
The sooner the FIDO Alliance can shut down passwords, the better

Passwords aren’t going anywhere, but that hasn’t stopped the dream of a passwordless future – and it seems that Apple, Google and Microsoft agree

I hate passwords with a vengeance, mainly because they’re so badly abused, from a cyber security perspective, by so many people. I’m not just talking about the person on the Clapham omnibus who keeps their passwords simple and shared between multiple accounts and services, but service providers as well. 

In 2022, I would have liked to think the days of stupidly short character limits, along with rules forbidding special characters, would be long gone, but that’s not the case. Yes, Virgin Media, I am looking firmly in your “email passwords can be no longer than ten digits and contain no special characters” direction. 

Of course, Virgin Media isn’t the only culprit. It’s still possible to find those who see password creation as some kind of Krypton Factor challenge where you have to use at least one number, uppercase, and special character, except for certain banned special characters of course – oh, and no repetition – all within a given maximum length password. 

Not only is this daft, it’s also insecure. Every rule printed on the sign-up page is a rule the attacker can feed straight into a cracking tool: if I know a password is at most ten characters long, contains no symbols and must include a digit, I can build a mask that skips every other candidate, and the space I have to search collapses from “anything” to a small, well-defined set. 

Ditching passwords for passwordless authentication

Why are these stupid rules there in the first place? Because someone, at some point before login security hygiene realised the error of its ways, had to tick a compliance checkbox. That legacy has never gone away. This gets even more bizarre when, in the case of Virgin Media email accounts, you look at its own recommendations for creating a strong password, which includes things it won’t let its own customers do. These are things like using more than ten characters (“your password will be more secure and harder to crack, the longer it is”) or special characters (“strong passwords include... symbols or special characters”). 

That particular password advice page gets it wrong when it says you should aim for “8 to 12 characters”. The days of such a short password being considered secure have long since gone; I use 25 characters as my baseline now, and certain high-value accounts get ramped up to 50. Where the Virgin Media advice gets it right is in saying that a password manager makes this a lot easier to accomplish, not only in creating a random, long and secure password in the first place but in being able to use it without being some kind of memory savant. Well, not use it on your Virgin Media email if you are one of its customers, obviously. Another bit of correct advice, to use two-factor authentication (2FA) as a double-lock, is blunted somewhat by the fact that it doesn’t support this either.
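To put numbers on the two points above, the shrinking search space of a rule-bound short password and the 25-character random baseline, here is an added example in Go. It is not code from the article or from any provider mentioned in it. It counts, by inclusion-exclusion, how many passwords a composition policy actually admits and converts that to bits, then draws a manager-style password with crypto/rand. The two policies compared are constructed for illustration: policy A (letters and digits only, at least one digit and one capital, 8 to 10 characters) is modelled on the rules the article describes rather than copied from any real page; policy B is 25 characters drawn from all 94 printable ASCII characters with no rules at all.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
)

// Printable ASCII minus space: 26 upper + 26 lower + 10 digits + 32 symbols = 94 characters.
const printable = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" +
	"!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

// charClass is one disjoint group of characters a composition rule can demand ("at least one digit").
type charClass struct {
	name string
	size int
}

// countCompliant counts strings of exactly length n over an alphabet of alphabetSize characters
// that contain at least one character from each required class, by inclusion-exclusion:
// the sum over subsets S of the classes of (-1)^|S| * (alphabetSize - characters in S)^n.
func countCompliant(alphabetSize, n int, required []charClass) *big.Int {
	total := new(big.Int)
	for mask := 0; mask < 1<<len(required); mask++ {
		excluded, parity := 0, 0
		for i, c := range required {
			if mask&(1<<i) != 0 {
				excluded += c.size
				parity ^= 1
			}
		}
		term := new(big.Int).Exp(big.NewInt(int64(alphabetSize-excluded)), big.NewInt(int64(n)), nil)
		if parity == 1 {
			total.Sub(total, term)
		} else {
			total.Add(total, term)
		}
	}
	return total
}

// keyspace is the number of passwords a policy admits across every length it allows.
func keyspace(alphabetSize, minLen, maxLen int, required []charClass) *big.Int {
	total := new(big.Int)
	for n := minLen; n <= maxLen; n++ {
		total.Add(total, countCompliant(alphabetSize, n, required))
	}
	return total
}

// bits is log2 of a keyspace: the attacker's work, in the usual "bits of entropy" units.
func bits(space *big.Int) float64 {
	f, _ := new(big.Float).SetInt(space).Float64()
	return math.Log2(f)
}

// randomPassword draws each character uniformly with crypto/rand, as a password manager does.
func randomPassword(length int, alphabet string) (string, error) {
	out := make([]byte, length)
	limit := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, limit) // unbiased, unlike a modulo over a byte
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

func main() {
	digit, upper := charClass{"digit", 10}, charClass{"upper", 26}
	// Constructed policy A: letters and digits only, at least one digit and one capital, 8 to 10 characters.
	a := keyspace(62, 8, 10, []charClass{digit, upper})
	// Constructed policy B: any of the 94 printable characters, no rules, exactly 25 characters.
	b := keyspace(94, 25, 25, nil)
	fmt.Printf("policy A: %.1f bits\n", bits(a))
	fmt.Printf("policy B: %.1f bits\n", bits(b))
	pw, err := randomPassword(25, printable)
	if err != nil {
		panic(err)
	}
	fmt.Println("manager-style password:", pw)
}
```

Policy A comes out at roughly 59 bits and policy B at roughly 164 bits; every character of length a policy forbids costs far more than every symbol it forbids, which is why the article's "longer is better" line is the right one.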

This is where Apple, Google and Microsoft step forward in an unlikely alliance against password insecurity. The basis of the announcement, made by the three tech giants simultaneously, is to get rid of “password friction” by moving more quickly to passwordless authentication.

As I’ve said, time and time again, password managers are your friend; your very secure friend. Unfortunately, while password manager usage has taken off with more tech-minded users, the general public considers these applications a step too far. Why so? Friction. It’s much easier, and takes less time, to simply use that one weak password everywhere. Until the inevitable day arrives when it turns up in a data breach and every account it protects comes tumbling down. 

The conclusion is that better security, and stronger password hygiene, will only become something approaching any kind of norm if it comes with as little friction as possible. Hence, the move by these three tech behemoths to commit to a joint effort that extends support for a common passwordless authentication standard. 

Embracing FIDO’s passwordless future


That standard is FIDO, from the Fast IDentity Online (FIDO) Alliance. Instead of a password, the website or app stores a public key and your device keeps the matching private key, which it will only use to sign a login challenge once you have unlocked it. The most important part of this “passwordless pact” is that it will work cross-platform rather than be locked to one vendor. The idea is that you will be able to, for example, log in to an account on your laptop using your smartphone, assuming it’s nearby, by confirming the sign-in prompt on the phone with a fingerprint, Face ID or your PIN. 

I’m all in favour of this move towards less friction – note the distinction between less friction and frictionless – in a cross-platform methodology that provides stronger authentication for people who don’t really understand what good security is, let alone care. Using your smartphone as a passkey store makes perfect sense from the ‘something you have, something you are, something you know’ perspective. An iPhone user is already used to Face ID, most Android users are the same with fingerprint scanning, and many laptop users are accustomed to Windows Hello.

Sure, it’s not perfect. Nothing is ever perfect, and that is truer in cyber security than in most areas. However, if a threat actor needs physical access to your smartphone, your login username and your face, fingerprint or PIN, that’s a pretty secure scenario for the vast majority of users and use cases. It also takes the classic phishing page out of play: the key is bound to the genuine site, so a look-alike login page has nothing to harvest. If you are an outlier in terms of risk then the chances are you will already be using strengthened authentication measures anyway. 
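The sign-in described above, reduced to its two halves, as an added example in Go that is not part of the article or of any FIDO Alliance or vendor code: the “phone” holds a P-256 private key created at registration and signs a fresh challenge only after the user has unlocked it; the site verifies the signature with the public key it stored, and also checks the origin, the relying-party hash and the presence/verification flags that came with it. Everything named here is an assumption for illustration: the relying party example.com, the look-alike https://examp1e.com, and the userVerified switch standing in for Face ID or a PIN. The WebAuthn wire format is simplified (no attestation, no CBOR, no signature counter, no QR code or Bluetooth transport), but each check the site makes is one the real protocol requires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Assumed relying party identity and the FIDO flag bits used in this constructed example.
const (
	rpID   = "example.com"
	origin = "https://example.com"
	flagUP = 0x01 // user present
	flagUV = 0x04 // user verified by biometric or PIN
)

// clientData is built by the browser, not by the page, so a phishing site cannot lie about the origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// authenticator stands in for the phone: the private key never leaves it.
type authenticator struct{ priv *ecdsa.PrivateKey }

// register creates the key pair on the "phone"; the site stores only the public key.
func register() (*authenticator, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &authenticator{priv: priv}, &priv.PublicKey, nil
}

// signedMessage is what the signature covers: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(ad, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, ad...), cdh[:]...))
	return m[:]
}

// assert is the phone's side: refuse without Face ID/fingerprint/PIN, then sign authenticatorData
// laid out as rpIdHash(32) | flags(1) | signCount(4, left at zero in this example).
func (a *authenticator) assert(clientDataJSON []byte, userVerified bool) (ad, sig []byte, err error) {
	if !userVerified {
		return nil, nil, errors.New("authenticator: user verification failed")
	}
	h := sha256.Sum256([]byte(rpID))
	ad = append(h[:], flagUP|flagUV, 0, 0, 0, 0)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(ad, clientDataJSON))
	return ad, sig, err
}

// verifyAssertion is the site's side; each check mirrors one the WebAuthn spec requires.
func verifyAssertion(pub *ecdsa.PublicKey, challenge string, clientDataJSON, ad, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd.Origin != origin:
		return errors.New("origin mismatch: assertion was made on a different site")
	case len(ad) < 37 || string(ad[:32]) != string(rpHash[:]):
		return errors.New("rpIdHash mismatch")
	case ad[32]&flagUP == 0 || ad[32]&flagUV == 0:
		return errors.New("user presence and user verification are both required")
	case !ecdsa.VerifyASN1(pub, signedMessage(ad, clientDataJSON), sig):
		return errors.New("bad signature")
	}
	return nil
}

// login runs one ceremony with the browser sitting at browserOrigin and returns the site's verdict.
func login(a *authenticator, pub *ecdsa.PublicKey, browserOrigin string, userVerified bool) error {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	challenge := fmt.Sprintf("%x", raw) // fresh per login; the spec uses base64url, hex suffices here
	cdj, _ := json.Marshal(clientData{Challenge: challenge, Origin: browserOrigin})
	ad, sig, err := a.assert(cdj, userVerified)
	if err != nil {
		return err
	}
	return verifyAssertion(pub, challenge, cdj, ad, sig)
}

func main() {
	a, pub, _ := register()
	fmt.Println("genuine site, Face ID ok:   ", login(a, pub, origin, true))
	fmt.Println("look-alike site, Face ID ok:", login(a, pub, "https://examp1e.com", true))
	fmt.Println("genuine site, no Face ID:   ", login(a, pub, origin, false))
}
```

The look-alike site fails even though the user has the phone and passes Face ID, because the origin in clientData is written by the browser and the site compares it with its own; a real deployment would additionally check the signature counter and attestation, which this example leaves out.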

As my friend, Jake Moore, a former digital forensics police officer and current global cyber security advisor at ESET, says: “It is encouraging that Microsoft, Google, and Apple are attempting to pave the way to make account access secure as well as convenient. This isn’t something that can be achieved overnight, but it highlights that more needs to be done when it comes to password security. Cyber criminals will inevitably attempt to circumnavigate by looking for ways to exploit this method as nothing remains hack-proof, but like with any early adoption of new technology, this is a great start and we are likely to see a decent version of this in the near future.”
