and usable for all, with practically no change in user behavior required. We believe this will deliver phishing-resistant authentication at a scale that rivals password-based authentication deployments and, ultimately, replaces passwords as the dominant form of authentication on the Internet.”

According to Simons, passwordless authentication is likely to become mainstream as password removal is encouraged by countries around the planet. With the rising threat of attacks on your online identity alongside phishing scams and ransomware attacks, there’s no better time to embrace the elimination of passwords, he adds.

Andras Cser, Forrester’s VP and principal analyst, however, tells IT Pro that password-free sign-in is already entering the mainstream to some extent, with more than two-thirds of security decision makers adopting the technology in a recent survey. “Adoption is still at a very early stage, however,” he says. “About half of respondents are less than three months into their deployment, suggesting it’s mostly proof-of-concepts (PoCs) and pilot programmes being deployed. Survey respondents expect the percentage of employees using passwordless to nearly double by the end of 2022.

“Passwordless is still nascent, but technological advances, pervasive smartphone use, user frustration with passwords, and enterprise frustration with weak password security contribute to adoption,” Cser adds. “Strong industry support for the FIDO2 standard, especially the WebAuthn aspect, also helps.”

For many businesses, replacing passwords will be a massive decision to make, given it goes against the norms and conventions of decades of cyber security best practice. This will, in any case, be a multi-year journey for most organisations as they strive to overcome the various challenges involved. Thes might range from integrating passwordless authentication with legacy infrastructure to righting internal resistance. Should the FIDO Alliance and its member organisations be believed, shifting to a world without passwords should do wonders for the overall UX and for enterprise cyber security.