It's not very often that you see the giant tech companies working together or agreeing on something. They are competitors after all, and they typically spend their time trying to one-up each other or discredit each other's products. But when it comes to security, they all seem to be in agreement: passwords don't work very well.
Today, Microsoft became the latest member of the FIDO Alliance, a group dedicated to replacing the age-old and insecure password with new methods of authentication. The Alliance includes other large companies like Google, Lenovo, Blackberry, LG, PayPal, and many others. The goal of the group is to develop a simple, easy to use method of logging a user in that doesn't involve a password.
FIDO members commit to sharing technology and collaborating on open specifications for universal strong authentication, so that FIDO-compliant authentication methods are interoperable, more secure and private, and easier to use. Microsoft software runs on hundreds of millions of devices, and the company holds a clear lead in the enterprise, desktop and laptop markets.
The idea of a password worked very well when user authentication was first developed. The user thinks up a unique word or phrase that only they know which, when entered into the computer, lets the computer know that yes, this is the real John Smith. As technology has progressed, however, two things have happened: hacking methods have become more sophisticated, and users have become lazier.
Users also store more and more of their valuable personal information online, usually protected by only a password, making password hacking an even more tempting prospect. Today's hacking techniques and brute force attacks can often get through even difficult passwords pretty quickly, and sadly, very few users actually use complex passwords.
The bigger problem is that even the most secure and complicated passwords are still vulnerable to other types of attacks. Last year, a Wired Magazine writer was famously hacked and had a large amount of his digital life erased. His password was ultra complex, but that didn't matter since the bad guys didn't even need it. They used a series of social engineering hacks and calls to customer service to trick their way into resetting his passwords. Once they were into his email, the rest was easy and his digital life was forever changed.
There is a delicate balance in web security: user convenience versus maximum security. The most secure system would take the user too long to log into and would require too much memorization. Users would balk at such a system and refuse to use the service. But the easiest and most convenient system is the least secure: the simple password. And as recent hacks have shown, most people use embarrassingly bad passwords that can be guessed in no time.
So companies like Microsoft, Google, and others are working to figure out a way around the password that is secure and convenient. Google has already started with their two-step authentication (if you haven't already, please set it up on your account). This works by using two steps: password (something you know), with a code generated by your phone (something you have). To access your account, both steps are needed, meaning if somebody gets your password, but not your phone, you're safe.
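As an added illustration of the password-plus-phone-code scheme described above (this is example code, not code from the article, Google or the FIDO Alliance): a server-side check that accepts a login only when both a salted password hash and a time-based one-time code (TOTP, RFC 6238, the algorithm authenticator apps use) match. The user record, password and shared secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30   # TOTP time step; the phone and the server both use it
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, now // STEP_SECONDS)


def enroll(password: str, totp_secret: bytes) -> dict:
    """Build the stored user record: salted PBKDF2 hash, never the plain password, plus the TOTP secret."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def verify_login(record: dict, password: str, code: str, now: int, window: int = 1) -> bool:
    """Both factors must check out: something you know (password) and something you have (phone code).

    Both checks always run so that a wrong password does not short-circuit and leak which factor failed.
    `window` allows +/- one time step of clock drift between phone and server.
    """
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(record["pw_hash"], candidate)
    step = now // STEP_SECONDS
    code_ok = False
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(record["totp_secret"], step + drift), code):
            code_ok = True
    return pw_ok and code_ok


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret and a fixed time, so the output is reproducible.
    secret = b"12345678901234567890"
    user = enroll("correct horse battery staple", secret)
    phone_code = totp(secret, 59)          # what the user's phone would display at t=59
    print("password + code:", verify_login(user, "correct horse battery staple", phone_code, 59))
    print("stolen password, no phone:", verify_login(user, "correct horse battery staple", "000000", 59))
```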
But users don't typically like anything that makes the login process longer, so most wouldn't be interested in two-step authentication, no matter how much more secure it is.
The FIDO Alliance and its members hope to change that with a universal system that can be used in all desktop browsers and mobile devices. Authentication methods like biometrics, voice, etc. are all being considered, and FIDO authentication will use industry standard public key cryptography.
The password has been in use for so long, that most users probably think of it as totally secure and that their account isn't vulnerable. But as the stories of big companies being hacked and large amounts of user data being stolen continue to happen, the security of your account really comes into question.
Imagine, on the other hand, a system where your fingerprint is needed to log in. Even if hackers stole your password, they would still be locked out of your account without your fingerprint. If your password were stolen from a server tomorrow, what would happen to your account?
It's easy to see now why big companies are joining together to solve this problem. They want your information to be safe as much as you do.