Last Friday, Samsung's new Galaxy S5 arrived with an unexpected and underhyped feature. Like the iPhone 5S, it came with a fingerprint reader, but this reader plugs directly into PayPal, which in turn connects you to dozens of different payment systems. It’s a clever trick: instead of a password, all you need is a fingerprint, carrying you through the entire web. If it catches on, soon you won’t need a password at all.
Of course, the S5’s fingerprint scanner might fail — by all accounts, it’s far from perfect — but that won’t be our only chance. Google is working on USB keyfobs that would log users into their Google accounts; they’re being tested internally, and should roll out before the end of the year. Microsoft wouldn’t name specifics, but also teased an "alternative to passwords" that’s based on the same spec.
It seems like luck, all the companies arriving at the same moment, but it’s just the opposite. This moment was carefully planned, built on top of a delicate standard that’s taken two years to construct. Since 2012, a group called the FIDO Alliance has been working on that standard, building a bridge between hardware projects like Samsung’s fingerprint reader and the online services they’re connecting to. The work has been helped along by some of the most powerful names in tech and finance, Google and Microsoft together with Valley outsiders like Bank of America and MasterCard. The nature of the spec makes it easy to plug into, so if Samsung strikes out with its fingerprint scanner, it can try again next year with an iris scanner or an NFC token.
It’s a plot to kill the password, one that’s taken years and millions of dollars to set in motion. And with the launch of the Galaxy S5, the first major phone to embrace the FIDO spec, the plot is underway.
The password's billion-dollar problem
The problems with the password are obvious. The login system was first designed for time-sharing computers in the ’60s, working on mainframes that took up an entire lab. To use the computer, you tapped in your login name and password, which told the computer who was sitting at the terminal and which files to make available. Stealing someone’s password was good for a practical joke, but not much else: there was only one computer where you could use it, and not much personal information on display once you’d broken in.
50 years later, the right password can get you almost anything. You can read emails, order a new TV, or hijack cloud-storage accounts until you’ve accessed or deleted every trace of a person’s digital life. You can do it from anywhere with an internet connection — effectively anywhere in the world — and it’s easy to hide where you’re doing it from. You can get the password from a data breach (most people still use the same password in multiple services) or just socially engineer a customer-service rep. It happens all the time. These hacks are personally devastating, and cost businesses billions of dollars every year. Two-factor authentication helps, splitting the password between two different systems and devices, but it's far from perfect; in the end, it just means attackers have to crack two codes instead of one. No matter how you try to fix it, you run into the basic insecurity of the password at the root of it all.
Around 2010, PayPal decided to do something about it. It started with a conversation between PayPal's head of security Michael Barrett, fingerprint security entrepreneur Ramesh Kesanupalli, and Taher Elgamal, the father of SSL and one of the most renowned cryptographers in the world. Kesanupalli wanted a new standard for fingerprinting, something that would let his print readers be used without an expensive database. Barrett wanted a stronger, easier way for PayPal to log in, and Elgamal, with his legendary cryptography background, was clearly the man to build it. Two years later, the group launched the FIDO Alliance, an open group trying to wean companies off passwords for good, funded by companies who thought they would benefit. The group launched in 2012 with PayPal and five hardware companies, but grew fast. Google signed on in April of last year; Microsoft followed suit in December.
The alliance is built on a simple, powerful idea. If web-goers logged into their computers with local fingerprint readers, sites could log them in automatically using a technique called Zero-Knowledge Proof. It’s a protocol for proving that a successful identification has been made, like a fingerprint or iris scan, without giving away any details of the fingerprint or iris in question. (It means that, in a Heartbleed scenario, attackers wouldn't get access to your actual fingerprint.) Using that protocol, a single local device could authenticate you to the entire web. In the age of the mobile web, you might not even need a new gadget. "Users have very high device affinity, and they tend to have devices with them a lot," says Barrett. "I’m looking around my office, and I’ve got within 5 feet of me, a smartphone, two PCs, and a tablet."
This is what we’ve seen on the S5: you’re not just using your fingerprint to log in, but a combination of the right fingerprint and the right phone. You’ve always got a finger and a phone, so logging in isn’t a problem, but the combination makes the security much, much harder to break. Either one can be duped individually (your phone could be stolen, your fingerprint could be copied), but duping both at once would be incredibly difficult.
And using Zero-Knowledge Proof, that authentication can be shared with any service you want to log into, whether it’s using a remote code or something more direct like NFC. It’s a line of thinking that’s also taken hold at Google. Mayank Upadhyay, the Googler directing the company’s authentication efforts, sees the keyfob as just the first step, moving towards a time when every login happens on a mobile device. "We believe longterm that it needs to be built into the thing that you're already carrying, which is your smartphone."
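The three ideas above (the print never leaves the phone, the service learns nothing about it even if its memory leaks, and a login needs the right finger and the right device together) can be made concrete with a small challenge-response exchange. The following Python is an added illustration written for this article, not code from FIDO, Samsung or PayPal, and it is not the FIDO specification: it uses the textbook Schnorr identification protocol as a stand-in for what the article calls a Zero-Knowledge Proof, with demo group parameters (P = 2**127 - 1, G = 3) chosen here rather than taken from any standard, and an exact salted hash standing in for a real, fuzzy fingerprint matcher. The class and function names are this example's own.

```python
import hashlib
import hmac
import secrets

# Group parameters for the demo (constructed here, not from any standard).
# P = 2**127 - 1 is a Mersenne prime; G = 3 is an element of Z_P*.  A real
# deployment would use a standardised prime-order group or an elliptic curve.
P = 2**127 - 1
G = 3
ORDER = P - 1          # exponents are reduced modulo the multiplicative group order


class Authenticator:
    """The phone side. Holds the enrolled fingerprint and a private key; neither
    ever leaves the device. Only commitments and responses are sent out."""

    def __init__(self, enrolled_template: bytes):
        # Real matchers are fuzzy; an exact salted hash stands in for them here.
        self._salt = secrets.token_bytes(16)
        self._template_hash = hashlib.sha256(self._salt + enrolled_template).digest()
        self._x = secrets.randbelow(ORDER - 1) + 1   # device-bound private key
        self.public_key = pow(G, self._x, P)          # the only thing the server gets
        self._k = None

    def _fingerprint_matches(self, scan: bytes) -> bool:
        candidate = hashlib.sha256(self._salt + scan).digest()
        return hmac.compare_digest(candidate, self._template_hash)

    def commit(self, scan: bytes) -> int:
        """Step 1: local biometric gate, then a fresh commitment R = G^k mod P."""
        if not self._fingerprint_matches(scan):
            raise PermissionError("fingerprint mismatch: key stays locked")
        self._k = secrets.randbelow(ORDER - 1) + 1
        return pow(G, self._k, P)

    def respond(self, challenge: int) -> int:
        """Step 3: s = k + c*x (mod ORDER). Reveals neither x nor the print."""
        if self._k is None:
            raise RuntimeError("commit() must run first")
        s = (self._k + challenge * self._x) % ORDER
        self._k = None                                # one-time nonce, never reused
        return s


class RelyingParty:
    """The service side (PayPal in the article). Stores public keys only, so a
    Heartbleed-style memory leak yields no fingerprint and no private key."""

    def __init__(self):
        self.registered: dict[str, int] = {}

    def register(self, user: str, public_key: int) -> None:
        self.registered[user] = public_key

    def challenge(self) -> int:
        """Step 2: a fresh random challenge per login attempt (defeats replay)."""
        return secrets.randbelow(2**128)

    def verify(self, user: str, commitment: int, challenge: int, response: int) -> bool:
        """Accept iff G^s == R * Y^c (mod P), i.e. the prover knew the x behind Y."""
        y = self.registered.get(user)
        if y is None:
            return False
        return pow(G, response, P) == (commitment * pow(y, challenge, P)) % P


def login(server: RelyingParty, device: Authenticator, user: str, scan: bytes) -> bool:
    """Full exchange: finger unlocks the key, server challenges, device proves."""
    try:
        commitment = device.commit(scan)
    except PermissionError:
        return False                    # right phone, wrong finger
    challenge = server.challenge()
    response = device.respond(challenge)
    return server.verify(user, commitment, challenge, response)


if __name__ == "__main__":
    finger = b"constructed-fingerprint-template"      # constructed sample input
    phone = Authenticator(finger)
    paypal = RelyingParty()
    paypal.register("alice", phone.public_key)
    print(login(paypal, phone, "alice", finger))          # True
    print(login(paypal, phone, "alice", b"someone-else"))  # False
```

Two properties are worth checking against the article's claims: the server's database holds only `public_key`, so dumping it gives an attacker no fingerprint and no way to answer a future challenge; and a captured transcript (commitment, challenge, response) is useless against the next login because the service picks a new challenge each time. A stolen phone without the enrolled finger never reaches the signing step, and a copied finger without the phone has no private key to sign with, which is the "both at once" property the article describes.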
The Touch ID problem
While FIDO has some powerful supporters, there’s one name that’s noticeably absent: Apple. The iPhone 5S’ Touch ID is still the most usable mobile fingerprint scanner we’ve seen, and it’s kept its distance from FIDO. The company behind the hardware, AuthenTec, dropped out of the consortium as soon as it was acquired by Apple, and since then, Apple and FIDO have developed their tech separately. While FIDO has kept its spec open, Apple has taken the opposite approach, keeping Touch ID closed off even from iOS developers. The current version of Touch ID can only be used to unlock the phone and log into iTunes, and it’s unclear how or when it will open up further. It’s a walled garden, and with the full force of the iPhone behind it, it could be a serious roadblock to FIDO’s plans.
But even if FIDO loses the battle for fingerprints, it could still win the larger war of authentication. The open standard makes FIDO easy to plug into, so if Samsung decides it wants to shift from a FIDO-compliant fingerprint scanner to a FIDO-compliant iris scanner, it would be as easy as swapping out the hardware. On the service side, PayPal never needs to know the difference. While the iPhone is locked into fingerprint-scanning for the next few generations, the rest of the industry can use whatever works. At the moment, that means eye scanners and USB keys, but it also means making room for tech that hasn’t been invented yet, like DNA scans or biorhythm markers. As long as the standard is open, it can accommodate anything.
They could still be wrong. The new generation of ID systems could flop, leading to a mass retreat and another 15 years of leaky logins. Consumers might find fingerprints and eye-scans creepy, or push back against the idea that they can’t log in from a friend’s computer. Like most ambitious schemes, it’s a bet — and there are dozens of reasons it might not pan out.
In the end, Barrett’s bet is that the new systems will just be too easy to pass up. What’s a fingerprint or a USB key, weighed against 30 passwords? Who could turn down an easier way to log in? FIDO might want something safer, but customers just want what’s easy. "Like water, they flow downhill," he says. "They flow to the point of lowest friction."