Ditching Passwords: FIDO & SQRL

Everyone hates passwords. They’re the bane of our modern digital lives. Password managers have allowed us to create truly strong passwords, unique for every single one of our dozens of accounts. This was a big improvement and still the method I recommend for most people today. But the hope is still that someday we can find something better. Today I’m going to tell you about a couple promising options: FIDO and SQRL.

How Did We Get Here?

Why do we have passwords in the first place? When computers (and therefore computer accounts) were first created, there was no graphical user interface – there wasn’t even a mouse. The one thing you could count on having was a keyboard. And so to prove to the computer that you were who you say you were, we used alphanumeric secrets (aka passwords).

Who Are You?

Authentication mechanisms usually come down to one or more of the following methods:

  1. Something you know (password, PIN)
  2. Something you have (badge, cell phone)
  3. Something you are (fingerprint, face pattern)

Single-factor authentication would require just one of these; two-factor auth (2FA) would require two. That second factor adds a significant improvement in overall security (and you should use this wherever you can).

While most people think “something you are” is the Holy Grail (you can’t lose it or forget it!), it has several problems as a primary form of authentication. For one thing, it’s really more of a user ID (identification) than a password (authentication). That creates serious privacy issues. Second, you can’t change it. We’ve already seen how fingerprints can be copied from pictures and printed to fool scanners. Fingerprint databases have been stolen, as well.

There are two technologies that show some real promise as password replacements, however. They’re not new, but you’ve probably never heard of them. Like any good security standard, they need years of careful development and vetting before coming into common use.

FIDO (Fast IDentity Online)

Several major tech companies have been working on a standard method for replacing passwords. This collaboration produced FIDO, or Fast IDentity Online. How it works is very technical, but let me use a grossly oversimplified analogy to describe it.

I create a unique question with an answer only I could know. I give you the question – but I also give you the answer, locked in a box using a key that I keep well guarded. In the future, I meet you again. You ask me the question and give me the locked box. I unlock the box and read you the answer. Because a) I was able to unlock the box, and b) gave you the right answer, you believe that I am the same person who gave you that box in the first place.

Why bother locking the answer in a box and giving it to the other person to keep? Because FIDO devices don’t have much memory. They can’t physically hold all the answers for every site.

This standard is being used by some large companies and people who are big hacking targets, but the hope is that it will catch on for everyday users. The standard recently got a big boost when Apple joined the FIDO Alliance board. You can actually use it today, if you want: see YubiKey and Titan.

The main downside to FIDO is that it’s locked to a single device. This device is usually a little USB dongle that you can plug into a computer or sync wirelessly with a smartphone. But what if you lose this device or someone steals it?

SQRL (Secure Quick Reliable Login)

SQRL (pronounced “squirrel”) works similarly to FIDO, with a couple of key differences. First, it runs as a software application rather than as a physical hardware key. Your vault is protected with a password or biometric lock like FaceID or TouchID. This allows it to be run on and synchronized to multiple devices (computer, smartphone, tablet). SQRL also has a way to revoke your identity in case you lose control of one of your devices.

Second, SQRL doesn’t require the website to remember anything (no locked boxes containing answers). SQRL generates its answers based on a combination of the question and the official name of the website. This means that your password can’t be stolen by hackers in a data breach. (Though anything else they store, like credit card numbers, could be.)
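To make the “locked box” analogy and the SQRL-style per-site answers concrete, here is a small added example (not code from the post, nor from the FIDO Alliance or the SQRL project). The website stores only a public key (the box), sends a fresh random challenge (the question), and accepts a signature over it (the answer); the client derives each site’s key pair from one master secret plus the site’s name, so it stores nothing per site and a breach of the site yields nothing reusable. The master secret, the user name and the domains are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Server keeps only the "locked box": one public key per user, nothing secret.
type Server struct{ pubKeys map[string]ed25519.PublicKey }

func NewServer() *Server { return &Server{pubKeys: map[string]ed25519.PublicKey{}} }

// Register stores the public key handed over at enrollment.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge is the fresh "question": random bytes, so a captured answer cannot be replayed.
func (s *Server) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify checks that the answer (a signature over the challenge) opens with the stored key.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}

// SiteKey derives a per-site key pair SQRL-style: HMAC-SHA256(master, domain) is the seed,
// so the client keeps one master secret and every site sees a different, unlinkable key.
func SiteKey(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	m := hmac.New(sha256.New, master)
	m.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(m.Sum(nil)) // 32-byte seed
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	master := []byte("constructed master secret, not a real key") // constructed sample
	srv := NewServer()
	pub, priv := SiteKey(master, "example.com")
	srv.Register("alice", pub)
	ch := srv.Challenge()
	fmt.Println("login ok:", srv.Verify("alice", ch, ed25519.Sign(priv, ch)))
}
```

A key derived for a different domain, or an answer to an old challenge, is rejected, which is what makes the stored box useless to a thief of the site’s database.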

SQRL was created originally by a single guy (Steve Gibson) and has just been finalized with the help of several devotees. It will be free and open, though it remains to be seen if it will be adopted (and perhaps folded into the FIDO standard).

Bottom Line

Both of these mechanisms replace passwords with computer-generated secret keys that are WAY better than any password you could make up (and probably even better than a password manager could generate). The keys are held in a super-secure vault on some device you have to keep with you.

There’s a long way to go before FIDO or SQRL will replace passwords for the average Joe. But these technologies show promise and could be welcome relief for people who hate dealing with passwords. However, at the end of the day, passwords are still the only universally accepted method of authentication. When generated and stored using a good password manager, and combined with 2FA, they’re very secure.
