FIDO: Tell Passwords to Go Fetch!

Have you ever forgotten a password? If your answer is no, I can only assume you’re either lying or Marilu Henner. Passwords are the ultimate compromise in security: they are a lock whose key is only supposed to be known by some, but the lock itself has no way to enforce this. Early computers implemented them so that people working on massive mainframes could segregate their programs and files from those of others using the same machine. Nowadays, we have passwords on phones, computers, email, and hundreds of accounts, so it becomes nearly impossible to remember them all without a system or without reusing them.

Password managers are a great way to manage a massive database of other passwords, essentially offloading the task to a computer and only needing one password. But if that’s compromised, everything is. So intelligent people came up with 2FA, which assumes that anyone can find out a password, but only someone with something physical can prove they’re you or authorized to work as you.

This is the idea behind the FIDO alliance (Fast IDentity Online), a group that’s hoping to remove the need for passwords entirely. How does it work? Well, it’s a great example of tech building on earlier ideas, and it uses public key encryption.

Black Box
FIDO builds upon the idea that public key encryption uses two keys, one that never leaves your possession and one you can freely give to anyone (even those you don’t trust). It uses a physical device to store a key that can authenticate you with a given service. Like enrolling in 2FA, there is a first-time setup for a device, but afterward, you can use that device to sign in rather than a password. On the backend, the site sends the device a challenge encrypted with the public key. The device decrypts it (as it is the only one that can) and answers with a similarly encrypted response using the private key, which anyone with the public key can decrypt. This verifies that you are you and bypasses the need for additional factors.

Already in Use
If you have an Android device, you may have noticed apps asking you whether you want to register your biometrics. Doing so is Google’s way of implementing FIDO2. FIDO2 is the second generation of this standard, which lets users use devices they already own (phones) instead of requiring them to purchase dedicated FIDO devices. Apple and Microsoft already have things in place with some availability of FIDO2 and have pledged to implement more going forward.

Soon, “Hey, I forgot my password. Can you reset it?” phone calls will be a thing of the past!