Of course, some experts note that there is an increasing risk of attackers figuring out ways to clone biometrics like fingerprints, voice or iris scans.
“I don’t want to supply a version of my iris to just anybody,” McGraw said. “I’ve already given my fingerprints to the U.S. government and they happily turned them over to the Chinese.”
McDowell acknowledges that biometrics can be spoofed – what he called a “presentation attack.” But he said the FIDO standard eliminates most of the risk for the same reason stated earlier – the biometric information never leaves the user’s device. “A biometric spoof attack against a FIDO credential can only be attempted if the attacker has physical possession of the user’s device,” he said. “It cannot be performed by social engineering, phishing, or malware.”
Gupta agreed that this is likely to make attacks much more expensive, and will therefore improve security. “As long as new forms of authentication can make sure that the cost of performing a breach is higher than the value gained from the breach, we are safe,” he said.
Still, nobody thinks the password will disappear anytime soon. McDowell, bullish as he is on the FIDO standard, said he knows it will take significant time for it to become “standard.”
He noted that there are more than 200 FIDO Certified implementations on the market, which he said has “surpassed all my expectations.” The Alliance also announced last month that “Microsoft will be integrating FIDO into Windows 10 for passwordless authentication,” and that the Alliance is “working with the World Wide Web Consortium to standardize FIDO strong authentication across all web browsers and related web platform infrastructure.”
But McDowell acknowledged that “there is definitely going to be a ‘long tail’ for password use. While we are well on our way to seeing most of the applications and devices commonly used every day offering their users FIDO-enabled authentication, passwords will continue to be part of these systems for years to come.”
McGraw, who is a fan of 2FA and whose firm requires it of its employees, said the reality is that “there is no such thing as perfection. It is always going to be an arms race.”