The FIDO Alliance wants to use smartphones as a true mobile authenticator, but the proposal faces some obstacles.
For more than 10 years, the FIDO Alliance has been working to end password dependency. Now, the group has a new proposal in mind that enlists smartphones as roaming authenticators to sign into any account on any device, thereby leaving passwords in the dust.
But to take off, the concept needs cooperation from software providers, developers, and other industry players, presenting a challenge on its road to reality.
Made up of more than 250 companies in technology, healthcare and other sectors, the FIDO Alliance has long touted its password-less FIDO/WebAuthn specification, which relies on mobile devices, smart cards, and physical security keys as authenticators to log into accounts.
The group has even worked with member companies such as Microsoft, Google and Apple to integrate this type of technology across their operating systems.
The facial and fingerprint recognition capabilities built into Windows, iOS, and Android are based on FIDO2 standards — they obviate the need to use a password to sign in. The problem is that this type of password-less authentication is far from universally adopted. Unless all websites, applications, and accounts support and incorporate such a standard, people will still be dependent on passwords.
"I don't think the option of using passwords will disappear any time soon, but alternative forms of authentication already exist in the mobile world, such as face scans and thumbprints," said Tim Hinrichs, co-founder and CTO of Styra. "The real question is whether we see the option of password-less authentication working for web applications in the near future."
Sunsetting passwords
In a white paper published in March, the FIDO Alliance outlined a framework that would turn smartphones into a universal authenticator, a process that it believes could simplify password-less options and finally signal the death knell of the password as it is known today.
Smartphones already serve as conduits for two-factor authentication (2FA) whereby users receive a text or other notification to confirm a request to log into an account. But a 2FA notification sent via a standard SMS message is susceptible to phishing attacks.
To be effective, a password-less authentication method must be secured against phishing and other threats, it must be able to seamlessly follow users around from one device to another, and it must be supported and adopted universally by technology providers and consumers. FIDO's idea at least meets the first two criteria.
Under the group's proposal, a smartphone would store the necessary FIDO authentication keys to confirm user identity without the need for a password. Using Bluetooth, the smartphone would transmit the necessary FIDO credentials to the computer or other device to allow account access.
The method would turn phones into a type of smart card or security key, allowing users to log into any of their accounts on any device. Since Bluetooth requires a certain physical proximity, this technology would be resistant to any phishing attempts unless the phisher was sitting nearby.
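The challenge-response a phone would perform in that role, as an added illustration written for this article rather than code from the FIDO Alliance or its white paper: the Bluetooth hop is reduced to a function call, the rpID and origin values are constructed samples, and the Authenticator, Assertion, Register, Sign, Verify and ClientDataHash names are this example's own. It simplifies WebAuthn (no attestation, flags or signature counter, and clientData is a plain string rather than JSON) but keeps the two properties that make the scheme phishing-resistant: the key is scoped to one relying party, and the signature covers the origin the browser is actually on plus a fresh challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the phone: one ECDSA key pair per relying-party ID (rpID), no password anywhere.
type Authenticator map[string]*ecdsa.PrivateKey
// Assertion is what the phone returns over the (abstracted) Bluetooth link: AuthData is sha256(rpID), Sig covers AuthData || clientDataHash.
type Assertion struct{ AuthData, Sig []byte }
// Register mints a credential scoped to rpID; the relying party stores only the public key.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // error ignored for brevity
	a[rpID] = priv
	return &priv.PublicKey
}
// ClientDataHash is what the browser computes from the origin the user is actually on and the challenge.
func ClientDataHash(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}
// Sign answers a challenge for rpID, or reports ok=false when the phone holds no credential for it.
func (a Authenticator) Sign(rpID string, clientDataHash []byte) (Assertion, bool) {
	priv, ok := a[rpID]
	if !ok {
		return Assertion{}, false
	}
	rpHash := sha256.Sum256([]byte(rpID))
	msg := sha256.Sum256(append(rpHash[:], clientDataHash...)) // cap(rpHash[:]) == 32, so append allocates
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	return Assertion{AuthData: rpHash[:], Sig: sig}, true
}
// Verify is the relying party: it rebuilds clientData from ITS origin and the challenge IT issued, so an assertion made for another origin or challenge fails.
func Verify(pub *ecdsa.PublicKey, rpID, origin string, challenge []byte, as Assertion) bool {
	rpHash := sha256.Sum256([]byte(rpID))
	msg := sha256.Sum256(append(append([]byte{}, as.AuthData...), ClientDataHash(origin, challenge)...))
	return string(as.AuthData) == string(rpHash[:]) && ecdsa.VerifyASN1(pub, msg[:], as.Sig)
}

func main() {
	phone, challenge := Authenticator{}, []byte("constructed-challenge") // constructed sample input
	pub := phone.Register("bank.example")
	as, _ := phone.Sign("bank.example", ClientDataHash("https://bank.example", challenge))
	fmt.Println("genuine login verifies:", Verify(pub, "bank.example", "https://bank.example", challenge, as))
}
```

Because the relying party recomputes clientData from its own origin, an assertion the phone produced while the browser was on a different origin, or for a different challenge, is rejected even though the same key signed it.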
While claiming that the new "FIDO-based secure authentication technology will for the first time be able to replace passwords as the dominant form of authentication on the Internet," the alliance did acknowledge that challenges exist.
First, this method of authentication would require buy-in from all the major industry players. Operating system providers such as Microsoft, Apple, and Google would have to implement this new type of FIDO technology in their respective platforms. Browser makers, website providers, and app developers would have to support this new standard as well.
"FIDO Alliance's core purpose is to drive industrywide collaboration in development and adoption of open standards for simpler, stronger authentication," the FIDO Alliance said in a statement to Cybersecurity Dive. "Fundamentally, we want to encourage more service providers to move towards passwordless logins – which companies like Microsoft and eBay have already enabled for hundreds of millions of consumer accounts."
Aaron Cockerill, chief strategy officer at Lookout, said he believes the FIDO Alliance can simplify and strengthen authentication; however, the actual execution of such a standard would rely on collaboration among different entities.
"OEMs need to make use of a standard possible, software developers need to use those standards, and enterprise/consumer systems need to leverage them in their business practices," Cockerill said. "Unfortunately, everyone implements standards differently, which has made the area of authentication very complicated."
The question is whether the FIDO Alliance can rally the necessary industry players to take this idea seriously enough to at least try it out.
"If the FIDO team can convince a couple of key stakeholders, such as a browser vendor, an operating system provider, or an application suite, to trial the work, the proposed idea could snowball and eventually take off," Hinrichs said. "However, that takes a lot of coordination, time and resources."
Even more difficult, though, will be convincing people to try something new. Passwords are so ingrained that switching to such a novel form of authentication would demand a change in mindset on the part of consumers, who are typically resistant to change.
"The problem with replacing passwords is adoption," said John Bambenek, principal threat hunter at Netenrich. "Passwords are easy and cheap, and since consumers like easy and cheap, that's where everyone defaults. Ultimately it comes down to what end users will do and, when push comes to shove, they'll take easy and cheap over complicated and secure."