Image: The FIDO Alliance's U2F open standard lets compatible USB security keys and other small devices simplify two-factor authentication. (Credit: FIDO Alliance)
Passwords offer weak protection but “they’re darn cheap to implement,” a recent Forrester report points out. That’s why passwords continue to be the go-to protection for so many systems. But with the ever-growing list of password breaches – not to mention the availability of faster hardware, making password cracking an increasingly trivial task – 56 percent of firms told Forrester they want to move away from passwords in the next three years.
Windows 10 can be part of a strategy for doing that, and, thanks to Microsoft’s participation in the FIDO Alliance, any changes you make to support that strategy will work across a wide range of devices and authentication options.
Several services already offer ways to do away with passwords. Yahoo recently introduced a “password-free” account key: a push notification sent to a registered iOS or Android device lets Yahoo Mail users confirm that it really is them trying to log in. If you’d like to use that model for your own apps, Twilio recently launched the OneTouch option for its Authy authentication service, which uses a similar mobile push notification to have users confirm a login instead of typing a password. It can also be used to confirm other sensitive transactions, which makes it more than just a password replacement.
“OneTouch is the next generation beyond using a soft token or a one-time code via SMS, and you can use it for authentication and for authorisation,” says Twilio’s Marc Boroditsky. “That could be a parent approving a transaction for a child, or multiple parties in escrow or a workflow sequence of approvals.” Payroll companies and digital signing services are planning to use the system to handle transactions that need to be authorized by multiple people.
“We have non-repudiation built in,” says Boroditsky. “We have a digital record of the authentication taking place that’s not just someone clicking OK on their computer.” Authy OneTouch doesn’t use biometrics to replace a password; instead it considers multiple signals. It isn’t just that you’re using your own phone; it’s where you are and how you’re behaving. Are you on the other side of the world, connected via a VPN instead of on your office network? If the system decides your login is unusual, it won’t just sign you in; at that point, it might ask you to use two-factor authentication, including biometrics.
That is easier to add to a new application than to retrofit onto a system that was designed around passwords, he admits. “To make this really universal, this is where FIDO plays a role. We do two-factor authentication, we are working with FIDO – and when there is FIDO it will be easier.”
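To make the flow described above concrete, here is an added illustration (it is not Twilio's or Authy's code and is not from the original article) of the two pieces that such a push-approval service needs: a risk score over the signals the article mentions (where the request comes from, whether it arrives over a VPN, what time it is) that decides between a plain one-tap approval and a step-up to a second factor, and a one-time challenge that the enrolled phone signs and the server keeps as its record of the approval. The signal weights, the device and action names, the sample contexts and the choice of Ed25519 are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device is what the server knows about an enrolled phone: its public key
// (the private half never leaves the phone) and the country it usually
// approves from. Constructed sample schema, not Authy's.
type Device struct {
	ID          string
	PublicKey   ed25519.PublicKey
	HomeCountry string
}

// LoginContext carries the signals evaluated before an approval is requested.
type LoginContext struct {
	Country string
	ViaVPN  bool
	Hour    int // local hour, 0-23
}

// ApprovalRecord is the audit entry kept for each approved action: who, what,
// the one-time challenge, and the device's signature over all three.
type ApprovalRecord struct {
	DeviceID  string
	Action    string
	Challenge []byte
	Signature []byte
}

type Server struct {
	devices map[string]Device
	pending map[string]string // challenge (hex) -> "deviceID|action"
	Records []ApprovalRecord
}

func NewServer() *Server {
	return &Server{devices: map[string]Device{}, pending: map[string]string{}}
}

func (s *Server) Enroll(d Device) { s.devices[d.ID] = d }

// RiskScore adds up the signals; the weights are assumptions for this example.
func (s *Server) RiskScore(deviceID string, ctx LoginContext) int {
	d, ok := s.devices[deviceID]
	if !ok {
		return 100 // unknown device: never approvable by push alone
	}
	score := 0
	if ctx.Country != d.HomeCountry {
		score += 2
	}
	if ctx.ViaVPN {
		score += 1
	}
	if ctx.Hour < 7 || ctx.Hour > 20 {
		score += 1
	}
	return score
}

// Decide returns "push" (a tap on the phone is enough), "step_up" (also require
// a second factor such as a biometric) or "deny".
func (s *Server) Decide(deviceID string, ctx LoginContext) string {
	switch score := s.RiskScore(deviceID, ctx); {
	case score >= 100:
		return "deny"
	case score >= 2:
		return "step_up"
	default:
		return "push"
	}
}

// IssueChallenge creates a random one-time nonce bound to one device and one action.
func (s *Server) IssueChallenge(deviceID, action string) ([]byte, error) {
	if _, ok := s.devices[deviceID]; !ok {
		return nil, errors.New("unknown device")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(nonce)] = deviceID + "|" + action
	return nonce, nil
}

// approvalMessage is the exact byte string the phone signs. Binding the action
// text in means a signature over "pay 10" is useless for "pay 10000".
func approvalMessage(deviceID, action string, challenge []byte) []byte {
	return []byte(deviceID + "|" + action + "|" + hex.EncodeToString(challenge))
}

// DeviceApprove is what the phone does when the user taps "Approve".
func DeviceApprove(priv ed25519.PrivateKey, deviceID, action string, challenge []byte) []byte {
	return ed25519.Sign(priv, approvalMessage(deviceID, action, challenge))
}

// VerifyApproval rejects unknown or already-used challenges (replays), checks the
// signature against the enrolled key, then consumes the challenge and records it.
func (s *Server) VerifyApproval(deviceID, action string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	expect, ok := s.pending[key]
	if !ok {
		return errors.New("unknown or already-used challenge")
	}
	if expect != deviceID+"|"+action {
		return errors.New("challenge was issued for a different device or action")
	}
	if !ed25519.Verify(s.devices[deviceID].PublicKey, approvalMessage(deviceID, action, challenge), sig) {
		return errors.New("bad signature")
	}
	delete(s.pending, key)
	s.Records = append(s.Records, ApprovalRecord{DeviceID: deviceID, Action: action, Challenge: challenge, Signature: sig})
	return nil
}

// RecordVerifies lets an auditor re-check a stored record against the enrolled
// public key later, which is what makes the record more than "someone clicked OK".
func (s *Server) RecordVerifies(r ApprovalRecord) bool {
	d, ok := s.devices[r.DeviceID]
	return ok && ed25519.Verify(d.PublicKey, approvalMessage(r.DeviceID, r.Action, r.Challenge), r.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s := NewServer()
	s.Enroll(Device{ID: "phone-1", PublicKey: pub, HomeCountry: "SG"})
	fmt.Println(s.Decide("phone-1", LoginContext{Country: "SG", Hour: 10}))              // push
	fmt.Println(s.Decide("phone-1", LoginContext{Country: "US", ViaVPN: true, Hour: 3})) // step_up
	ch, _ := s.IssueChallenge("phone-1", "approve payroll run")
	sig := DeviceApprove(priv, "phone-1", "approve payroll run", ch)
	fmt.Println(s.VerifyApproval("phone-1", "approve payroll run", ch, sig)) // <nil>
	fmt.Println(s.VerifyApproval("phone-1", "approve payroll run", ch, sig)) // replay rejected
}
```

Two design points carry over to any real deployment. First, the signature must cover the action being approved and a fresh nonce, not just "yes": otherwise an approval captured once can be replayed, or a consent to a small transaction reused for a large one. Second, the record only has non-repudiation value because the signing key lives on the phone and the server holds only the public half; a shared-secret scheme (an HMAC or a one-time code the server can also compute) proves at most that one of the two parties acted. That device-held key is exactly what the FIDO standards formalize, which is why the article ties universal adoption to FIDO.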