FIDO2, biometrics, single sign-on: how to live without passwords

FIDO2, biometrics, single sign-on: how to live without passwords

The introduction of password-free technologies is a tactical move to support initiatives to strengthen information security, based on simplifying user actions. By removing a password as a primary authentication factor, laptops and PCs can be registered with biometrics, while for web applications this is likely to be FIDO2-based authentication.


Take a moment and try to remember your first time online or maybe the first session behind the terminal. The expectation that something is about to happen. You are prompted to enter your password. Your first password. What have you typed?

I have a slight nostalgia for my first passwords, I admit. After all, they meant something to me. A small piece of text, a secret that only I and my computer knew. But I was not the only one who chose such passwords. At the end of last year, enthusiasts found and cracked the first BSD passwords. We are talking about the early 80s. Two passwords surprised me. Ken Thompson used a chess move entry in a descriptive notation (p/q2-q4!). Clever. Eric Schmidt chose his wife’s name (wendy!!!) as the password. Delightful.

Usually I would come up with joking passwords. Sometimes I made promises to myself (saveMoney! – “saveMoney!” – and [email protected] More – “[email protected] Longer”). I bet you did the same thing. What has changed?

It makes sense to come up with a password when it is the first one. You can make jokes with two or three of the following ones. And what do you do when there are hundreds of them? Invent another unique phrase? What a boredom. Only an old, long known password can be worse (don’t tell me you don’t use them). Remember the original idea of password stickers that seemed at that time? Who would have a place on a monitor to put a hundred of these stickers?

I do not cook soap. I don’t pluck chickens. And I don’t invent passwords anymore. Today, most of my passwords are generated randomly. To be honest, I can’t wait for random passwords to be in the same place as home soap, acoustic modems and CRT monitors.

Let’s try to look into a steamless future.

When passwords are not needed

For passwords to disappear, they must first become less. Locally, you can set a password manager as a workaround. Centralized – single sign-on (SSO) registration system. The idea is to define the authentication processes to be used and then start reducing complexity.

Problems are waiting for us on this way. First, the task is not as simple as it seems. On average in corporate environment there are 191 passwords per user. It takes time to organize, evaluate and consolidate them. Secondly, passwords are still compromised. Although there are fewer passwords, they remain the same as they were – a long-term common secret as the main authentication factor.

It is possible to improve information security by eliminating passwords as the main authentication factor. For example, on laptops and PCs, it is possible to register with biometric data using Secure Enclave technology and Trusted Platform Module (TPM) for Touch ID or Windows Hello applications. For web applications, this is likely to be authentication based on the FIDO2 specification, which uses WebAuthn (Web Authentication) and CTAP (Client-to-Authenticator Protocol) standards. In the future, passwordless access will be implemented for all corporate options (hybrid, cloud, local, and legacy applications).

For users, a life without passwords means faster authentication with minimal costs. Criminals are faced with information technology where there are no shared secrets that can be copied, reproduced or cracked with brute force. And for administrators to live without passwords is to gradually find opportunities to use passwordless technologies and gradually implement them to the full satisfaction of users.

“Quick Wins and Long-term Perspectives-Free”


The strategy requires stimulating people and allocating resources to achieve the goal. As I wrote in the article “Thinking Strategically About Passwordless“, the introduction of password-free technologies is a tactical move to support information security initiatives based on simplifying user actions. Business projects are prioritized based on management guidance, results achieved, or effort required. Try to find support for your project by providing password-free access to key figures and adepts of information security. Consider granting password-free access to workgroups that require a large number of authentications or password changes – this will save time and expenses on technical support. And, of course, a good option for promotion would be to demonstrate a minimum of necessary efforts – as, for example, the introduction of applications that already support FIDO2.

It is not everywhere that passwordless authentication is implemented without problems. One example is the inability or unwillingness of staff to use biometrics. As we have recently seen, this can happen when personal protective equipment interferes with the recognition of faces or fingerprints. In addition, some people find it difficult to register these fingerprints. This is most often the case with senior staff. Another stumbling block awaits us where sharing equipment is the norm, for example, in operator centers. Many password-free solutions tie an employee to his device for strict authentication. This model does not work when several people use the same device. In such cases it is better to work with other models first, waiting for the next technical achievements.

Many standards require that a password and one or more additional factors are used for authentication. Of course, it can be argued that passwordless authentication provides the same level of security, but standards and auditors need time to absorb new developments. Now it is best to start negotiations with internal audit, in the meantime proving the advantages of passwordless technology in other areas.


In order for organizations to prepare themselves for the implementation of password-free technologies, we have published new information material: Passwordless: The Future of Authentication. In it you will find a description of the five stages of the transition to passwordless authentication.

Passwordless involves a gradual transition from password authentication to other methods. The ultimate goal is to improve the work processes of the employees, getting rid of many loopholes that criminals use today to gain access.

It is not everywhere that the transition to passwordless technologies will go smoothly. We are at the very beginning of the journey, and it takes time for infrastructure and staff to be prepared. But it is not so bad: we can engage in strategic planning and implementation of this transition at this time.

I don’t know about you, but I would be interested to see how my password will be cracked in 40 years. “What did he mean by Wdx8yJGzXXOuobE3?” – will be asked by an unknown hacker, wondering about the times when people had to manually enter the registration data.

Source: anti-malware.

WARNING! All links in the articles may lead to malicious sites or contain viruses. Follow them at your own risk. Those who purposely visit the article know what they are doing. Do not click on everything thoughtlessly.


0 0 vote
Article Rating
Notify of
Inline Feedbacks
View all comments

Do NOT follow this link or you will be banned from the site!
Would love your thoughts, please comment.x

Spelling error report

The following text will be sent to our editors: