I know I am late for the show (World Password Day was yesterday), but I had no access to the machine I usually write on, so I’ll get this off my chest now. I will illustrate my complaints about the proposed system, as well as potential solutions.
Microsoft, Google and Apple have recently announced their great new scheme of abolishing passwords: FIDO credentials that live on your phone (and sync between your devices) instead of passwords you type. Their ultimate goal appears noble at first: if you have a smartphone, you no longer need to remember your passwords! When you try to log in, your devices will do the following:
- The laptop/computer looks over Bluetooth for a smartphone linked to it as yours
- If the phone is found nearby (the announced scheme uses a Bluetooth Low Energy proximity check, not a lookup of the phone’s MAC address), your phone receives a push notification asking if it is you who is trying to log in
- If you push yes, your phone authenticates you and you’re on your way to the latest memes
Sounds nice, right? If I told my dad that he’ll never need a password, it would be a dream come true for him! Everything comes at a cost, though, and I will do my best to explain my issues with this setup.
The first issue is obvious to anyone who read the previous point. If I need my phone to authenticate me to a service, but my phone runs out of battery, as it often does, I’m out of luck. I have a confirmed story of someone being locked out of their car due to a dead phone battery. If only there were a device that runs on a long-life battery and serves only the purpose of opening cars!
“Just charge your battery!” I hear you cry. That is true, I can charge my battery, and with modern phones charging as fast as they do, in 3 minutes I can have the issue remedied. What you cannot remedy in 3 minutes, however, is an unexpected wash and rinse for your phone or an unscheduled drop test. What if your phone takes a dive in the toilet or lands on an unfortunate bit of pavement, cracking your screen? With one fell swoop, you are immediately locked out of all your accounts (including the Amazon account you’d buy a new phone with). The announcement does say the credentials sync through your Google, Apple or Microsoft account to a replacement phone, but that recovery only helps if you can still get into that account from some other device.
To develop a secure phone-as-the-only-factor setup, we would need the device to adhere to strict security standards. Unfortunately, what Microsoft and Google seem to have missed is that not all people have the latest Pixel 6 Pro running stock Android 12. Most people I know are on Android 11 or 10, sometimes even Oreo, and why? Their phone is working and they do not want to switch. Am I supposed to expect Google to say “Hey, corporations, we know you haven’t been pushing our security updates since 2019, but could you push this one update that enables the phone to be used by old Mr Jenkins to log into his Facebook account?”
Knowing corporations, which is more likely? Pushing updates to end-of-life devices, or pushing people to upgrade their devices? I think the answer is clear.
Moving from phones themselves, let us talk some more about the OS. Android gives users the option (if the stars align) to install custom ROMs. These require an unlocked bootloader, but in return let users get rid of Google’s bloatware. I have a phone like that, degoogled LineageOS, and I am happy with my setup. One thing I love about it is the lack of push notifications. Yes, you read right, I like not getting push notifications on every Twitter post and e-mail I get. Consciously checking my e-mail allows me to focus fully on work when I need to.
If I can’t get push notifications from Google, how am I expected to get the notification asking me to confirm my presence?
Would you believe me when I say I turn off my Bluetooth when not in my car? Call me crazy, but I do. “Bluetooth beacons” exist and are widely used in marketing. You walk past a billboard or walk into a store, and suddenly, your phone knows exactly what products you are browsing, to push discount coupons or targeted ads when you walk home and turn on your computer.
In short, if you have Bluetooth on, chances are you will magically see products you look at in a physical store, without even mentioning or searching for them beforehand.
With this in mind, let us say that you keep Bluetooth on because you don’t mind the ads that much (or use ad-block) and Bluetooth is useful for those dank earphones you really love. Okay, reader, yeah okay, but I just can’t imagine that being my future. One more thing: if this idea goes live, now it’s not only marketers who will see your device and push their shit. It will be every laptop with Bluetooth on, just in case a user wants to log in and needs a proximity check.
Apple already uses every iPhone nearby to run the Find My network that AirTags ride on; do we want Windows to collect all data all the time from Bluetooth?
