FIDO, OAuth2, and Your (almost) Passwordless Future
Most Passwords Will Be Going the Way of the Dinosaur
Since the beginning of the Internet, passwords have been, until recently, the only log-in method available. Passwords guard access to personal data – bank accounts, credit card accounts, Social Security accounts, and other government accounts – and they have been the only line of defense protecting our personal information and our money.
But that will soon change.
Password log-ins were flawed from the beginning. Not only were many people – save for those who use password managers – apt to forget passwords, but data breaches, phishing, malware, and other forms of trickery meant that miscreants could steal passwords en masse and use them to drain users’ bank accounts, rack up credit card debt, and sometimes even steal identities.
So, while getting rid of passwords – or going “passwordless,” as those in the know like to say – might seem bizarre and counterproductive, it’s going to be a good thing for most of us. Smartphones make passwordless log-in quick and easy, so right now it favors those with smartphones – and not everyone has a smartphone.
No smartphone? No problem!
But if you don’t have a smartphone, don’t worry. You won’t be left out of the loop. If your laptop, desktop, or all-in-one computer has a camera or fingerprint reader, you’re in luck.
And if you don’t have a fingerprint reader or a camera on your computer, you still won’t be out of the loop: you will be able to use FIDO security keys, which use credentials that are unique for every site and every transaction. It’s a bit more complicated than using a smartphone, fingerprint reader, or camera to access protected sites, but you will still be able to access them.
Introducing FIDO
What the heck is FIDO? It’s not a dog. Did anyone ever really name their dog Fido? FIDO has nothing to do with man’s best friend, but it may come to be everyone’s best friend in the not-too-distant future.
According to FIDO, it is the industry’s answer to the password problem. If you love to know as much as you can about everything (and that’s a good trait, you know), you can read all about FIDO here.
For now, we’re going to distill the information for you into some quick “wordbites”… which are “soundbites” without the noise. Before we get on with this, you need to know that FIDO is now FIDO2. Apparently we all missed FIDO and FIDO1, and we’re now into the age of FIDO2 – just so the following makes sense. The following is from the official FIDO Alliance website.
What is FIDO2?
FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.
The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).
Security
FIDO2 cryptographic login credentials are unique across every website, never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks.
Convenience
Users unlock cryptographic login credentials with simple built-in methods such as fingerprint readers or cameras on their devices, or by leveraging easy-to-use FIDO security keys. Consumers can select the device that best fits their needs.
Privacy
Because FIDO cryptographic keys are unique for each internet site, they cannot be used to track users across sites. Plus, biometric data, when used, never leaves the user’s device.
Scalability
Websites can enable FIDO2 through a simple JavaScript API call that is supported across leading browsers and platforms on billions of devices consumers use every day.
The FIDO Alliance even has a video you can watch to learn more about your (nearly) passwordless future.
But wait… What about email passwords?
Most email clients now support OAuth2. And now you’re thinking – there he goes again, throwing out more arcane acronyms. OAuth2 is not new. It’s not an authentication method; it’s an authorization method meant to keep your email account more secure. And before long you’ll be using it with your email program. And if your email program does not support OAuth2, you can still use that program, but you’ll need to create what’s known as an App Password that you’ll use instead of your email account password.
Yes, I hear ya! But, like a lot of technical stuff, it’s not as complicated as it sounds. These people like to use techno-speak. But really, it is as easy as following your email provider’s instructions for creating App Passwords and then copying and pasting the App Password they give you into your email program. It’s that simple.
Here’s what Auth0.com says about OAuth2 authorization (warning: the following contains some ‘geekspeak’, but don’t be daunted).
What is OAuth 2.0?
“OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user. It replaced OAuth 1.0 in 2012 and is now the de facto industry standard for online authorization. OAuth 2.0 provides consented access and restricts actions of what the client app can perform on resources on behalf of the user, without ever sharing the user’s credentials…
Principles of OAuth 2.0
OAuth 2.0 is an authorization protocol and NOT an authentication protocol. As such, it is designed primarily as a means of granting access to a set of resources, for example, remote APIs or user’s data.
OAuth 2.0 uses Access Tokens. An Access Token is a piece of data that represents the authorization to access resources on behalf of the end-user. OAuth 2.0 doesn’t define a specific format for Access Tokens. However, in some contexts, the JSON Web Token (JWT) format is often used. This enables token issuers to include data in the token itself. Also, for security reasons, Access Tokens may have an expiration date…
Is your head spinning? Don’t worry, it’s not as complicated as it sounds. If your email client supports OAuth2, then when you set up your email accounts in your email client, the OAuth2 authorization is set up for you automatically.
And if your email client doesn’t support OAuth2 yet, you can follow the email provider’s instructions for creating an App Password for each of your email accounts that require OAuth2 authorization.
Gmail has instructions on how to create App Passwords here. Yahoo has instructions for creating App Passwords here. Outlook/Hotmail do not yet require App Passwords, but you can bet the day that they will is not far off. And if you use Gmail in OE Classic, we created one of our notoriously easy “How-to” tutorials showing step-by-step how to use App Passwords for Gmail accounts in OE Classic, which you can view here.
So, now you know that a (nearly) passwordless future is on its way and it’s coming sooner than you think. And that’s a good thing as it should stop a lot of information and financial theft and a great deal of internet hooliganism.
What do you think?
PS: Please don’t name your dog Fido.
Wait! Before you go… Did you know?
We are supported by the services we offer and the very few select products we sell. But your generosity is what helps keep us going more than anything. We both want you to know how much we appreciate your help and how important your gifts are to our small company.
Every week we help dozens of people with their computers without charge or any expectation of payment. And we have helped many folks who have fallen for tech support scams or other scams designed to steal their money.
And we now depend more on readers like you to help keep us going. Your donation helps us to help more people with their computers and helps us keep everyone safer online.
Please help support our small business and help us to keep on helping you.
This is fascinating. I learned so much from reading this. Thank you for writing this!
Hi TC & Darcy
This is really interesting and would make life a lot easier. My question is, “Is this ready to go now – do the sites I want to go to need to be on board with this technology? Or is it just necessary for me to make the change?”
Would changing to this method make my password manager redundant?
I look forward to your response.
Many thanks
Rona Crosbie