Ending Passwords Isn’t a Good Idea, Here’s Why

Passwords are considered a nuisance on the internet today, because people are too prone to using simple, easy-to-guess passwords, or reusing the same password everywhere (which means that as soon as one account is compromised, other accounts using the same password are too).

To overcome this problem, there are password managers, as well as two-factor authentication systems (such as verification codes sent by SMS). But the FIDO Alliance has been working on an even more radical solution: the end of passwords.

As we mentioned in a previous article, the login mechanism designed by this alliance is not based on passwords but on cryptographic keys, or passkeys. When creating an account on an online service that supports this technology, no new password is registered; instead, a cryptographic key is created and stored on the user's device (which must also support the technology).

And when the user wants to log into their account, they do not enter a password. Instead, they unlock the key with the mechanism built into their device, thereby proving their identity. On a smartphone, this could be a fingerprint scanner or a PIN. It's like using a password manager, but without the passwords.
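The registration and login flow described above, as an added example that is not part of the original article: the service keeps only a public key, the device signs a fresh per-login challenge once the local unlock has happened, and the private key never leaves the device. It uses Go's standard-library Ed25519 in place of the real FIDO/WebAuthn message formats, and the type and function names are illustrative, not FIDO's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// RelyingParty is the online service; it stores only each account's public key.
type RelyingParty map[string]ed25519.PublicKey
// Authenticator is the user's device; the private key never leaves it, and the
// local unlock (fingerprint or PIN) is modelled as the unlocked flag.
type Authenticator struct {
	priv     ed25519.PrivateKey
	unlocked bool
}
// Register replaces "choose a password": the device mints a key pair and the
// service keeps only the public half, so a leaked database yields no credential.
func Register(rp RelyingParty, user string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp[user] = pub
	return &Authenticator{priv: priv}, nil
}
// Challenge issues a fresh random nonce per login, so a captured signature
// cannot be replayed against a later login attempt.
func (rp RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand aborts the program rather than return weak bytes (Go 1.24+)
	return c
}
// Sign proves possession of the key, but only once the user has unlocked the device.
func (a *Authenticator) Sign(challenge []byte) (sig []byte, ok bool) {
	if !a.unlocked {
		return nil, false
	}
	return ed25519.Sign(a.priv, challenge), true
}
// Verify checks the signed challenge against the public key stored for the account.
func (rp RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}
func main() {
	rp := RelyingParty{}
	auth, _ := Register(rp, "alice")
	auth.unlocked = true // the user scans a fingerprint or enters the PIN
	ch := rp.Challenge()
	sig, _ := auth.Sign(ch)
	fmt.Println("login ok:", rp.Verify("alice", ch, sig)) // login ok: true
}
```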

Apart from the fact that these passkeys are more secure than traditional passwords, they are also more practical for the user. Moreover, the technology should be very accessible since it is supported by Apple, Google, and Microsoft, which control the main platforms for smartphones and computers.

Passkeys don’t just have advantages

But unfortunately, this technology intended to put an end to passwords does not only have advantages. As an article recently published by Fast Company pointed out, adopting this system will make us even more dependent on the digital giants.

Indeed, once you have started using passkeys in one ecosystem, for example Google's or Apple's, you risk being locked into it. These keys can be synced to a Google Account or an Apple Account (much like the password managers these two companies already offer), but you'll have a hard time switching from one ecosystem to the other.

Quoted by Fast Company, Andrew Shikiar, executive director of the FIDO Alliance, admitted that as things stand there is not yet a way to transfer all of your passkeys from one ecosystem to another.

“We don’t really have a batch export method yet,” he explained. “I think it’s probably a future iteration.”

According to Fast Company, what is currently in the pipeline is the ability to transfer passkeys one at a time. “[…] if you create an account with an iPhone and want to sign in on a Windows PC, Microsoft may create its own authentication key for this service after you authenticate through your phone,” the article reads.

Sam Srinivas, Google’s director of product management for secure authentication and also the chairman of the FIDO Alliance, insists that the goal is not to lock users into the platforms they use.

The alliance is moving cautiously, however, for fear that if it launched a feature allowing batch transfer of passkeys, attackers would take advantage of that mechanism. “[…] if someone is given a sloppy mechanism to export all those keys, you know who’s going to show up first for that,” Srinivas explained.

One solution would be to let third-party password managers, which are not tied to a particular ecosystem, manage users’ passkeys.
