How First Citrus Bank got rid of employee passwords

Security experts have long bemoaned the endless array of problems that come with passwords: they are either easy for criminals to guess or hard for people to remember, they get reused across sites, and they are constantly being stolen. Until recently, there has been no practical way to get away from them.

Even the fingerprint or facial scanners on phones, which make it possible to log into your Dropbox or PayPal account without typing in your password, don't do away with the passwords themselves. The passwords are still there: they are used when you first set up the app, and again when you want to log in from another device or browser.

Things are starting to change, however. In March, the World Wide Web Consortium (W3C) approved the WebAuthn standard, a joint project with the FIDO Alliance, which allows for passwordless authentication on the web using authentication mechanisms such as the fingerprint reader on a smartphone. All major browsers support it, including Chrome, Firefox, Microsoft Edge and Safari. So do Android phones and Windows 10 computers.

The idea is that the secret stays on the device. A fingerprint, face or voice template is stored locally, on the phone, and is never transmitted to the website. The phone verifies the user locally, then proves the login to the website or application by signing a one-time challenge with a private key it created for that site when the account was registered; the site checks the signature with the matching public key it stored. Because the key pair is tied to the site's domain, a signature produced on a look-alike phishing page does not verify for the real site. The system isn't perfectly secure. Fingerprint and facial recognition can be spoofed, and a hardware token like a USB security key can be stolen, which is why passwordless setups require the key itself to check a PIN or fingerprint before it will sign. It is still a significant improvement in security over the traditional user account and password approach to authentication.

Read full article at CSO magazine.