Speaking of Bluetooth…
My laptop doesn’t have it. And I guess unless your machine came with it, or you needed it and bought a USB dongle, you don’t have the capability to use Bluetooth. Simple, right? This issue may be solved by using a different connection. Why not check the public IP of the phone? If the phone and the laptop have the same public IP, they can be assumed to be on the same network, and a notification can be pushed. This may be about as reliable as Bluetooth, but a shared public IP (carrier-grade NAT, the café’s Wi-Fi) only says that two devices sit behind the same router, so we lose the physical-proximity check that Bluetooth gives us.
In case my passwords get leaked and I catch wind of it, I believe we can all agree that the first thing to do is to change the password. However, how will you change your phone if it gets stolen? Oh, simple, you just log into your account and… oh, wait.
Something you know cannot be physically stolen from you (it can be phished or leaked, but then you change it), barring rubber-hose cryptanalysis (where you beat the password storage, i.e. the person, with a rubber hose until they cry and tell you the password). A phone? Those get stolen every day! And if you have your phone unlocked at the time it gets stolen, you’re no less than fucked. Sure, there is supposed to be a PIN, passcode, or biometrics, but will that PIN be that difficult to guess?
If you have a secure password on your phone, you probably don’t need this new no-password approach.
Now that I have spent about 1100 words bitching about passwordless issues, I wouldn’t sleep well if I did not propose some solutions and improvements on the current password situation.
Passphrases are better than passwords. That much has been said so many times before that it’s not worth re-addressing (check out my post if you want to know more). But to shorten it down:
- A simple, alphabet-only passphrase will be more memorable than random characters
- A passphrase will usually be longer than random characters
- A passphrase may be harder to crack than a random-character password (depending on its length and on the size of the word list it is drawn from)
If users get more accustomed to passphrases, it’s immediately going to be better than short passwords. Furthermore, password managers can be a life-saver, because you only have to remember the passphrase for that!
To close this: Use a passphrase, use a password manager.
The second improvement may sound ironic, but MFA should be a must-have, be it text message (the weakest of the lot, given SIM swapping), a 2FA application on your phone, or anything else. These share the same dependence on a working phone as the solution proposed by Google, Apple and Microsoft, but there is a better solution: a USB dongle.
If you have used something like a YubiKey before, you know what I am talking about. It’s a simple USB key with a button. To authenticate to a website, you just plug it in, put in your password, and when asked for the second factor, you push the button. The touch proves a human is present, and the key answers a challenge from the site with a signature from a private key that never leaves the device, so only your key can unlock your accounts. The signature is also bound to the site’s origin, so a phishing site cannot replay it elsewhere.
This is precisely everything that the big boys want: authentication that is based on what you have, not on what you know. There is also the added benefit that something like a YubiKey never runs out of battery; it draws its power from the USB port. Moreover, many models also speak NFC, so your phone can get the benefits of 2FA without actually having a full-sized USB port!
You cannot clone a YubiKey (the private keys never leave it, which is the whole point), but you can register a second key with every account as a backup, in case the first gets stolen/lost/misplaced! There is also almost no way a YubiKey can be remotely hacked, since it has no network connection of its own; even NFC only works at a few centimetres. Combine that with a passphrase (not even a long one at that point, to be honest) and you can rest quite easy.
The FIDO2 standard (the W3C’s WebAuthn API in the browser plus the FIDO Alliance’s CTAP protocol between browser and authenticator) is what this new scheme is built on. That is all well and good, if only more sites used it. Only one bank I know uses hardware keys for the second factor, and that goes only for corporate bank accounts.
How does Google expect me to take their proposal seriously? Will they force my bank to stop using a proprietary app that I cannot use without Google Play Services and replace it with a scheme whose phone side I equally cannot run without Google Play Services?
This has been my late-night venting on a few things I think of Google, Microsoft, and Apple. This post has been written on a Linux laptop, pushed to a Linux server, and tweeted about on a degoogled Android phone. You make up your mind what I think of those companies.