WGNO

A future without passwords may be closer than you think

ST. LOUIS (KTVI) — Hate trying to keep track of all your passwords? They may one day be a thing of the past.

Advances in biometrics, multifactor authentication (MFA) and other technologies are slowly making them unnecessary.

Scott Schaffer, chief information security officer with Blade Technologies, explained that between the late 1990s and early 2000s, a six- to eight-character password was all that was needed to protect a system. He said it could take years to crack a password of that length.

There are now more powerful computers and more advanced algorithms that can crack an eight-character password in less than three hours.

Schaffer said more recently, he has advised clients to use a password manager and have a longer, unique password for each website. However, he said, even a 12- to 15-character password won’t be enough against the more powerful computers that are around the corner.

So what does a world without passwords look like?

Schaffer points to a future with Version 2 of FIDO (Fast Identity Online), or FIDO2.

The technology lets individuals authenticate themselves with a digital unlock system, such as Face ID or Touch ID on a smartphone, or a voice or PIN on a device. The framework works across Windows, Mac, and Android. This would only have to be done once.

After your device has been authenticated, a private cryptographic key stored in the machine’s Trusted Platform Module (TPM) “handshakes” with a public cryptographic key used for a website or application.

Schaffer said the technology makes it possible to use a smartphone or security key device to log into sites and transact without ever entering a password because no password exists.
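The key "handshake" described above can be sketched in Go as a challenge-response signature; this is an added illustration, not code from FIDO2 or from Schaffer, and the function names and the `bank.example` origins are constructed for it. It is simplified (real FIDO2 signs a richer structure and keeps the private key in hardware) and goes one step beyond the article by showing that a signature made for a look-alike site, or for an earlier challenge, does not verify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Register makes a per-site key pair; the site stores only &key.PublicKey.
func Register() *ecdsa.PrivateKey {
	return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
}

func NewChallenge() []byte {
	c := make([]byte, 32) // fresh random value the site issues per login attempt
	must(rand.Read(c))
	return c
}

// digest binds a signature to the origin the device saw and to one challenge.
func digest(origin string, challenge []byte) []byte {
	sum := sha256.Sum256(append(append([]byte(origin), 0), challenge...))
	return sum[:]
}

// Sign runs on the device after the local unlock (face, fingerprint or PIN; not modelled).
func Sign(key *ecdsa.PrivateKey, origin string, challenge []byte) []byte {
	return must(ecdsa.SignASN1(rand.Reader, key, digest(origin, challenge)))
}

// Verify runs on the site and needs nothing secret, only the stored public key.
func Verify(pub *ecdsa.PublicKey, origin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(origin, challenge), sig)
}

func main() {
	site, key, c := "https://bank.example", Register(), NewChallenge()
	fmt.Println("login:     ", Verify(&key.PublicKey, site, c, Sign(key, site, c)))
	fmt.Println("look-alike:", Verify(&key.PublicKey, site, c, Sign(key, "https://bank-login.example", c)))
	fmt.Println("replay:    ", Verify(&key.PublicKey, site, NewChallenge(), Sign(key, site, c)))
}
```

The site never holds anything that can be typed into another page: what it stores is a public key, and each signature is only good for one challenge from one origin.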

“If we know that every big ransomware or any big email spoofing thing always is going after somebody’s password,” he said. “So if you don’t have a password, that means you can give it up.”

The TPM is a physical chip on the main board of your device. The TPM chip cannot be modified and is not accessible outside of the device it is on. That means even if the chip is pried off, you are protected.

All the major players in the tech industry have signed onto the concept, but the migration to a password-free future won’t happen overnight.

However, Schaffer said it’s not a question of whether it’s coming, but rather of when.

“The quicker we can get rid of passwords, the better it’s going to be for all of us, obviously,” he said.