That’s the conclusion of a whitepaper by the Fast ID Online Alliance (FIDO), which blames usability issues for preventing passwordless authentication mechanisms from becoming mainstream. However, the alliance has come up with a solution to solve the problem once and for all and make the FIDO authentication standard as ubiquitous as passwords. “FIDO has exceeded all initial expectations,” Bill Leddy, VP of Product at LoginID, told Lifewire over email after perusing the whitepaper. “[It] is really close to solving all authentication [issues], but needs a bit more.”
Canceling Passwords
Leddy believes that passwords have outlived their use. He blames the security industry for failing people by pushing weak options for far too long. “Passwords are now 60 years old but remain the primary authentication option for most accounts. Consumers have many different accounts and are expected to remember a unique password for each. That is not a practical solution,” asserted Leddy. He added that in today’s internet, where websites can be easily cloned, the security industry’s job is to equip people with the right tools to prevent account breaches. The FIDO Alliance, an open industry association, created to reduce the reliance on passwords, has been working on the issue for about a decade now. It has created the FIDO authentication standard, which has been unable to gain traction. In the whitepaper, the alliance thinks it has finally identified the missing piece of the puzzle and also outlined a strategy to overcome it. According to the alliance, FIDO’s current passwordless authentication mechanism has inherent usability issues that have kept it from achieving wide adoption. “[We] have observed limited adoption [in the consumer space], because of the perceived inconvenience of physical security keys (buying, registering, carrying, recovering), and the challenges consumers face with platform authenticators (e.g., having to re-enroll each new device; no easy ways to recover from lost or stolen devices) as a second factor,” the paper noted. To overcome the issues, the whitepaper calls for using our smartphones as roaming authenticators or portable security keys. “A user’s device as a roaming authenticator is a great user experience and much more secure than passwords on a semi-trusted device if done correctly. Since new smartphones natively support FIDO and consumers are rarely far from their phones, it is a good option,” agreed Leddy.
The Way Forward
However, the whitepaper suggests that for smartphones to become successful as portable security keys, FIDO must devise a smooth process for people to add or switch between their mobile devices. It argues that if the process for essential tasks, such as setting up a new phone or switching to a new one, isn’t straightforward, then people will likely dismiss the whole idea as being inconvenient. To avoid this, the paper proposes introducing a new technique they call multi-device FIDO credentials, or “passkeys.” “Multi-device ‘passkey’ credentials address a long-standing question around FIDO. The question has been how to move to a new device if I enrolled 50 domain-specific credentials on my old device and then got a new device. Nobody wants to go through account recovery for 50 different services to rebind new FIDO credentials,” explained Leddy. FIDO asserts that passkeys will help avoid this situation altogether by ensuring that when we switch from one device to another, our FIDO credentials are already there waiting for us. Of course, the paper is conceptual, and Leddy thinks such a mechanism is easier to propose than to implement. “It would be unfortunate if the passkey solutions were vendor-specific so that a consumer cannot switch between device manufacturers or even a heterogeneous (MacBook and Android phone) set of devices,” warned Leddy. However, he’s confident that the FIDO alliance, which counts heavyweights such as Apple, Meta, Google, PayPal, Wells Fargo, American Express, and Bank of America, among its members, will come up with solutions that aren’t only universal but also thoroughly vetted against attacks. FIDO believes the multi-device FIDO credentials will become the final nail in the coffin for passwords. “By introducing these new capabilities, we hope to empower websites and apps to offer an end-to-end truly passwordless option; no passwords or one-time passcodes (OTP) required,” said the alliance.