FIDO Passkey - Are Passwords Gone?

User authentication is the most unsolved problem of the Internet today. For 30 years we have been lost in the password jungle. Hardly anyone understands it or is able to navigate it. We hand out our passwords left and right, lose them, recover them, use 2-factor authentication on a single device, and so on. Web service providers keep trying to get more and more sophisticated, which very often works against them.

So is all hope gone?

Maybe not. The three Internet giants, Apple, Google and Microsoft, have just announced "Expanded Support for FIDO Standard to Accelerate Availability of Passwordless Sign-Ins". That sounds promising, but personally I'm a bit hesitant to call it a victory.

What is good is that they have declared they want to work together on an open standard and on cross-platform support for it. That is very good news, because regardless of whether the so-called FIDO2 will technically meet the challenge, with the commitment of the big three there will clearly be a FIDO2+ or FIDO3 that ultimately solves the password mess and leads us out of that jungle.

Reading the currently available specifications and observing the existing practices, I still have some technical doubts about the FIDO2 approach itself. FIDO2 relies on the proximity of a second trusted device (a phone), connected over Bluetooth to the web browser (on a PC) that is establishing the secure, authenticated web session. Sounds great on the surface. But there are some "buts":

  1. Bluetooth does not equal proximity. First of all, it can reach over a substantial distance, a few hundred meters. So consider an airport or a conference venue. Or even an office building. Are you the only person in proximity of your computer (in Bluetooth terms)? Certainly not.
  2. Bluetooth's Achilles' heel is starting a connection. Bluetooth basically has two modes of operation: connection-less and connection-oriented. The connection-oriented mode is the one most broadly used by computer accessories. The problem is that starting a Bluetooth connection takes time and has a significant failure rate. This is because the radio packet that initiates a connection is sent only once and may easily be lost in transit, and there is a fairly long timeout which must expire before a second attempt is made. Your keyboard or mouse, once connected, works flawlessly. But every Bluetooth mouse or keyboard fails to connect once in a while, leading to frustration. This is, by the way, why Bluetooth mesh does not use the Bluetooth connection-oriented mode: sometimes it just fails to start.
  3. Relay attacks. They are really difficult to protect against, and vanilla Bluetooth (version 5.3 at the time I'm writing this) has no protection against relaying a radio signal. Many devices, including proximity-activated cars, don't either. See YouTube on how easy it is.
  4. Single device. What if the web page that wants to authenticate me is opened on my phone? Is the same phone considered a proof of authenticity? That seems a bit of a stretch, although this is how it works today. I have this comedy almost every day when I top up my prepaid Revolut card (an app on the phone) with another bank's credit card. The Revolut app relies on Visa's "3D Secure", which triggers a notification that goes to the bank's app ON THE SAME PHONE, where I click "yes". All of this is protected just by my fingerprint. Hardly a 2-factor anything.
But yes, I believe the three companies and FIDO itself are aware of the challenges. So even if the passwordless future does not start tomorrow, it is good to see there are FINALLY signs that somebody has become serious about the problem.
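Independently of the Bluetooth proximity question, it helps to see what the passwordless part of a FIDO2 sign-in actually checks. The Go program below is an added example, not code from this post or from the FIDO Alliance: it models a simplified WebAuthn assertion (ES256, with attestation and the signature counter left out, and a hypothetical site example.com), so that a signature can only be produced by the device holding the private key, a reused challenge is rejected, and a signature made for a different origin or a different site's key fails verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Simplified FIDO2/WebAuthn sign-in assertion (ES256, no attestation, no signature counter):
// the site stores only a public key and the private key never leaves the authenticator.
// ClientData is the part of clientDataJSON the browser fills in (challenge kept as a plain
// string here; real WebAuthn base64url-encodes it).
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// NewCredential models registration: a fresh P-256 key pair per site, generated on the device.
func NewCredential() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// signedMessage is what WebAuthn signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return m[:]
}

// Sign is the authenticator side; authenticatorData = SHA-256(rpID) || flags (UP and UV set).
func Sign(priv *ecdsa.PrivateKey, rpID string, clientDataJSON []byte) (authData, sig []byte, err error) {
	h := sha256.Sum256([]byte(rpID))
	authData = append(h[:], 0x05)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, clientDataJSON))
	return authData, sig, err
}

// Verify is the relying-party side: accept only if the challenge it issued, the expected
// origin and the rpIdHash all match and the signature verifies under the stored public key.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, clientDataJSON, authData, sig []byte) bool {
	var cd ClientData
	want := sha256.Sum256([]byte(rpID))
	if json.Unmarshal(clientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge ||
		cd.Origin != origin || len(authData) < 33 || string(authData[:32]) != string(want[:]) {
		return false // malformed client data, replayed challenge, phishing origin, or another site's key
	}
	return ecdsa.VerifyASN1(pub, signedMessage(authData, clientDataJSON), sig)
}
```

The relying party never sees a secret it could leak: a breach of its user database yields public keys only, which is the property that makes the scheme passwordless rather than just a different password.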

Comments

  1. Fingerprint is the better way to activate the device; too many identity thefts attack U.S. citizens every day.
