Dumping passwords can improve your security -- really

Security keys, biometrics and a technology called FIDO are upgrading today’s feeble security foundation.

Passwords suck.

They’re hard to remember, hackers exploit their weaknesses and fixes often bring their own problems. Dashlane, LastPass, 1Password and other password managers generate strong and unique passwords for every account you have, but the software is complex. Services from Google, Facebook and Apple allow you to use your passwords for their services at other sites, but you have to give them even more power over your life online. Two-factor authentication, which requires a second passcode sent by text message or retrieved from a special app each time you log in, boosts security dramatically but can still be defeated.

A big change, however, could eliminate passwords altogether. The technology, called FIDO, overhauls the log-in process, combining your phone; face and fingerprint recognition; and new gadgets called hardware security keys. If it delivers on its promise, FIDO will make cringeworthy passwords like “123456” relics of a bygone age.

“A password is something you know. A device is something you have. Biometrics is something you are,” said Stephen Cox, chief security architect of SecureAuth. “We’re moving to something you have and something you are.”

Passwords are awful

Computer passwords have been fraught since at least the 1960s. Allan Scherr, an MIT researcher, ferreted out the passwords of other researchers so he could use their accounts to continue his “larceny of machine time” for his own project. In the 1980s, University of California, Berkeley astrophysicist Clifford Stoll tracked a German hacker across government and military computers left insecure because administrators didn’t change default passwords.

The nature of passwords prompts us to be lazy. Long, complex passwords, the ones that are the most secure, are the hardest for us to create, remember and type. So many of us default to recycling them.

That’s a huge problem because hackers already have many of our passwords. The Have I Been Pwned service includes 555 million passwords exposed by data breaches. Hackers automate attacks by “credential stuffing,” trying a long list of stolen usernames and passwords to find ones that work.

FIDO fixes

Fast Identity Online, better known as FIDO, addresses these problems. It standardizes the use of hardware devices, such as security keys, for authentication. Yubico, Google, Microsoft, PayPal and Nok Nok Labs, among others, are developing FIDO.

Security keys are digital equivalents of house keys. You plug them into a USB or Lightning port, allowing a single digital security key to work securely with many websites and apps. The key can dovetail with biometric authentication like Apple’s Face ID or Windows Hello. Some keys can be used wirelessly.

FIDO also lets sites and services replace passwords altogether, a change that could make your login life easier even as it makes hacking harder.

Fans are confident enough to make bold projections about its spread. “Within the next five years, every major consumer internet service will have a passwordless alternative,” says Andrew Shikiar, executive director of the FIDO Alliance, an industry consortium. “The bulk of those will be using FIDO.”

Because it works only with legitimate websites, FIDO stops phishing, a type of security attack in which hackers use a fraudulent email and a bogus site to con you into giving up your log-in information. FIDO also eases company worries about catastrophic data breaches, particularly of sensitive customer information like account credentials. Stolen passwords alone won’t be enough for a hacker to log on, and if FIDO catches on, companies might not require passwords to start with.

Signing on with no password

Here’s one way FIDO-based sign-on works without passwords. You’ll visit a website login page with your laptop, type in your username, plug in your security key, tap a button and then use the laptop’s biometric authentication, like Apple’s Touch ID or Windows Hello.

Conveniently, you’ll also be able to use your phone as a security key. Type in your username, get a prompt on your phone, unlock it, then approve yourself with its biometric authentication system. If you’re using your laptop, the phone communicates over Bluetooth.

FIDO supports the protection provided by multifactor authentication, which requires you to prove your log-in credentials in at least two ways.
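The two properties described above, a sign-on that never sends a password and one that works only with the legitimate site, come from a challenge-response over a key pair that is bound to the site's domain (the relying-party ID). The Go model below is an added illustration, not code from the article or from the FIDO Alliance: it assumes Ed25519 as the signature scheme, a minimal client-data record, and an RP ID derived by stripping `https://` from the origin, all simplifications of the real WebAuthn/CTAP format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"strings"
)

// Authenticator models a security key: one key pair per relying-party (RP) ID.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

// Register creates a credential scoped to rpID; the private key stays on the device.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a.keys[rpID] = priv
	return pub
}

// clientData is assembled by the browser; Origin is the site actually visited.
type clientData struct{ Challenge, Origin string }

// signedBytes is the message the key signs: sha256(rpID) || sha256(clientData).
func signedBytes(rpID string, cd []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	return append(rpHash[:], cdHash[:]...)
}

// Authenticate plays the browser: the RP ID comes from the real origin, so a
// look-alike domain maps to an RP ID the key holds no credential for.
func Authenticate(a *Authenticator, origin, challenge string) (cd, sig []byte, err error) {
	rpID := strings.TrimPrefix(origin, "https://")
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, nil, errors.New("no credential registered for " + rpID)
	}
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	return cd, ed25519.Sign(priv, signedBytes(rpID, cd)), nil
}

// Verify plays the server: fresh challenge (no replay), own origin, registered key.
func Verify(pub ed25519.PublicKey, rpID, origin, challenge string, cd, sig []byte) bool {
	var parsed clientData
	if json.Unmarshal(cd, &parsed) != nil || parsed.Origin != origin || parsed.Challenge != challenge {
		return false
	}
	return ed25519.Verify(pub, signedBytes(rpID, cd), sig)
}
```

Nothing secret ever travels to the server: it stores only the public key, and a response captured from one login is useless against the next challenge.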

How FIDO authentication works

Your first encounter with FIDO likely won’t look much different from two-factor authentication. You’ll first type a conventional password, then plug in or wirelessly connect a FIDO hardware security key.

Phones can be security keys, too