What a password-free future will look like

What a future without passwords might look like

Lesson summary

Hi there everyone, it’s Jeff and this is Plain English lesson number 461. JR is the producer, and he has uploaded this full lesson to PlainEnglish.com/461.

Coming up today: What would a world without passwords look like? The FIDO Alliance has the answer—at least, it has published the broad outline of how this will work. It’s up to the tech companies to implement it. But for the first time, the real solution to ditching passwords appears to be in view.

In the second half of the lesson, we’ll review the English phrasal verb “pass along” and JR has a song of the week. Let’s dive in.

Toward a password-free future

On Monday’s lesson, you learned about the FIDO Alliance , a group of technology industry leaders. They’re all working together to improve authentication, the process of verifying your identity online and on devices. And last month, they released the technological blueprint for a future without passwords. If this comes to pass , you might never need to generate a password, use a password manager, or reset your password ever again.

Is this too good to be true? It’s still possible that something will go wrong. But the biggest players in the industry, including Google, Apple, and Microsoft, are convinced that this time it’s true. The plan announced by FIDO has a good shot at success.

I couldn’t explain all the technical details even if I wanted to, but here’s the main idea. Almost everyone has access to a smartphone, and smartphones have biometric authentication built-in. Users can open their phones—and verify their identities—with a thumbprint or with facial recognition. New computers have biometric verification, too, so anyone can use their thumbprints or faces to log into any computer they have permission to use. This is far more secure than just a password. To date , though, this added security only applies to opening a phone or computer; once we’ve opened the device, we have to rely on passwords to access other sites.

The new technology would let the operating system on your phone, computer, tablet, watch, or other device pass along authentication to the other sites you use. If you work for a big company, you might have heard of something called “single sign-on,” where one login unlocks a suite of services. This new authentication would be something like that. You sign onto your device with biometrics, and your device’s operating system will verify your identity with apps and external websites. In this way, none of your personal data is passed over the internet and into the servers of an external site, so none of your data can be stolen in this way.

Gone, then, would be the days of needing a password to use the PayPal app, a password to use your bank, a password for Spotify, a password for Plain English, and so on . Your passwords would never be stolen; you would never have to reset your password. If you ever have to use a shared computer, like at a print shop or a hotel lobby, you can log into your services with a thumbprint, without worrying that your password would be skimmed by the computer.

One thorny issue has been the replacement of devices. Let’s say you log into your Android phone and that single login provides access to all your other apps, without a password. Now let’s say you lose your phone. The thief won’t be able to access your data; he won’t have your thumbprint. But if your phone was the way you accessed all your other services, then you’re out of luck.

This was the final piece to come together. The FIDO researchers figured out a way to use Bluetooth to securely pass authentication along from one device to another. So go back to the example where you lose your phone. Now let’s say you log into your computer using your thumbprint. You can use Bluetooth to pass your authentication along from your computer to the new Android phone that arrives in the mail. Voila: in replacing your lost phone, your security wasn’t compromised and in just a few minutes, your new phone had all the apps you previously used. You can get on with your life.

You would follow the same process any time you get a new device, whether that’s a new computer, phone, tablet, watch, whatever. You would take a device you’ve already authenticated, and pair it with the new one.

But wait, you might be saying, what happens if you only have one device? That is one of the roadblocks to the new system. Many people have only a smartphone, so if they lose it, they’d also lose access to all their services until they could re-authenticate themselves on a new device.

There are also a lot of old devices that don’t have any type of biometric security. We’ve all had to go to a print shop, for example, or the computer in a hotel lobby. It will take a while for all the computers in the world to be replaced with ones that have effective authentication. And think of all the computers in all the businesses around the world: how many are still on Windows XP? All the operating systems would need to be upgraded for this to work one hundred percent of the time.

And that could be the biggest difficulty in transitioning. If this new technology can’t be used one hundred percent of the time, then passwords will persist as a backup way to authenticate users. And if passwords are always an option, then the average user might be too lazy to change, since they can always fall back on the tried and true system they know.

The new scheme also won’t eliminate all security vulnerabilities. For example, instead of having to trust dozens of services with small parts of your online life, now you’ll have to trust the platforms—Microsoft, Apple, and Google—with every part of your online life. That will be a net improvement, but not a silver bullet: no technology is perfectly secure. There will be fewer breaches, but if any vulnerability is exposed, the cost will be higher.

Second, the user interface has to be easy to use. While the underlying technology may have been sorted out with the FIDO research, it’s up to technology companies themselves to implement the new security in a way that doesn’t frustrate consumers. This starts with the operating systems like Windows, Android, and iOS, but it continues to all the consumer sites and platforms we use each day. If it’s hard, ugly, time-consuming, confusing, then people won’t do it.

Sign me up

I trust Apple to make this a seamless, user-friendly process; I’m not so sure about Microsoft. Microsoft always finds a way to build in an exasperating step that makes no sense.

I will be an early adopter of this; nothing drains my energy more than having to re-set my password. I have Windows 11 now, on my Plain English computer, and I’m going to start exploring ways to use biometric authentication. Microsoft, for example, announced that you can now log into all its services—Office online, Outlook online—without a password. I’ll let you know how it goes.