The end of passwords? Hopefully.

Finally. Finally, formal standards have been published by the FIDO Alliance, whose aim is to do away with passwords through the use of techniques such as two-factor authentication and USB devices, and whose member list reads like a who’s who of big names: Google, Microsoft, Bank of America, Alibaba, ARM, Qualcomm, PayPal and Samsung, among many others.

I have been tired of passwords for quite some time, as you will learn or already have. Not only are you expected to have different passwords for everything, you are expected – in what I feel is the most repellent, counterproductive IT policy of all time – to change them every 90 days or so. Not only that, you can’t change them to something similar to the past five passwords you have used, and they have structural requirements involving length, letters, numbers; it goes on and on and on. The result is that we end up re-using passwords that are easy to remember. Don’t believe it? Here you go:

Bad passwords

It has been clear for quite some time that passwords are cumbersome and ineffective. As they have become more troublesome and more difficult to manage, even when using a password manager such as KeePass, and as more restrictions and requirements have been placed on them, tools have been developed to supersede them. We have biometrics such as fingerprint readers, and we have devices that display a unique number every time you log in.

Two-factor authentication uses two of the factors that are generally accepted as identifying a person: something you know (e.g. a password), something you have (e.g. an app that displays a code), and something you are (e.g. biometrics). Combining two of those is considered a robust means of identifying an individual, much more so than just one factor. A biometric device coupled with a number-generating token would be great.
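To make the "know" plus "have" combination concrete, here is an added example (not from the original post or from FIDO) that checks a password and a code-displaying app together. It assumes the app implements the standard time-based one-time password scheme (RFC 6238); the function names and the sample account are constructed for illustration.

```python
import hashlib, hmac, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: one-time code from a shared secret and a counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238: HOTP keyed on the current 30-second time step."""
    return hotp(secret, int(now // step))

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_two_factor(user: dict, password: str, code: str, now: float) -> bool:
    """Succeed only when BOTH factors check out; a code is usable once."""
    # Factor 1, something you know: constant-time compare of password hashes.
    knows = hmac.compare_digest(hash_password(password, user["salt"]),
                                user["pw_hash"])
    # Factor 2, something you have: allow one step of clock drift either way,
    # but never a step at or before the last accepted one (replay protection).
    current, matched = int(now // 30), None
    for step in (current - 1, current, current + 1):
        if step > user["last_step"] and hmac.compare_digest(
                hotp(user["totp_secret"], step).encode(), code.encode()):
            matched = step
    # Both checks always run, so a failure does not reveal which factor was wrong.
    if knows and matched is not None:
        user["last_step"] = matched
        return True
    return False

# Constructed sample account; the secret is the RFC 6238 test key, not a real one.
SALT = b"constructed-salt"
USER = {"salt": SALT, "pw_hash": hash_password("correct horse", SALT),
        "totp_secret": b"12345678901234567890", "last_step": -1}

if __name__ == "__main__":
    code = totp(USER["totp_secret"], 59)
    print(code, verify_two_factor(USER, "correct horse", code, 59))
    print("replay:", verify_two_factor(USER, "correct horse", code, 59))
```

A stolen password alone fails the second check, and a captured code alone fails the first; that is the property the paragraph above describes.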

The FIDO Alliance has such high-powered members that I feel I can finally see some light at the end of the password tunnel, and some of its members are even saying the days of passwords are coming to an end. This standardization, I’m hoping, has real weight behind it, and we can perhaps start thinking about, if not phasing out passwords, at least having other options.