The days of "Password123" and "qwerty" are numbered. And, honestly, good riddance. Single-factor authentication is laughably easy to crack, through things like phishing attacks and rampant malware. So not only are passwords obsolete, they in fact pose a huge risk.
Luckily, the FIDO ("Fast IDentity Online") Alliance is coming to the rescue. The organization developed a brand new standard called "Web Authentication" (WebAuthn, to all those hip teens), Motherboard reports. Now any web site that uses the application interface could require users to log in with at least two or more steps of authentication, with the ability to use biometric data for one or more of them.
Multi-factor authentication, as it exists now, can also be a real burden to users: tying private keys to personal phone numbers can become tedious, and could even lock users out of their accounts if they can no longer access that phone number.
The experience of using the new WebAuthn standard is very straightforward. In fact, in some cases, you won't have to change your behavior at all.
Large parts of the new WebAuthn standard were pretty much ready to roll out back in 2014, but FIDO couldn't figure out how to implement it on mobile devices. Now that basically every recent smartphone is equipped with at least one kind of biometric sensor— fingerprint-readers, facial recognition software in the cameras — the time is finally ripe.
WebAuthn is easy enough to use on a smartphone, then, but what about devices that don't have a fingerprint or face-reading device? This is where things aren't quite so seamless — they'll need an external piece of hardware to comply with the WebAuthn standard. Security hardware companies such as Yubico have developed hardware keys that act like a USB-stick-like authenticator.
Admittedly, carrying a dorky lanyard around your neck just in case you need to stick into a port on your device is not exactly the sexiest solution. But it's substantially safer than using a simple password. Safety first, kids!
This all might sound annoying, but we'll take it for granted when all our browsers start using it. So far, Google Chrome and Windows Edge have shown signs that they will soon adopt the technology. Mozilla's Firefox has already implemented it. Apple's Safari has shown no signs of interest just yet, though Apple has started working with a related working group, and could soon be jumping on board.
"My biometric data all over the internet, you say?" Yes, it sounds scary — we've seen all the nasty stuff that can happen when data lands in the wrong hands. And now they want your fingerprint and face scan as well? You might be tempted to pass.
But having an additional safeguard on your logins and private data on the web is always a good thing. Passwords have proven time and time again that they are security hazard, and the sooner we move away from them, the better. Plus, they're a huge pain in the ass. How am I supposed to remember what every password is if it's supposed to be unique, contain capital letters and numbers and characters?
Moving on from passwords is a no-brainer. Not only is a simple fingerprint-scan a whole lot easier for users, it instantly adds another great layer of security needed in the age of data breaches, hacks, and global malware attacks. But users will have to embrace the technology to make it widespread, and actually useful.