Soon, You Won't Need to Enter Passwords If You Use an Android 7 Device. Is That Safe?

Android 7+ Devices Become FIDO Certified

On Monday, Google announced that very soon, virtually all devices running Android 7 and newer will be FIDO-certified. This, as you'll find out in a minute, is a massive piece of news, but we appreciate that at the moment some of you might be a bit confused, which is why we should probably get on with explaining what FIDO is and why it's so important.

FIDO and the password problem?

FIDO stands for Fast Identity Online, and it's an authentication protocol developed by a consortium of some of the world's biggest technology companies. The idea is to make authentication both easier and more secure. The best way to understand how it's going to do that is to compare it with what we have at the moment – the username and password system.

The standard procedure when you sign up for an online service is pretty straightforward. Upon registration, you create a set of login credentials which the service provider receives and stores. When you try to log in to your account, you enter your username and password, the service provider compares them to what it has on file, and if there's a match, you're allowed in. There are a number of fundamental problems with this mechanism.

Since your username is publicly available and often coincides with your email, the security of your account is more or less dependent on your password which, as we all know, can be (and in many cases is) weak. It can also be (and in many cases is) reused or phished, and we haven't even mentioned the way the password is relayed between the client and the server or the way service providers store it. The people designing FIDO have realized that the only way of dealing with all these problems is to eliminate the password altogether.

How does FIDO work?

FIDO makes use of public-key cryptography – a completely different approach. During the signup process, your FIDO device creates a pair of cryptographic keys – a public one that is sent to the service provider and a private one that remains on the device. When you log in, the service provider sends a random challenge, and your device uses your private key to sign it. The signed challenge is sent back to the provider, which uses your public key to verify the signature and confirm that it really is you on the other end of the line.

It is a somewhat complicated process, especially if you're not that familiar with how cryptography works, but the simple upshot is that if hackers want to take over your account, they'll need both cryptographic keys – the public one and the private one. Since they are stored in two different locations, stealing them is extremely hard, guessing them is basically impossible, and the protocol's design makes impersonating service providers very difficult, which means that regular phishing attacks won't work, either.
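To make the signup and login steps above concrete, here is an added Go example; it is not code from Google, the FIDO Alliance or this article. It models the device (Authenticator) and the service provider (RelyingParty) as two separate parties: only the public key crosses between them, the server verifies the signed challenge with that public key alone (no decryption and no server-side secret), each challenge is random and single-use, and the identity of the site the device thinks it is talking to is mixed into the signed data. The struct names, the `example.com` relying-party ID and the way the site identity is bound are assumptions of this example; real WebAuthn binds the origin through its client data and authenticator data structures, which this simplified digest only stands in for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the FIDO device. It keeps one key pair per relying
// party (rpID); the private half never leaves this struct.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register runs the signup step: generate a fresh P-256 key pair for rpID
// and hand back only the public key for the service to store.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a login challenge. rpID is the site the device believes it is
// talking to; it is mixed into the signed data, so a signature produced for a
// lookalike site is useless at the real one.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, challenge))
}

// signedDigest binds the challenge to the relying-party identity. This is a
// simplified stand-in (an assumption of this example) for WebAuthn's
// clientData/authenticatorData hashing.
func signedDigest(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0}) // separator so rpID and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty models the service provider. It stores public keys only,
// issues one single-use random challenge per login, and verifies signatures.
type RelyingParty struct {
	ID      string
	users   map[string]*ecdsa.PublicKey
	pending map[string][]byte // outstanding challenge per user
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, users: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll stores the public key received at signup.
func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.users[user] = pub }

// Challenge issues 32 random bytes the device must sign for this login.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks the signature with the stored public key. No secret lives on
// the server, and the challenge is consumed so a captured signature cannot
// be replayed against a later login.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, ok := rp.users[user]
	c, haveChallenge := rp.pending[user]
	if !ok || !haveChallenge {
		return false
	}
	delete(rp.pending, user)
	return ecdsa.VerifyASN1(pub, signedDigest(rp.ID, c), sig)
}

func main() {
	dev := NewAuthenticator()
	site := NewRelyingParty("example.com") // constructed relying-party ID
	pub, _ := dev.Register(site.ID)
	site.Enroll("alice", pub)
	c, _ := site.Challenge("alice")
	sig, _ := dev.Sign(site.ID, c)
	fmt.Println("genuine login verified:", site.Verify("alice", sig))
	site.Challenge("alice") // a new login: the old signature no longer matches
	fmt.Println("replayed signature verified:", site.Verify("alice", sig))
}
```

Two things worth noticing when you run it. The server never holds anything that could be stolen and turned into a login: a breach of `users` yields public keys only. And because the relying-party ID is part of what gets signed, a signature the device produces for a lookalike site (a different rpID) does not verify at the real one, which is the mechanism behind the phishing resistance described above.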

Implementing FIDO in an online service is as simple as activating an API, which means that your privacy is less dependent on what the provider does (or doesn't do). More importantly, for the first time in a very long while, we have what looks like a viable alternative to the hard-to-remember password.

Where does Android come in?

Google is rolling out an update to the Google Play Services component for Android devices running version 7.0 or newer. When users get it, they will be able to use their mobile phones as FIDO devices.

What this means is that logging into apps and services that support FIDO authentication will require nothing more than using your device's fingerprint scanner or punching in a PIN or a swipe pattern. You won't need to enter passwords for these applications and websites.

Is this good news?

Yes, it is. We're so used to protecting our data with passwords that the idea of abolishing them is bound to make some people a bit apprehensive, but as we've already established, the use of cryptographic keys instead of a memorized password is a much better solution in terms of both convenience and security. You will still need to use one of your device's authentication mechanisms to identify yourself, but all this happens locally, which makes a potential attack much harder. We're pretty sure that anyone who has ever had to enter a long, complex password on a small on-screen keyboard will welcome the change as well.

Where's the catch, then?

The involvement of so many leading technology giants means that FIDO's design has probably been carefully thought through, but we shouldn't get carried away. Some time ago, using the name of your dog as your password was good enough, whereas right now it isn't. In much the same way, the landscape will likely evolve, and the greater the number of services that adopt FIDO, the greater the number of people who will try to attack it. Speaking of adoption, it's still relatively low.

Quite a few services have implemented FIDO-based tokens as one of the options for Two-Factor Authentication (2FA), but few let you use the protocol as a primary login method. The fact of the matter is, it's still relatively new, and people don't quite understand how they can benefit from it. There's another problem.

According to Wired, close to 1 billion Android devices will become FIDO-certified which will bring the protocol closer to quite a few people, but when you think about how many more phones and tablets run on older versions of Google's mobile operating system, you'll see that this is far from enough. If people are to start using FIDO, the protocol must be supported on anything from smartwatches to desktop PCs, and vendors must also think about what they'll do with the mountains of Internet of Things gadgets that pour out of production lines all over the world at a truly astonishing rate. In other words, FIDO must become as ubiquitous as the password. And that's unlikely to happen any time soon.

Passwords are here to stay, and you must learn to treat them with respect. Click here to learn how our Cyclonis Password Manager can help you do that.

February 28, 2019