THE LONGER YOU SPEND on the internet, the more inevitable it is that your password will get stolen. The best case scenario there is that you reset the password and move on with your life. The more likely outcome is you have to spend a tedious evening figuring out everywhere that password was reused and changing those, just in case.
It's why we strongly advocate using a password manager, but a better solution would be ditching the password altogether. That's not something you can do unilaterally, mind, which is why the latest news from Google Android is quite exciting: the latest version of Google Play Services is adopting FIDO2. That's an open standard from the FIDO Alliance, which is looking to replace the password with biometrics or a PIN.
You may well have seen similar already if you've enjoyed the simplicity of logging into a banking app. As well as killing the need to remember a long and growing list of passwords, wide adoption of the standard has another benefit: data is authenticated on the local device and not transferred elsewhere, meaning that the worst effects of a data breach should be dodged.
"The important, often overlooked, part of this technology is actually not allowing users to use biometrics to sign in, but rather moving authentication from a 'shared secret' model - in which both you and the service you're interacting with need to know some 'secret' like your password - to an 'asymmetric' model where you only need to prove that you know a secret, but the remote service doesn't actually get to know the secret itself," Christiaan Brand, a security product manager at Google, told The Verge.
"This is better in many ways, as a breach of your data on the server side doesn't actually reveal anything that can compromise the keys you use to access the service."
That's also handy for the services themselves, of course, because if they adopt FIDO2 too, they likely become a hell of a lot less attractive to hackers looking for a password bounty.
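The difference between the two models comes down to what the server has to store. The following Node.js sketch is an added example, not code from Google or the FIDO Alliance: it is a simplified challenge-response that omits the origin binding, attestation and signature counters of real FIDO2, and all function names and the sample password are hypothetical.

```javascript
const nodeCrypto = require("node:crypto");

// Shared-secret model: the server stores material derived from the secret.
function enrollPassword(password) {
  const salt = nodeCrypto.randomBytes(16);
  return { salt, hash: nodeCrypto.scryptSync(password, salt, 32) };
}
// The stored record alone is enough to confirm a candidate secret offline,
// which is why a leaked password table has value to whoever holds it.
function recordConfirmsCandidate(record, candidate) {
  const h = nodeCrypto.scryptSync(candidate, record.salt, 32);
  return nodeCrypto.timingSafeEqual(h, record.hash);
}

// Asymmetric model: the private key never leaves the device;
// the server record holds only the public key.
function enrollDevice() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { device: { privateKey }, serverRecord: { publicKey } };
}
// The server issues a fresh random challenge for every login attempt.
function newChallenge() {
  return nodeCrypto.randomBytes(32);
}
function deviceSign(device, challenge) {
  return nodeCrypto.sign("sha256", challenge, device.privateKey);
}
function serverVerify(serverRecord, challenge, signature) {
  return nodeCrypto.verify("sha256", challenge, serverRecord.publicKey, signature);
}

function demo() {
  const pwRecord = enrollPassword("constructed-sample-password");
  const { device, serverRecord } = enrollDevice();
  const other = enrollDevice(); // a key pair that was never registered
  const c1 = newChallenge();
  const c2 = newChallenge();
  const sig1 = deviceSign(device, c1);
  return {
    passwordRecordConfirmsSecret:
      recordConfirmsCandidate(pwRecord, "constructed-sample-password"),
    loginOk: serverVerify(serverRecord, c1, sig1),
    // An old signature does not satisfy a new challenge.
    replayedSignatureOk: serverVerify(serverRecord, c2, sig1),
    // A signature from any other key fails against the stored public key.
    otherKeyOk: serverVerify(serverRecord, c2, deviceSign(other.device, c2)),
  };
}
console.log(demo());
```
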
Android users running version 7.0 and later of Google Play Services will be able to use their fingerprint on supported apps and services. If your device doesn't have a fingerprint reader, a PIN or swipe pattern can be used, though obviously, that's easier for someone to steal without surgical tools.