Dump your passwords, improve your security. Really


Brett Pearce / CNET

Passwords stink.

They are hard to remember, hackers exploit their weaknesses, and the fixes often bring problems of their own. Dashlane, LastPass, 1Password and other password managers generate secure, unique passwords for every account you have, but the software is complex. Google, Facebook and Apple let you use your passwords for their services to sign in to other sites, but that gives them even more power over your online life. Two-factor authentication, which requires a second access code sent by text message or retrieved from a special app each time you log in, improves security dramatically but can still be defeated.

However, a big change could eliminate passwords completely. The technology, called FIDO, overhauls the login process by combining your phone, face and fingerprint recognition, and new gadgets called hardware security keys. If it lives up to its promise, FIDO will make cringeworthy passwords like "123456" relics of a bygone era.

"A password is something you know. A device is something you have. Biometrics is something you are," said Stephen Cox, chief security architect at SecureAuth. "We are moving to something you have and something you are."

This week, CNET is looking at the changes that will help free us from password problems. They amount to a massive effort that will affect you every time you check email, transfer money or log in to your employer's network. We will examine the authentication approaches that do not require passwords, the shortcomings of two-factor authentication and how to use password managers more effectively. We will also offer some updated password selection tips, because the deeper password improvements will take years to arrive.


Passwords are horrible

Computer passwords have been a burden since at least the 1960s. Allan Scherr, a researcher at MIT, discovered other researchers' passwords so he could use their accounts, continuing his "machine time theft" for his own project. In the 1980s, Clifford Stoll, an astrophysicist at the University of California, Berkeley, tracked a German hacker through government and military computers that were left insecure because administrators had not changed the default passwords.


The nature of passwords makes us lazy. Long, complex passwords, the safest kind, are the hardest to create, remember and type. Many of us recycle them by default.

That is a big problem because hackers already have many of our passwords. The Have I Been Pwned service lists 555 million passwords exposed in data breaches. Hackers automate attacks using "credential stuffing", trying a long list of stolen usernames and passwords to find the ones that still work.
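Credential stuffing leaves a recognisable trace on the defending side: many different usernames tried from one source in a short span, most of them failing, with the occasional success marking a reused password that worked. The following Node.js script is an added example, not code from the article, that flags that pattern over a few constructed login-log lines; the log format, the IP addresses and the thresholds (five distinct users inside a five-minute window) are all assumptions for the demo.

```javascript
// Added example (not from the article): detect the credential-stuffing pattern
// described above in constructed login-log lines. The log format, addresses
// and thresholds are assumptions for this demo.
const SAMPLE_LOG = [
  '2020-03-02T10:00:01Z ip=203.0.113.7 user=alice result=FAIL',
  '2020-03-02T10:00:02Z ip=203.0.113.7 user=bob result=FAIL',
  '2020-03-02T10:00:02Z ip=203.0.113.7 user=carol result=FAIL',
  '2020-03-02T10:00:03Z ip=203.0.113.7 user=dave result=FAIL',
  '2020-03-02T10:00:04Z ip=203.0.113.7 user=erin result=FAIL',
  '2020-03-02T10:00:05Z ip=203.0.113.7 user=frank result=SUCCESS', // reused password that worked
  '2020-03-02T10:00:06Z ip=203.0.113.7 user=grace result=FAIL',
  '2020-03-02T10:01:10Z ip=198.51.100.4 user=heidi result=FAIL',    // ordinary user mistyping
  '2020-03-02T10:01:25Z ip=198.51.100.4 user=heidi result=FAIL',
  '2020-03-02T10:01:40Z ip=198.51.100.4 user=heidi result=SUCCESS',
  '2020-03-02T11:30:00Z ip=203.0.113.7 user=ivan result=FAIL',      // outside the window
];

const LINE_RE = /^(\S+) ip=(\S+) user=(\S+) result=(FAIL|SUCCESS)$/;

// Parse one constructed log line into an event; unknown lines are skipped.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1]), ip: m[2], user: m[3], ok: m[4] === 'SUCCESS' };
}

// Slide a time window over each source IP's events and flag the IP when the
// window holds at least minUsers distinct usernames. Any account that logged in
// successfully from a flagged source is listed so it can be forced to
// re-authenticate and rotate its password.
function detectStuffing(lines, { windowMs = 5 * 60 * 1000, minUsers = 5 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    if (!byIp.has(ev.ip)) byIp.set(ev.ip, []);
    byIp.get(ev.ip).push(ev);
  }
  const alerts = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.ts - b.ts);
    let start = 0;
    let best = { users: 0, from: null, to: null };
    for (let end = 0; end < events.length; end++) {
      while (events[end].ts - events[start].ts > windowMs) start++;
      const users = new Set(events.slice(start, end + 1).map((e) => e.user)).size;
      if (users > best.users) best = { users, from: events[start].ts, to: events[end].ts };
    }
    if (best.users >= minUsers) {
      const successfulUsers = [...new Set(events.filter((e) => e.ok).map((e) => e.user))];
      alerts.push({
        ip,
        distinctUsers: best.users,
        windowStart: new Date(best.from).toISOString(),
        windowEnd: new Date(best.to).toISOString(),
        successfulUsers,
      });
    }
  }
  return alerts;
}

console.log(JSON.stringify(detectStuffing(SAMPLE_LOG), null, 2));
```

On the sample above the detector flags 203.0.113.7 (seven distinct usernames in six seconds, with one successful login for "frank") and leaves 198.51.100.4 alone, since three attempts on a single account is what a forgotten password looks like. In production the same logic would run over rolling windows and also key on other signals (user agent, ASN), but the distinct-username count per source is the core indicator.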

FIDO fixes

Fast Identity Online, better known as FIDO, addresses these problems. It standardizes the use of hardware devices, such as security keys, for authentication. Yubico, Google, Microsoft, PayPal and Nok Nok Labs, among others, are developing FIDO.

Security keys are the digital equivalent of house keys. You plug them into a USB or Lightning port, and a single security key works safely with many websites and apps. The key can be paired with biometric authentication like Apple Face ID or Windows Hello. Some keys work wirelessly.

FIDO also lets sites and services replace passwords completely, a change that could make logging in easier for you even as it makes hacking harder.

Fans are confident enough to make bold projections about its spread. "In the next five years, all major consumer Internet services will have a passwordless alternative," says Andrew Shikiar, executive director of the FIDO Alliance, an industry consortium. "Most of them will use FIDO."

Hardware Security Key Illustration

Hardware security keys add new security to passwords and can completely replace them.

Brett Pearce / CNET

Because it only works with legitimate websites, FIDO stops phishing, a type of attack in which hackers use fraudulent email and a fake site to trick you into giving up your login information. FIDO also eases companies' worries about catastrophic data breaches, particularly of confidential customer information such as account credentials. Stolen passwords will no longer be enough for a hacker to log in, and if FIDO catches on, companies may not require passwords at all.

Login without password

Here is one way FIDO-based login works without passwords. You visit a website's login page on your laptop, enter your username, plug in your security key, tap its button and then use the laptop's biometric authentication, such as Apple Touch ID or Windows Hello.

Conveniently, you can also use your phone as a security key. Enter your username, get a prompt on your phone, unlock it and then approve the login with its biometric authentication system. If you are logging in on your laptop, the phone communicates with it via Bluetooth.

FIDO preserves the protection provided by multifactor authentication, which requires you to prove your identity in at least two ways.

How FIDO authentication works

Your first encounter with FIDO probably won't look very different from two-factor authentication. First you enter a conventional password, then plug in a FIDO hardware security key or connect one wirelessly.

The process still uses passwords, but it is more secure than passwords alone or passwords reinforced by codes sent by SMS or retrieved from authenticator apps such as Google Authenticator. This approach, password plus security key, is how you can use FIDO today on Google, Dropbox, Facebook, Twitter and Microsoft services such as Outlook.com and, eventually, Windows.

"The hardware security keys are very, very secure," said Diya Jolly, product manager at the authentication services company Okta. That is why congressional campaigns, the Canadian government's computer services division and all Google employees use them.

Today's consumer services often require you to plug in the key only when you first log in on a new PC or phone, or when you are taking a particularly sensitive action such as transferring money from your bank account or changing your password. Of course, a security key can be a nuisance if you don't have it with you when you need it.

Security keys for sale today include Yubico's YubiKeys and Google's Titan. The basic models cost $20, but you will spend $40 or more if you want USB-C or Lightning ports or wireless communication. Advanced models such as the Ensurity ThinC, the eWBM Goldengate G320 and the Feitian BioPass have built-in fingerprint readers, a feature Yubico is also working on.

Yubico YubiKey

Yubico is one of the leading sellers of security keys. This basic YubiKey model plugs into a USB port. You have to touch the button to show that you are really present while using it.

Stephen Shankland / CNET

You should buy at least two keys in case you lose, break or forget your primary key. With most services you can register several keys, so you can leave one at home or in a safe deposit box.

Phones can also be security keys

Google built FIDO key technology directly into Android in 2019 and did the same with its iPhone software in January. That lets you log in to your Google account on your laptop by approving a prompt on your phone, as long as the phone is within the laptop's Bluetooth range. Google hopes the approach will spread beyond its own services.

Websites and browsers get FIDO authentication through a standard called WebAuthn. FIDO is built into Android so that apps can use it too, and Apple has just joined the FIDO Alliance, which bodes well for FIDO support in iPhone apps.

Microsoft is also a big backer. It got ahead of Google by enabling passwordless sign-in for Outlook, Office, Skype, Xbox Live and other online services. You need a hardware key combined with Windows Hello facial recognition or fingerprint identification, a hardware key combined with a PIN, or a phone with the Microsoft Authenticator app.

FIDO phishing protection

FIDO uses public-key cryptography, the technology that has protected credit card numbers online for decades. A big advantage of this approach is that a FIDO security device, whether a hardware security key or a phone acting as one, will not work with fake websites, a common trap hackers set to phish passwords. Unlike people, who often don't notice a well-crafted fake site, security keys are registered to work only with the legitimate site.

"With the security keys, instead of the user needing to verify the site, the site has to prove its worth," wrote Mark Risher, who leads authentication work at Google, in a blog post. Successful phishing attempts fell to zero at Google after it moved its tens of thousands of employees to security keys.

Going passwordless also means less confidential data for hackers to steal. That is music to the ears of IT administrators. With FIDO, says Cox of SecureAuth, companies no longer have "centralized credential databases to be stolen."

Post-password problems

Here is the bad news. Moving into our passwordless future will not be easy. We are all accustomed to passwords, and we feel more or less comfortable with how they work. We all have our own tricks for keeping them straight.

Setting up security keys is harder than choosing a password. It's complicated because different websites use different procedures to register and use security keys. For example, Twitter lets you use only one hardware security key today, which means backup keys won't work.

Enrollment, the process of registering a security key with a service, "is a terrible problem," said Jerrod Chong, director of solutions at Yubico, a 12-year-old company that makes security keys and is an important player in the FIDO Alliance. However, he expects enrollment to improve. (In fact, using security keys has gotten easier during the year I have been doing it.)

Multiply the number of accounts you have by the number of keys you have, and you will have an idea of the management hassle you face. Hardware security keys can also break or be stolen, and Bluetooth keys can run out of battery.

"Most people are familiar with passwords. It's something they've grown up with. It's printed on them," said Forrester security analyst Chase Cunningham. "From the consumer's point of view, it will likely take between five and seven years for passwords to become a reality."

Within companies, hardware security keys will not be an easy sell. They cost money, employees lose or forget them, and, perhaps most importantly, they are simply different from what people are used to. Heck, most people don't even turn on two-factor authentication, although that would dramatically improve their security.

"Usernames and passwords are still the most frequent option," said Matias Woloski, CTO and co-founder of Auth0, which sells authentication services. "Nobody wants to try not to provide that option."

The case for security keys

Even so, it is important to weigh the problems with security keys against those we already face with passwords.

Hardware security keys frustrate the large-scale cybercrime that passwords enable. The mechanisms for resetting forgotten passwords are expensive and can be exploited by hackers to steal accounts. And let's be honest: it is practically impossible to remember secure, unique passwords for all the sites you use.

FIDO-powered security keys and phones, and then passwordless logins, will fundamentally improve today's weak security, says Joe Diamond, vice president of product at Okta. "It is clearly the future."

CNET writer Alfred Ng contributed to this report.

