Apple, Google, and Microsoft have recently announced that they intend to accelerate the availability of passwordless sign-ins using the common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium (W3C). Julia O'Toole questions this approach and asks whether it is the result of confusing identity and access control.
The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to ‘address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords’.
Under the FIDO approach, users will sign in through the same action that they already take multiple times each day to unlock their devices, such as verification of their fingerprint or face, or a device PIN. This approach ‘protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS’, says FIDO.
In theory, this will reduce the reliance on passwords and give users a way of keeping their credentials to hand as they move from device to device. In practice, the longing for convenience and ease of access has pushed security to the side and could leave users’ vital data vulnerable to threat actors.
Identity versus access
FIDO’s approach to passwords, while convenient, first reveals a dangerous confusion between access and identity. Contrary to popular belief, the two are not interchangeable. Identities are fixed while access keys are changeable. In the physical world, we use them for different needs.
Your identity is used to identify yourself, for example when you cross a country border, when you need to prove you have the legal rights to live in a country or to live in a house. Your legal identity is fixed and doesn’t change when you change job or country. Your identity is unique.
Access, on the other hand, is granted by an authority such as a company or a landlord, to allow certain people to enter certain places. Access is usually granted by giving someone a key, and keys don’t depend on people’s identity. For example, when you go home, your door doesn’t look at you, recognise you and open for you. If you have the keys, you can open the doors.
Contrary to your unique identity, you can have as many keys as you have doors, which means if you lose your car key for example, it doesn’t affect your house or your office. You can simply change your keys.
Now imagine that you use your identity biometrics to access everything you own. Biometrics are simply a unique combination of 0s and 1s. We know from recent data breaches that large databases of identity biometrics can and have been stolen. If your biometrics are stolen, not only can you immediately lose everything you have, but you also can’t go back and delete them. Biometric theft is permanent, which means you will always face the risk of someone using your identity illegally. Does convenience justify taking such high risks?
Who, except a locksmith, makes their own keys?
Another point of confusion concerns access keys. People have long believed that they need to create passwords and remember them. But passwords are just keys, digital keys. Who, except locksmiths, ever designed and cut their own keys to open their house, their car or their safe? People simply retrieve the right key and use it.
In the digital world there are no physical obstacles to stop people stealing your keys, so one simple defence is to use encrypted passwords. If you don’t know or see your passwords, you can’t inadvertently give them away. There are different ways to manage encrypted passwords for different needs, the safest of which is to keep them in a fortress with multiple levels of security for different passwords that only the owner can access.
According to Verizon’s Data Breach Investigations Report 2022, 82 percent of all data breaches involve a human element such as social attacks, phishing and password misuse. In the business world, companies can protect themselves from this human element by distributing end-to-end encrypted passwords for every system to all of their employees, digitally handing people individual access keys that they can use without ever seeing them.
End-to-end encryption means passwords stay out of reach at every stage, from creation, distribution and storage through use to expiry. That way, employees can’t know the passwords, so they cannot give them away in phishing attacks. Not knowing passwords also means not forgetting passwords, which saves organizations money on password resets and lost productivity.
All your data behind a single point of access
A third point of confusion concerns the use of a single point of access. In the physical world, it’s unsafe to have a single key for your house, car and office, because losing that key means losing everything you have. But in the digital world, in return for convenience, people have been advised to use a single master password, biometric or PIN, as in the FIDO approach, to access all their digital assets. For people who follow that advice, it means one attack could cause the loss of all of their accounts and data at once.
A warning spike in physical assaults
The list of issues that ensues from FIDO’s approach is endless, but none has more chilling implications than the risk of turning everyone who owns a portable device like a smartphone into an obvious target for physical crime. When every device essentially holds the keys to all your wealth, you become a walking wallet with an easy target on your back. There have already been many cases of people being physically assaulted in the city of London and forced to give their fingerprint or face ID to open their devices, so that criminals could steal all their cryptocurrency.
Time and time again, new technology has been implemented without proper security assessment and has ended up proving more harmful to people. Before accepting FIDO’s approach, people should remember the old adage: be careful what you wish for.
The author
Julia O'Toole is CEO and Founder of MyCena.