In the past half-decade, efforts to bring alternatives to the traditional password approach have picked up steam—thanks in no small part to the FIDO Alliance, which is playing the long game.
Passwords are famously problematic—in part because all the good ones are hard to remember and we’re faced with so many password prompts on a daily basis that there’s a natural tendency to reuse the ones that work.
For years, the case has been made that we need to eventually move away from this password-driven past into something more secure.
But now, that push is getting some teeth: Microsoft recently announced that Windows Hello, the sign-in feature you may know from recent Windows laptops (its facial-recognition mode relies on an infrared camera, and it also supports fingerprint readers and a device-local PIN), had received a key certification from the FIDO Alliance, an industry group that has spent years building authentication standards that go beyond the password.
The FIDO2 certification means Windows Hello can act as a standard FIDO2 authenticator, which is what lets Microsoft offer sign-in to its own accounts and to FIDO-enabled websites with no password at all in future versions of Windows; the company plans to start with its Windows 10 May 2019 update. And because Windows is so widely used, the sheer scale of that rollout is expected to be unprecedented.
“Windows Hello was built to align with FIDO2 standards so it works with Microsoft cloud services and within heterogeneous environments,” Microsoft Principal Group Program Manager Yogesh Mehta said in a news release. “Today’s certification announcement brings this full circle, allowing organizations and websites to extend certified FIDO Authentication to over 800 million active Windows 10 devices.”
(For those of you concerned about privacy: Microsoft has specifically declined to make its facial-recognition tools available to, for example, law enforcement, and in this context we're talking about logins to your own machines, such as laptops and tablets. Just as important, the FIDO2 design keeps the biometric on the device: your face or fingerprint only unlocks a cryptographic key stored locally, and what the website or cloud service receives is a signature from that key, never the biometric itself.)
Quietly enough, this could be a turning point for the state of digital security.
Perhaps I was a little early on the draw when I first wrote about the FIDO Alliance in 2013, complete with the headline "Is Now the Time to Move Past Password-Based Security?" But a lot has happened since the alliance got moving, and it's not limited to the work Microsoft recently put in, which is likely to have an outsized effect simply because of its scale.
Other recent victories for the group include FIDO2 certification for the Android platform (version 7.0 and later), which means you can now use your phone as a security key to sign in to your Google account on your computer; certification of the in-screen fingerprint sensor on the latest Samsung phone; and an announcement that it was teaming up with the payments group EMVCo and the World Wide Web Consortium (W3C) to standardize the use of FIDO-style, biometric-capable authentication in online payments.
And that's saying nothing of the growing popularity of hardware security keys like the YubiKey, which implement the alliance's U2F and FIDO2 standards.
It takes a lot of work to make logging in without a password seem easy, but the FIDO Alliance seems to be putting the right pieces in place. The challenge, it seems, is going to be winning over consumers, who have had password-centric habits deeply ingrained into their routines.
Plenty of tools exist for shoring up passwords, and they remain necessary, but weaknesses in those models have emerged over time. As I wrote in 2017, two-factor authentication, a popular way to add an extra layer on top of the password, was becoming less attractive in its text-message form as the telephone number itself became a security weakness (whoever takes control of your number, through a SIM swap or a port-out, receives your codes). And in February, an independent security firm tried to poke holes in the password-manager model, a standby of many organizations, by reporting that the "master password" of tools like LastPass and 1Password could remain in memory, unencrypted. (1Password, for one, made clear that it encrypts the master password.)
It’s enough to make associations freak out, of course, but at some point, security has to take a back seat to reality: Try as you might, there will always be weaknesses like these, and you will still need to respond to them.
But that said, there’s still a whole lot of positive to take from the shift away from passwords, which could mitigate one of the bigger pain points for many associations.
Of course, even with all the recent progress, the change won’t happen overnight. Speaking to The Verge last month, the FIDO Alliance’s executive director, Brett McDowell, portrayed the situation as one of attrition.
“User habits and market forces will make the password a novelty, but it’ll still be a supported novelty for a long time,” McDowell told the website. “Over time, market forces will make the password less and less interesting, less viable, and less effective.”
And it is hard to get "less interesting" than a login that makes you remember a confusing string when the alternative lets your own face stand in for the password.