Dumping passwords can improve your security — really

Security keys, biometrics and a technology called FIDO are upgrading today’s feeble security foundation.

Hardware security keys add new security to passwords and can replace them entirely.
Brett Pearce/CNET

Editor’s note: In recognition of World Password Day, CNET is republishing a selection of our stories on improving and replacing passwords.

Passwords suck.

They’re hard to remember, hackers exploit their weaknesses and fixes often bring their own problems. Dashlane, LastPass, 1Password and other password managers generate strong and unique passwords for every account you have, but the software is complex. Services from Google, Facebook and Apple allow you to use your passwords for their services at other sites, but you have to give them even more power over your life online. Two-factor authentication, which requires a second passcode sent by text message or retrieved from a special app each time you log in, boosts security dramatically but can still be defeated.

A big change, however, could eliminate passwords altogether. The technology, called FIDO, overhauls the log-in process, combining your phone; face and fingerprint recognition; and new gadgets called hardware security keys. If it delivers on its promise, FIDO will make cringeworthy passwords like “123456” relics of a bygone age.

“A password is something you know. A device is something you have. Biometrics is something you are,” said Stephen Cox, chief security architect of SecureAuth. “We’re moving to something you have and something you are.”

This week, CNET is taking a look at changes that’ll help free us from password problems. Such changes are a massive effort that’ll affect you every time you check email, transfer money or log in to your employer’s network. We look at approaches to authentication that dispense with passwords, the shortcomings of two-factor authentication and the benefits of password managers. We provide some updated password-picking advice, because deeper password improvements will take years to arrive. Finally, my colleague Scott Stein shares a cautionary tale about what can go wrong with a password manager.


Passwords are awful

Computer passwords have been fraught since at least the 1960s. Allan Scherr, an MIT researcher, ferreted out the passwords of other researchers so he could use their accounts to continue his “larceny of machine time” for his own project. In the 1980s, University of California, Berkeley astrophysicist Clifford Stoll tracked a German hacker across government and military computers left insecure because administrators didn’t change default passwords.

The nature of passwords prompts us to be lazy. Long, complex passwords, the ones that are the most secure, are the hardest for us to create, remember and type. So many of us default to recycling them. 

That’s a huge problem because hackers already have many of our passwords. The Have I Been Pwned service includes 555 million passwords exposed by data breaches. Hackers automate attacks by “credential stuffing,” trying a long list of stolen usernames and passwords to find ones that work.

FIDO fixes

Fast Identity Online, better known as FIDO, addresses these problems. It standardizes the use of hardware devices, such as security keys, for authentication. Yubico, Google, Microsoft, PayPal and Nok Nok Labs, among others, are developing FIDO.

Security keys are digital equivalents of house keys. You plug them into a USB or Lightning port, allowing a single digital security key to work securely with many websites and apps. The key can dovetail with biometric authentication like Apple’s Face ID or Windows Hello. Some keys can be used wirelessly.

FIDO also lets sites and services replace passwords altogether, a change that could make your login life easier even as it makes hacking harder.


Fans are confident enough to make bold projections about its spread. “Within the next five years, every major consumer internet service will have a passwordless alternative,” says Andrew Shikiar, executive director of the FIDO Alliance, an industry consortium. “The bulk of those will be using FIDO.”

Because it works only with legitimate websites, FIDO stops phishing, a type of security attack in which hackers use a fraudulent email and a bogus site to con you into giving up your log-in information. FIDO also eases company worries about catastrophic data breaches, particularly of sensitive customer information like account credentials. Stolen passwords won’t be enough for a hacker to use to log on, and if FIDO catches on, companies might not require passwords to start with.

Signing on with no password

Here’s one way FIDO-based sign-on works without passwords. You’ll visit a website login page with your laptop, type in your username, plug in your security key, tap a button and then use the laptop’s biometric authentication, like Apple’s Touch ID or Windows Hello.

Conveniently, you’ll also be able to use your phone as a security key. Type in your username, get a prompt on your phone, unlock it, then approve yourself with its biometric authentication system. If you’re using your laptop, the phone communicates over Bluetooth.

FIDO supports the protection provided by multifactor authentication, which requires you to prove your log-in credentials in at least two ways.

How FIDO authentication works

Your first encounter with FIDO likely won’t look much different than two-factor authentication. You’ll first type a conventional password, then plug in or wirelessly connect a FIDO hardware security key.

The process still uses passwords, but it’s more secure than passwords alone or passwords bolstered by codes sent by SMS or retrieved from authenticators like Google Authenticator. This approach — password plus security key — is how you can use FIDO today on Google, Dropbox, Facebook, Twitter and Microsoft services like Outlook.com and eventually Windows.

“Hardware security keys are very, very secure,” said Diya Jolly, chief product officer of authentication service company Okta. That’s why congressional campaigns, the Canadian government’s computing services division and all Google employees use them.

Consumer services today often require you to plug in the keys only when logging in for the first time on a new PC or phone, or when you’re taking a particularly sensitive action like transferring money out of your bank account or changing your password. Of course, a security key can be a hassle if you don’t have it readily available when you need it.

Security keys for sale today include Yubico’s Yubikeys and Google’s Titan. Basic models cost $20, but you’ll spend $40 and up if you want ones supporting USB-C or Lightning ports or wireless communications. Advanced models like Ensurity’s ThinC, eWBM’s Goldengate G320 and Feitian’s BioPass have built-in fingerprint readers, a feature Yubico is working on, too.

You should buy at least two keys in case you lose, break or forget your main key. With most services, you can register multiple keys, so you can leave one at home or in a safe-deposit box.

Yubico is one of the major sellers of security keys. This basic YubiKey model plugs into USB ports. You have to touch the button to show you’re really present while using it.
Stephen Shankland/CNET

Phones can be security keys, too

Google built FIDO key technology directly into Android in 2019 and did the same with its iPhone software in January. That lets you log in to your Google account on your laptop with a prompt that appears on your phone, as long as it’s within Bluetooth range of your laptop. Expect this approach to spread beyond Google.

Websites and browsers get FIDO authentication with a feature called WebAuthn. FIDO is built into Android so apps can use it, too, and Apple just joined the FIDO Alliance, which bodes well for FIDO support in iPhone apps.

Microsoft is a major supporter, too. It leapfrogged Google by enabling no-password log-in for Outlook, Office, Skype, Xbox Live and other online services. You’ll need a hardware key combined with Windows Hello face recognition technology or fingerprint ID; a hardware key combined with a PIN code; or a phone running Microsoft’s Authenticator app.

FIDO protection against phishing

FIDO uses the public key cryptography technology that’s protected credit card numbers online for decades. A big advantage of this approach is that a FIDO security device — either a hardware security key or a phone acting as one — won’t work with faked websites, a common trap set by hackers when phishing for passwords. Unlike people, who often don’t notice a well-crafted bogus website, security keys are registered to work only with a legitimate site.

“With security keys, instead of the user needing to verify the site, the site has to prove itself to the key,” Mark Risher, a leader of authentication work at Google, wrote in a blog post. Successful phishing attempts dropped to zero at Google after it moved its tens of thousands of employees to security keys.

No passwords also means a decrease in sensitive data for hackers to steal. That’s music to the ears of IT administrators. With FIDO, SecureAuth’s Cox says, companies no longer have “centralized databases of credentials to be stolen.”
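The origin binding and challenge/response described above, as an added Go simulation that is not code from the article, Google or the FIDO Alliance: the key holds one key pair per site and signs a fresh server challenge only for the origin it was registered with, while the server stores nothing but public keys. The site name `bank.example`, the look-alike origin and the `origin|challenge` signing format are constructed placeholders, not the real WebAuthn encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models a FIDO security key: one key pair per site, indexed by the site identity the browser reports; the private half never leaves the device.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }
// RelyingParty models the site's server: it stores only the public key, so a stolen copy of its database gives an attacker nothing to log in with.
type RelyingParty struct {
	ID     string // site identity; "bank.example" below is a constructed placeholder
	pubKey *ecdsa.PublicKey
}
// Register mints a fresh P-256 key pair bound to rpID and returns only the public key.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if a.creds == nil { a.creds = map[string]*ecdsa.PrivateKey{} }
	a.creds[rpID] = priv
	return &priv.PublicKey
}
// Assert signs the challenge bound to the origin the browser saw; a look-alike phishing origin has no credential, so the key refuses instead of the user having to spot the fake.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, bool) {
	priv, ok := a.creds[origin]
	if !ok { return nil, false }
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil { panic(err) }
	return sig, true
}
// Verify checks the signature against the challenge the site issued and its own ID.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	h := sha256.Sum256(append([]byte(rp.ID+"|"), challenge...))
	return ecdsa.VerifyASN1(rp.pubKey, h[:], sig)
}
// LoginFlow runs one challenge/response; the fresh random challenge means a captured signature cannot be replayed.
func LoginFlow(rp *RelyingParty, auth *Authenticator, origin string) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil { panic(err) }
	sig, ok := auth.Assert(origin, challenge)
	return ok && rp.Verify(challenge, sig)
}
func main() {
	auth, rp := &Authenticator{}, &RelyingParty{ID: "bank.example"}
	rp.pubKey = auth.Register(rp.ID)
	fmt.Println(LoginFlow(rp, auth, "bank.example"), LoginFlow(rp, auth, "bank-example.phish")) // true false
}
```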

Post-password problems

Here’s the bad news. It won’t be easy moving to our passwordless future. We’re all used to passwords, and we’re more or less comfortable with how they work. We all have our own tricks for keeping them sorted.

Setting up security keys is harder than picking a password. It’s complicated because different websites use different procedures to register and use security keys. For example, Twitter lets you use only one hardware security key today, which means backup keys won’t work.

Enrollment — the process of registering a security key with a service — “is a terrible problem,” said Jerrod Chong, chief solutions officer at Yubico, a 12-year-old company that makes security keys and is an important player in the FIDO Alliance. He expects enrollment to improve, though. (Indeed, using security keys has become smoother over the year I’ve been doing so.)

Multiply the number of accounts you have by the number of keys you have, and you’ll get a sense of the key-management hassle you face. Hardware security keys can break or be stolen, too, and Bluetooth keys can run out of batteries.

“Most people are familiar with passwords. It’s something they’ve grown up with. It’s imprinted on them,” said Forrester security analyst Chase Cunningham. “From a consumer level, we’re probably five to seven years out from killing passwords being a reality.”

Inside companies, hardware security keys won’t be an easy sell. They cost money, employees lose or forget them, and, perhaps most importantly, they’re just different from what people are used to. Heck, most people don’t even enable two-factor authentication, even though that would dramatically improve their security.

“Usernames and passwords are still the most prevalent option,” said Matias Woloski, CTO and co-founder of Auth0, which sells authentication services. “Nobody wants to take a shot at not providing that option.”

Making the case for security keys

Still, it’s important to weigh the problems with security keys against those we already face with passwords.

Hardware security keys thwart the large-scale cybercrime that passwords enable. Mechanisms to reset forgotten passwords are expensive and can be exploited by account-stealing hackers. And let’s face it — it’s a practical impossibility to remember strong, unique passwords for all the sites you use.

FIDO-powered security keys and phones, and eventually passwordless logins, will improve fundamentally feeble security, says Joe Diamond, Okta’s vice president of product. “It’s clearly the future.”