Welcome to the dawn of the post-password world. Multifactor authentication orbits it, and two-factor authentication is just a short ride away. A new adoption campaign has launched, and it is bound for broad enablement of FIDO2. FIDO2 will be the first stop after passwords: designed to avoid their most obvious security faults, it disrupts the still-common password-centered approach to authentication security.
As announced at Mobile World Congress on February 25, 2019, Android devices running 7.0 or later can sign users in to apps and websites without a password. In lieu of the ever-vulnerable password, the user unlocks the phone with a fingerprint, PIN or swipe pattern. That unlock releases a private key held on the device, which signs a one-time challenge from the site; the fingerprint or PIN itself never leaves the phone. There is therefore no password to intercept in transit, and nothing a phishing page can talk the user into typing. Biometrics have always held promise; combining them with public-key credentials at this scale could shift cybersecurity into a new, and potentially better-protected, phase.
Essentially, it turns one's smartphone into a built-in FIDO2 authenticator. There'll be no more password formulation rules, no memorizing and no writing access keys down. It closes that particular security gap.
FIDO2 is a free, open set of authentication standards and protocols developed specifically to reduce and replace passwords on a global scale. The FIDO Alliance came together with this express mission. The Alliance knew that people and businesses require an easy, secure solution; otherwise adoption fails.
Google provides an effective partner for the FIDO Alliance's desired scale and methods. Obviously Google has a vested interest in remaining at the center of users' commerce and communication. It wants to stay involved with actions both on the Web and in the increasing use of proprietary applications. Those apps and websites now run much of the daily functioning of businesses and people alike. And with Android, Google can offer a streamlined authentication method that's already in a lot of people's pockets and purses.
Once relegated to Bluetooth dongles and hardware tokens alone, this type of authentication now finds itself on smartphones, one of the most ubiquitous electronic devices on Earth and one quickly gaining on the desktop's market share.
FIDO2 incorporates WebAuthn and CTAP. In March 2019, the World Wide Web Consortium declared WebAuthn, a browser API standard, the official web standard for password-free login. Windows 10, Safari, Chrome, Firefox, Edge and, of course, Android support it. The Client to Authenticator Protocol, or CTAP, is the other half: it carries the challenge and the signed response between a browser or app and a FIDO2 authenticator, whether a hardware key or one of the aforementioned Android devices, over USB, NFC or Bluetooth.
As we all know, people tend to choose obvious, reused passwords, and as if that weren't liability enough, they also reward phishing expeditions by giving those passwords away at a dizzying rate. For these reasons, the end of the password has been on the horizon since its inception.
Even two-factor and multifactor authentication remain susceptible to phishing when one of the factors is a password or other information vulnerable to social engineering: a one-time code typed into a lookalike page is relayed to the real site just as easily as the password it supplements.
FIDO2 differentiates itself because it can eliminate that class of threat. The credential is a key pair bound to the site's origin, the private key never leaves the device, and the signed response is valid only for the origin the browser actually connected to, so a lookalike page has nothing useful to collect.
Will the Android Rollout Drive Faster Adoption?
If you consider your Android device indispensable, actually needing it in order to access your accounts may not seem like much of a downside. For everyone else, the requirement that one carry a particular device in order to take actions that didn’t require it before could deter use.
It also stands to reason that FIDO2, like its multifactor predecessors, will eventually fall prey to new attacks and workarounds. Cybersecurity is an ever-escalating pursuit for dominance, but not having to focus as many resources on phishing, brute-force attacks (assuming PINs and swipe patterns are not trivially guessable, and noting that they are checked only on the device, which rate-limits attempts, and never reach the server), password reset workarounds, and phone-number takeover through SIM swapping would constitute a substantial step forward.
Time to Adopt?
At this point no one can really predict the rate of adoption. It largely depends on viable alternatives, sufficient access, and the old challenge of getting people to switch to a new method before it is absolutely necessary. If your company already uses Android devices, that clearly increases the ease of switching to FIDO2, if not necessarily the likelihood. This may spell the beginning of the end for the password.
By Tenea D. Johnson
Founder, Progress By Design