Will Passwords Ever Go Away? Maybe.

Category: Security

Passwords have been a thorn in the side of computer users for a very long time. Passwords are forgotten, at best. At worst, they are posted in plain view, rendering them useless. Finally, we see some real hope that passwords and all their irritations will go away. Here's what you need to know…

Is This The End of Passwords?

Password rules have become so complicated that it may take a half-dozen tries to come up with a password that some system administrator deems acceptable. Password management software is now essential, with rudimentary functions even baked into browsers. Passwords consume an excessive amount of time and brain cells.

Just yesterday, I was creating a new account at a large insurance company website and was asked to provide a password "between 6 and 10 characters in length." What? All the experts have been telling us that strong passwords should be 12 to 16 characters. Why impose an arbitrary limit like that?

But a new standard approved by the World Wide Web Consortium (W3C) is being adopted and deployed by browser heavyweights Google, Mozilla, and Microsoft. Hopefully, it will ease your password pain. Let's take a look at how it will work.

Webauthn, also known as the Web Authentication API, is a bit of software that will allow developers to create software that authenticates a user’s identity without relying on passwords. When you visit a new site, it will recognize that you are a first-timer and offer you the convenience of the Web Authentication API, which works like this:

The end of passwords

Webauthn: enter a PIN or press your finger on the fingerprint reader.
You: Done.
Webauthn: Welcome!

Every time you re-visit that site and wish to go into restricted parts of it, you will need to perform the same “authentication gesture” that you did on the first visit. But a PIN is easier to remember than a strong password, and a finger is always at hand (sorry, couldn’t resist that pun).

Under the hood of Webauthn, the user’s device and the Web server he’s logging into use public-key encryption to secure their connection and to authenticate the user’s identity. Your authentication gesture becomes the seed that generates your unique pair of public and private encryption keys, stored on your device. Another key pair associated with yours is stored on the remote Web server.

Solving Multiple Security Problems

A new unique pair of keys is generated for every site you need to log into, eliminating the security problems of users who use the same password on multiple sites. Best of all, you don’t have to understand encryption jargon, how public and private keys come into play, or do anything more to help it along than enter a PIN or press a fingerprint reader!

In addition to fingers and PINs, tech-loving users can store their encryption key pairs on a Yubico Key, which looks much like a USB thumb drive.

It's important to note that those remote keys are useless without your local keys. If you're interested in those technical details, you can peruse Web Authentication: An API for accessing Public Key Credentials Level 1.

Another good thing about Webauthn is that because no passwords are used, your user credentials never leave your browser. Accordingly, they are not vulnerable to hacks or data breaches on the remote servers that currently store your usernames and passwords.

Chrome 67 and Firefox 60 will be released with the Webauthn API enabled by default. Both browsers are expected in May, 2018. Microsoft has not announced a date for Webauthn’s debut in the Edge browser, but it’s expected to not be far behind the other two browser giants. Apple’s Safari browser does not support Webauthn at this time, which seems odd because several Apple employees sit on the working group that came up with this standard.

Webauthn is already deployed at some major sites, such as Facebook and several Google properties. If you have not encountered Webauthn, it’s probably because you are not a first-time visitor who needs to log in.

Passwords will not go away completely for some time, but the death of passwords and all of their problems appears to be on the horizon. How do you feel about that? What could possibly go wrong with Webauthn? Your comments are welcome below...

 
Ask Your Computer or Internet Question

 
  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Email:

Check out other articles in this category:



Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 26 Apr 2018


For Fun: Buy Bob a Snickers.

Prev Article:
Geekly Update - 25 April 2018

The Top Twenty
Next Article:
Cybercrime and Secret Sauce

Most recent comments on "Will Passwords Ever Go Away? Maybe."

Posted by:

Lee
26 Apr 2018

What if you do not have a computer that can read the fingerprint?


Posted by:

Lisay
26 Apr 2018

I seem to have a physical problem with fingerprint readers. They only work for me about 50% of the time. If my hands are cold, or just washed, then the print does not register. I guess I am just not "electric" enough!


Posted by:

olamoree
26 Apr 2018

Hey Lee, then you can use a PIN which is only four digits long, 1234 and if you can select it, you can put in a "familiar" number.


Posted by:

Gene
26 Apr 2018

But will I be able to access the account from multiple devices?


Posted by:

John A
26 Apr 2018

Since I volunteer working with children, I get background checks every few years through the FBI and other agencies. The last few times I went through the process, my fingerprints weren't good enough for identification, and I had to supplement the fingerprint identification process. When I asked about this, I was told, "Oh, don't worry—at your age [87] it's fairly common that we can't read fingerprints." Where does that leave me on computer usage?


Posted by:

Mike Davies
26 Apr 2018

Fingerprints can be easily copied, as can your iris and voice. A good password is much more secure.


Posted by:

Linda
26 Apr 2018

In general, I like this. Passwords are a pain in the butt. But I would definitely use the PIN option. I think that Google, Microsoft, Facebook, Twitter, and the Internet in general already have way too much information about me without asking me to supply my fingerprint too!


