Are Passwords Obsolete?

By:  |  Category: Blog, Security Wednesday, May 2nd, 2018  |  No Comments

New web standards passed this last month could lead to the end of regular “passwords.”

The new standard, WebAuthn, is close to final approval from the World Wide Web Consortium, which sets Web standards.

WebAuthn defines a standard Application Program Interface that can be incorporated into browsers and Web infrastructure. It opens the door for new ways for users to authenticate themselves on the Internet that are more secure and convenient than passwords.

“Security on the Web has long been a problem which has interfered with the many positive contributions the Web makes to society,” said W3C CEO Jeff Jaffe.

“While there are many Web security problems and we can’t fix them all, relying on passwords is one of the weakest links,” he continued. “With WebAuthn’s multifactor solutions, we are eliminating this weak link.”

Industry Support
The new standard will more than likely take off. Google, Microsoft and Mozilla already have committed to supporting WebAuthn in their browsers. Developers have begun to implement the standard for Windows, Mac, Linux, Chrome OS and Android.

“We expect browser and OS vendors will be out in the second half of this year,” said Rajiv Dholakia, vice president for products at Nok Nok Labs.
“Uniform support will take about 12 months,” he told TechNewsWorld, “but we already know people running internal proofs of concept with the goal of bringing something to market as early as late in the second quarter or early third quarter.”

Implementing WebAuthn should not be difficult for organizations, noted Michael Thelander, senior director of product at Iovation.

“There are new concepts involved, but not radically new security thinking.”

“The larger problem will be getting time and attention — especially in large organizations using this for customer-facing authentication — from the other stakeholder groups involved,” Thelander said.

“Compliance, user experience, product management and operations will all have a say and need some time,” he added.

Keeping user security safe
WebAuthn, which is based on a specification written by the FIDO Alliance, can make the Internet safer for users.

“There are many attacks that user names and passwords are vulnerable to that FIDO is not,” observed Brett McDowell, executive director of the FIDO Alliance.
For example, FIDO is resistant to phishing attacks and data breaches, two of the most common threats to consumers and other users of the Internet.
“FIDO is based on public key cryptography,” McDowell.

“You don’t have to give away a credential secret — like a password — to authenticate your identity,” he explained. “When a website authenticates me using FIDO, it’s not asking me for my secret. That means I can’t be tricked by someone else to give away my secret.”

Promising Trend
Using public-key encryption for authentication has another advantage, according to Bob Crowe, a senior vice president of engineering at EdgeWave.

“WebAuthn incorporates cryptographic logic which allows for various sources of stronger authentication including biometrics — think FaceID — and external authenticators, such as device to device.”

That makes the scheme more convenient, too. “All I have to do is look at my camera, touch my fingerprint sensor, or touch a button on a security key,” McDowell said.

New Challenge

FIDO’s WebAuthn will have to surmount a big challenge if it’s going to gain widespread acceptance, suggested Iovation’s Thelander.

“The biggest challenge is that great work is already being done in this field, and in some cases new standards need to play catch-up,” Thelander added.

Also, don’t count out the resilience of passwords.

“Look for a long tail of user name/password usage that will last for many years beyond the first rollout of FIDO-compliant sites,” Thelander predicted, “unless there’s such an improved user experience that online business can map an immediate ROI to the new authentication experience — more time on site, quicker logins, more frequent visits, more consumer confidence.”

Samantha Keller

Director of Marketing and PR at EnhancedTECH
Samantha Keller (AKA Sam) is a published author, tech-blogger, event-planner and mother of three fabulous humans. Samantha has worked in the IT field for the last fifteen years, intertwining a freelance writing career along with technology sales, events and marketing. She began working for EnhancedTECH ten years ago after earning her Bachelor’s degree from UCLA and attending Fuller Seminary. She is a lover of kickboxing, extra-strong coffee, and Wolfpack football.Her regular blog columns feature upcoming tech trends, cybersecurity tips, and practical solutions geared towards enhancing your business through technology.
Samantha Keller

Latest posts by Samantha Keller (see all)

Leave a Comment
Read previous post:
Cyber Defense
Reducing Attack Surfaces Key to Cyber Defense

In strategic warfare, it's a good idea to limit the amount of attack surfaces available, meaning reducing the amount of...