Part 1: Smartphone Manufacturers Quietly Lay the Groundwork
Passwords are the ultimate lose-lose. They simultaneously provide a poor user experience and represent a tremendous security risk. The high volume of passwords that users have is too difficult for most to remember. As a result, they use non-secure, easily guessed passwords or they reuse passwords, making all systems only as secure as the weakest one. Because of this, passwords are the leading attack vector used in data breaches. Enterprises have been well aware of these risks, but haven’t had a viable alternative. But change is in the air, and it’s been in the air for longer than you might think.
Leaders in a Passwordless Revolution
Few people think of our smartphones as being leaders in a passwordless revolution. Every time we reach for our smartphones, we hardly notice that they use passwordless authentication for secure access. Whether it is the latest Apple iPhones using “Face ID” facial recognition or the Samsung Galaxy mobile devices and their Ultrasonic Fingerprint scanner, these devices have quietly been changing how we authenticate. In effect, for nearly a decade, through the use of ubiquitous biometric sensors and subtle software tweaks, smartphone manufacturers have been conditioning us to adopt the mindset and habits required for fully embracing a passwordless future. These manufacturers have often positioned this as a convenience factor, but, in reality, they have been slowly making us more secure.
Apple and other smartphone manufacturers have been unobtrusively fostering this “movement” by eliminating the traditional barriers and inertia that prevented the removal of passwords. This process began with the use of biometrics in smartphones and has made its way to almost every device we interact with. In the past, biometrics were not widely used because sensors were pricey, often low quality, and awkward to implement. In addition to these business and technical issues, users were wary about biometrics for fear of sharing their private information.
Over the past 10 years, Apple and other smartphone manufacturers have pioneered the use of this security and privacy-preserving technology, which turns their devices into secure enclaves. As a result, biometrics have become ubiquitous. Today, the technology has evolved to a point where these new and improved sensors are widely available and inexpensive, making it easy and cost-effective for manufacturers to embed them into devices of every type. And equally important, the new generation of sensors, when paired with the right software, is so user-friendly and transparent that consumers don’t even think twice about biometrics anymore.
Smartphone manufacturers have paved the way for passwordless authentication and have made it habitual, and now people use these methods of authentication dozens of times a day without a second thought. This access technology has evolved from a vision into an everyday reality that is moving beyond the realm of mobile devices into other forms of authentication. Now software-based biometrics, which takes advantage of the high-quality cameras used in mobile phones, can allow for cross-platform biometrics without the need for special sensors.
The FIDO Alliance has been instrumental in driving passwordless authentication. (FIDO stands for “Fast IDentity Online.”) The stated mission of the open industry association is the promotion of “authentication standards to help reduce the world’s over-reliance on passwords.” The FIDO Alliance strives to improve authentication with open standards that are more secure than passwords, simpler for consumers to use, and easier for service providers to deploy and manage.
In Part 2 of this blog series, we’ll take a look at how the FIDO Alliance and other technology leaders have helped address the challenges associated with moving beyond the device for passwordless authentication.
Thanks to smartphone providers, this great functionality has gained broad market acceptance. How can you make use of it in your own applications? You’ll need to leverage an identity and access management (IAM) platform like ForgeRock. Check out Part 3, where we discuss our unique approach to passwordless authentication.