Posted by:

RandiO
26 Apr 2018

1. Why does security always have to be about convenience, over simplification and instant gratification, for the masses?
Masses gave up personal communications and gravitated to facebook for these simple reasons. Then, these same masses did not take kindly to the recent big 'oops' moment w/facebook security breach and cried foul (publicly and/or privately). Even the Feds tried to tried to rake Zuckerguy over the coals, then moved on with their regularly scheduled programming.

2. "Passwords consume an excessive amount of time and brain cells."

3. "Passwords have been a thorn in the side of computer users for a very long time." Closest rebuttal that I can come to is the old adage about "if you think sex is a pain in the arse, you are probably doing it the wrong way!"

4. "...your user credentials never leave your browser" By association, I'll go one step further and deduce that it is a given assumption that google has the strongest and most secure servers, so that no one can get at your data but that data-farmer extraordinaire!

5. "...Apple’s Safari browser does not support Webauthn..."

Could I possibly be the ONLY monkey to refuse to own a 'smartphone' for such reasons?
Not even the banana phone (Nokia 8110 4g) looks appealing or appetizing to this monkey. Especially since such words as "facebook, twitter, googleMaps and googleAssistant apps" always seem to leave a bad aftertaste.
I had high hopes for Linux-based KaiOS (built from FireFoxOS fork's ashes), but it is also diseased by facebook/twitter/google genes!
I am sticking with KeePass with over 400 unique passwords.

Sorry for this aimless rant from a pedigreed EE, who has never aimlessly bought into the whole ‘technology for technology sake’ that has run amok.


Posted by:

Barnsley
26 Apr 2018

What could be easier logging on with face recognition. No two faces look the same and you wont forget it when visiting a site.


Posted by:

mike
26 Apr 2018

passwords WOULD NOT be such a CONSTANT, #$!@ING NIGHTMARE if only they would adopt standards for password criteria. one site requires one of these special characters, another has to be at least x characters long, it's absurd. i aughta be able to access everything with just 2 or 3 different passwords.


Posted by:

Phil
26 Apr 2018

I guess Webauthn will be the wave of the near future but personally I don't have a problem with passwords. I use a very good password program that can generate some seriously cool passwords. Here is what I do have a problem with.

Web sites that want to approve my password and follow their ridiculous set of password rules. After all, it's my password and my choice, not theirs. Then there are the sites (mostly government) that invalidates a periodically which inevitably makes me go through the password recovery process for no good reason. That means they will send me a text code. Great, my phone is in the basement at the moment.

It seems that everyone wants to be my nanny because I'm incapable of thinking and protecting myself and my family.

A company should have to email you if they are suspending your PW before they do it.

Mike is right. There should be a standard.

That's my big gripe with PW's


Posted by:

Mark H.
26 Apr 2018

Ironically, this was brought up just after I was notified that I had to change my DFAS password. I'm retired military and DFAs requires a new password every 150 days. 9-30 characters and no repeat passwords. Makes a password manager practically mandatory. Social Security has similar requirements and uses two-factor authentication. I don't see the feds jumping on this new tech in my lifetime. (I'm 64).


Posted by:

Christopher Sirr
26 Apr 2018

Problems with digital.

1. Suppose I get injured and both hands are wrapped in bandages. Neither I nor my wife, even with my approval, can gain access to my information. (Don't tell me there will be an option to take off my shoes).

2. Some people, because of physical disabilities, will need another system from the start.


Posted by:

Narada
26 Apr 2018

I'd feel a lot better hearing that privacy experts were a part of that Webauthn working group, which I doubt. These big data folks cannot be trusted to establish norms consistent with a life-positive culture, as it would lessen their control.


Posted by:

Frank Lobach
26 Apr 2018

If it is permanently in my browser what is to stop anyone else using my browser when I am not there?eg family, friends or burglars?What will stop anyone clever enough to hack my browser usurping my identity?I agree that all the different PW standards are ridiculous with the length,and makeup of PW's, not to mention the number of times I cannot get in when I try to enter a web site using a PW I KNOW IS CORRECT,(have carefully written it down in my PW book), then have to re-set it again time after time.Grrrr.(lots of gnashing of teeth)


Posted by:

Henry
27 Apr 2018

Seems like Webauthn would be EXTREMELY easy to hack through, based on your explanation. No, thanks, I'll stick with Dashlane.


Posted by:

James
27 Apr 2018

Phrases are great, and you can pick your favorite to confuse the heck out of hackers. Like: Mary had a little lamb. Or you can add: his (her nowadays) was white as snow, Or: Four (or four) score and seven years ago. Or add: our forefathers broth forth, etc. Or: as found on the tomb of the Unknown Solcier: God, if there is one, save my soul, if I have one. Pass phrases are difficult to crack, easy to remember, or you can ask a friend to remember a starter by enquiring what even took place here and there, just to get a bearing or a reminder. And, too they run beyond the 14 character passwords, that are easy to crack with the right software. Just sayin".


Posted by:

bobrice
28 Apr 2018

Amused how some require passwords changed after six months. So it's perfectly safe for five months and 29 days, but the next day it's suddenly unsafe?


Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.


Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML


Article information: AskBobRankin -- Will Passwords Ever Go Away? Maybe. (Posted: 26 Apr 2018)
Source: https://askbobrankin.com/will_passwords_ever_go_away_maybe.html
Copyright © 2005 - Bob Rankin - All Rights Reserved