Are passwords dead? Let's talk about the future of authentication
The Daily Charge
Passwords can be a pain, but they're the best option we've got, right?
That may not actually be the case.
This is the Daily Charge.
It's Monday, March 9th.
I'm Roger Cheng and with me a special guest, Steven Shanklin.
And Steven, you led our CNET package looking at the future of authentication. What did you find?
Well, the bottom line is that passwords suck.
We all know they suck, but they don't just suck for us.
They suck for the companies that we're trying to log into: banks, Facebook, Google, whoever.
The good news is there's actually a lot of work to fix passwords, to improve the security that passwords use, and to actually replace them altogether.
So basically the computer industry is working its way out of this password hell that we all live in.
Well, so look, passwords.
Yes, I find that annoying, but they're basically everywhere.
They're ubiquitous. How do we get to a point where we can actually fully dump our passwords?
What are some of the technologies you encountered?
So there's a lot of work that is, you know, there are a lot of technologies that are available today, like some single sign-on things. You'll see login with Google, login with Apple, login with Facebook.
So those are some early steps.
The thing that's potentially more interesting is an alliance called FIDO.
This is a whole lot of technology companies, including Google, and Apple just joined them.
And they're working on technology that improves password login and eventually potentially replaces passwords.
The way that works today that's most interesting is with these little dongles called hardware security keys, and that really makes it much, much harder for somebody to breach your account even if they do have your password.
And those are the technologies that actually will let us replace our passwords completely later on.
So you talked a lot about these security keys.
Talk a little bit about how they work and why they're so much more secure than just your simple password.
All right, well, here's the deal.
So this is a look at one of these security keys if you wanna check it out.
It's a little USB thing that plugs into the side of your laptop or into the port on your phone.
[INAUDIBLE] Connect wirelessly, and it's something you have.
So when you look at multi-factor authentication, this is the idea that you're logging in with something you know, a password; with something you are, potentially biometrics like your Face ID or fingerprint ID.
And then with something you have, like a security key. So when you're combining two of those three things, you have pretty strong authentication.
These little security keys.
This is what one looks like right here.
These little security keys are actually instrumental in the login process.
So they will check the website that you're using so that you can't log into fake websites with your real password, and they really make it a lot harder for a hacker to get into your account.
Now I've got, so I've got a MacBook Air, which annoyingly does not have any traditional USB Type-A ports, and for a lot of folks, like, the idea of carrying around a physical thing, a dongle, to, you know, up your authentication, your protection.
That's kind of a tough sell. Like, how do you, how do you sort of square that with the need for security?
Well, a couple points, first of all that key I just showed you is a USB A key, that's the old style USB.
You can also get ones that plug into your PC, and this one is Lightning for your iPhone.
Okay, and then they also can connect wirelessly with NFC or Bluetooth.
So there are other ways that you can connect your laptop or your phone. But you're absolutely right.
This is a hard sell. These things cost anywhere between $20 and $70 for high-end models that are fancier, and you'll need at least two because you don't want to lose one or have it stolen and have your account access locked.
So yeah, it's a hard sell for a lot of people. But first of all, think of it like your house key or your car key. People are sort of used to that. It's not that much of a stretch for people to think, here is some important thing that I carry with me all the time.
So it's not a complete stretch to think that's [UNKNOWN] I bet a lot of people might use [UNKNOWN] But the other big answer is that newer standards from this [UNKNOWN] alliance mean you can actually use your phone instead of one of these hardware security keys.
Your actual phone can register as one of these keys, which means that you don't have to carry anything extra that you're not already carrying with you.
I know Google's already working to, or has already worked to, put this in Android. Has Apple, which you just said recently joined FIDO, have they asked what doesn't work with the iPhone as well?
Well, right now the apple situation is a little muddy.
So if you're logging into a website on an iPhone or an iPad, then this technology works fine as of just a few months ago. That's really very new.
But logging into an app is still much better on Android than it is on iOS.
We don't have any official word from Apple about when they might improve that access.
But my guess is it's on the way, since they're a pretty high-ranking member of this FIDO.
So that's a pretty strong signal that they support this technology.
So right now, it's a little bit better on Android than it is on iPhones, but the trajectory looks good here.
All right, you wrote a second story, a companion piece, about two-factor authentication.
This is, like, the idea that you have two ways to verify your identity, and you argue that's not as secure as you might expect.
I've been saying for years, folks, like, get to two-factor authentication.
That's the way to go when it comes to protecting yourself.
But you're making me look dumb.
So [LAUGH] can you break it down?
Why isn't it as secure as one might expect?
Okay, so the first thing to say about two-factor authentication is, it's still way better than just a password.
So it's still a big improvement, your advice is still pretty good, you're not looking dumb, but-
Not for this, at least, yes.
But the problem is that it's still not perfect.
So if you're using two-factor authentication with codes, there are two ways that usually works.
The first is you're getting an SMS code that your bank or somebody sends to you as a text message to your phone.
And the second way is with an authenticator app like Google Authenticator. Those technologies, they help a lot, but the problem is that a hacker can actually intercept those codes.
So what happens is the hacker will give you a fake website.
You'll enter your username in there, and then you'll get the authentication code.
You'll type the authentication code into the fake website, the hacker will then grab that authentication code and type it into the real website.
So basically, it's called a man-in-the-middle attack.
Basically the hacker can intercept those codes and use those codes to log in.
Another problem is called SIM swapping, where somebody actually gets access to your mobile phone account and therefore can read your SMS messages.
That's what happened to Jack Dorsey, the CEO of Twitter.
So basically these login codes are a big improvement, but they're still not as good as these hardware security keys, for your important accounts especially.
Alright, well, thank you, Steven, for spending time talking about passwords, the future of passwords.
We're back tomorrow with more, but if you think of any more good questions when we're off, leave us a voicemail.
Yes voicemail at 286-225-05173.
And if you want to learn more about today's topics, you can check the links to all today's stories in the description below the daily charge.
I'm Roger Cheng.
Thanks for joining us.