The sooner the FIDO Alliance can shut down passwords, the better

A greyscale hand emerging from a hole, removing a password string, against a blue background
(Image credit: Getty Images)

I hate passwords with a vengeance, mainly because they’re so badly abused, from a cyber security perspective, by so many people. I’m not just talking about the person on the Clapham omnibus who keeps their passwords simple and shared between multiple accounts and services, but service providers as well.

In 2022, I would have liked to think the days of stupidly short character limits, along with rules forbidding special characters, would be long gone, but that’s not the case. Yes, Virgin Media, I am looking firmly in your “email passwords can be no longer than ten digits and contain no special characters” direction.

Of course, Virgin Media isn’t the only culprit. It’s still possible to find those who see password creation as some kind of Krypton Factor challenge where you have to use at least one number, uppercase, and special character, except for certain banned special characters of course – oh, and no repetition – all within a given maximum length password.

Not only is this daft, it’s also insecure; it makes it easier for those who would crack your password to do just that. If I know the maximum length of a string and the formatting rules, well, it becomes a lot less time-consuming for my password-cracking techniques to discover.

Ditching passwords for passwordless authentication

Why are these stupid rules there in the first place? Because someone, at some point before login security hygiene realised the error of its ways, had to tick a compliance checkbox. That legacy has never gone away. This gets even more bizarre when, in the case of Virgin Media email accounts, you look at its own recommendations for creating a strong password, which includes things it won’t let its own customers do. These are things like using more than ten characters (“your password will be more secure and harder to crack, the longer it is”) or special characters (“strong passwords include... symbols or special characters”).

That particular password advice page gets it wrong when it says you should aim for “8 to 12 characters”. The days of such a short password string being considered secure have long since gone; I use 25 as my secure baseline now, and certain high-value accounts will get ramped up to 50. Where the Virgin Media advice gets it right is using a password manager makes this a lot easier to accomplish, not only in terms of creating a random, long and secure password in the first place but being able to use them without being some kind of memory savant. Well, not use them if you are one of their customers, obviously. Another bit of correct advice – to use two-factor authentication (2FA) as a double-lock – is blunted somewhat by the fact that they don’t support this either.

This is where Apple, Google and Microsoft step forward in an unlikely alliance against password insecurity. The basis of the announcement, made by the three tech giants simultaneously, is to rid “password friction” by moving closer, more quickly, to passwordless authentication.

As I’ve said, time and time again, password managers are your friend; your very secure friend. Unfortunately, while password manager usage has taken off with more tech-minded users, the general public considers these applications a step too far. Why so? Friction. It’s much easier, it takes less time, to simply use that weak password everywhere. Until the inevitable day arrives when doing so leads to a data breach or worse, when things come tumbling down around them.

The conclusion is that better security, and stronger password hygiene, will only become something approaching any kind of norm if it comes with as little friction as possible. Hence, the move by these three tech behemoths to commit to a joint effort that extends support for a common passwordless authentication standard.

Embracing FIDO’s passwordless future

RELATED RESOURCE

Building a better password strategy for your business

Exploring the strategies and exploits that hackers are using to circumvent password security measures

FREE DOWNLOAD

That standard is the Fast ID Online (FIDO) Alliance, which uses mobile devices to authenticate apps and websites instead of passwords. The most important part of this “passwordless pact” is that this will happen cross-platform rather than have a proprietary lock. The idea is you will be able to, for example, log into an account on your laptop using your smartphone, assuming it’s in range, by tapping an automatic notification asking if that’s you trying to sign in. At worst, it involves entering a PIN or biometric authentication, like scanning your fingerprint or using Face ID.

I’m all in favour of this move towards less friction – note the distinction between less friction and frictionless – in a cross-platform methodology to provide stronger authentication for people who don’t really understand what good security is, let alone care. Using your smartphone as a passkey store makes perfect sense from the ‘something you have, something you are, something you know’ perspective. An iPhone user is already used to using Face ID, most Android users are the same with fingerprint scanning, and many laptops users are accustomed to Windows Hello.

Sure, it’s not perfect. Nothing is ever perfect, and that is truer in cyber security than most areas. However, if a threat actor needs to have physical access to your smartphone and your login username and your face or fingerprints or PIN), that’s a pretty secure scenario for the vast majority of users and use cases. If you are an outlier in terms of risk then the chances are you will already be using strengthened authentication measures anyway.

As my friend, Jake Moore, a former digital forensics police officer and current global cyber security advisor at ESET, says: “It is encouraging that Microsoft, Google, and Apple are attempting to pave the way to make account access secure as well as convenient. This isn’t something that can be achieved overnight, but it highlights that more needs to be done when it comes to password security. Cyber criminals will inevitably attempt to circumnavigate by looking for ways to exploit this method as nothing remains hack-proof, but like with any early adoption of new technology, this is a great start and we are likely to see a decent version of this in the near future.”

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.