Password alternatives exist, but a password-free future could be slow in coming
Most people use at least slightly different passwords to authenticate their multiple e-mail, financial, and social media accounts. For some, that means dozens of passwords to remember. Anyone with an online account likely knows how frustrating it can be when you forget your password and have to reset it to gain access. And if resetting is not possible, you find yourself locked out of your account.
To make things worse, no password is totally secure — and not just from brute force guesswork. Passwords are stored not just on your device, PC, or wherever else you keep them, but also on a server that needs to authenticate them in order to grant you access. Even if you keep your password entirely safe, hackers can still attack a server that stores your password and steal it.
That’s not all. You can be tricked into giving a password away by crooks who go phishing in search of Personally Identifiable Information (PII) in order to gain access to confidential accounts and commit financial fraud or identity theft. Phishing attacks are normally launched via e-mail, text message, or a phone call.
This explains the all-too-familiar suggestions to create passwords that are long, complex, and use a combination of letters, numerals, and symbols; to change passwords at regular intervals; and to use different passwords for each online account. We are also frequently reminded to use spam filters, be careful about opening e-mail from unknown or untrustworthy sources, and about responding to phone calls and text messages.
There are some caveats
Some experts, however, caution against changing passwords frequently. Users tend to make minor changes to existing passwords and often weaken them in the process. The National Institute of Standards and Technology (NIST) no longer considers forced password changes a best practice — they did away with that recommendation a few years ago.
Many experts suggest using a password manager to enhance password security. A password manager is essentially like a locker that can hold all your passwords. You can lock it using a master key. With a password manager, you need to remember only one complex password. Password managers enable the user to generate very complicated passwords that are difficult to crack.
Password management software, however, is not totally without risk. With a password manager, all credentials tied to a given individual are stored in a single location. If you forget your master password, then you’ve lost access to everything at once. The possibility of a password container being hacked also cannot be ruled out — which would compromise all of your passwords at once.
Multifactor authentication, which involves providing other data in addition to a password, can help improve password security to some extent. Other authentication factors in use are SMS-based codes, e-mail verification, and notifications asking the user whether he (or she) is trying to log in. Multifactor authentication can, of course, be added to your password manager for improved security.
In addition to creating complex passwords, using phrases — typically much longer than a password, harder to crack, and easier to remember — is also in vogue. Neither of these solutions guarantees total security, but you will be more secure than those who use the same simple passwords for all or most of their accounts.
Time to shake things up?
Many security experts believe that the best way to deal with the questionable security of using passwords for everything is to stop using passwords for everything. But are we ready to do away with passwords altogether? Despite the emergence of more secure and convenient methods of authenticating access, passwords are still the primary technique of authentication.
Most people would probably celebrate having a simpler way to start their workplace computer, or access their bank account, or shop on Amazon, than being tied to a password. And password security, as discussed, is problematic at best. So why are we all still walking around with page-long lists of passwords to keep track of?
The password is still the most widely used authentication technique because it’s easy for providers of various web services to add password capability to websites, making passwords the most extensively available means of authentication across mobile and PC environments.
Also, we’ve essentially always handled authentication this way … and change tends to be complicated, worrisome, and slow. That said, it’s not like there are no other options. A lot of creative password replacements are already in use, and others are in development.
In 2004, Microsoft founder Bill Gates, speaking at the RSA Conference, observed that passwords were not capable of fully securing sensitive information and that users would eventually switch to other means of authentication. More recently, the Defense Advanced Research Projects Agency (DARPA) put out a request for research proposals on developing biometric authentication technology.
Today, access on some fronts has already changed. Using something we know, such as a password or a PIN, is one method of authentication. Another technique relies on using something we have, such as a token, document, or a card. A user can also authenticate by means of a biometric feature, such as a fingerprint, face, iris, palm, or voice — using something they are.
Biometric authentication is based on the unique biological attributes of an individual. This biological data is stored on a database. When a user provides his biometric identification, it is compared by a biometric authentication system to authorized data stored in the database. If the biometric features match those of an approved user, access is granted.
These authentication alternatives offer users security and convenience. They are more secure because they can’t be cracked or phished while stored on the user’s device (or on a server). Password alternatives, such as a token, a biometric, or a wearable, are also convenient because the user doesn’t need to remember them, unlike multiple passwords.
Biometric authentication is far more secure than traditional passwords because you can’t forget biometric particulars. Also, biometric data generally can’t be easily stolen or swapped, or convincingly faked — outside of movies and television, anyway.
Biometrics have been in use for some time in the military, law enforcement, public security, civil identification for elections, verification of citizens and residents, and identification of travellers, passengers, and migrants. The electronic passport is an example of a biometric-based travel identification document.
More recently, use of biometrics has increased in the workplace and in the healthcare industry. There’s been significant growth in the use of biometric authentication in the online commerce, retail, and banking industries. This will hopefully reduce the number of online payment frauds.
Another option for user authentication is FIDO, an open set of standards developed by the Fast Identity Online (FIDO) Alliance, a group of hundreds of companies across multiple industries on a joint endeavour to develop a secure and convenient replacement for passwords.
The FIDO Alliance was founded in 2012 with a mission to replace passwords with “an open, scalable, interoperable set of mechanisms” for a secure alternative means of authentication. According to FIDO, passwords are “the root cause of (more than) 80 percent of data breaches” and more than half of all passwords are reused. There’s also a hidden cost to retailers, as 33 percent of all online purchases are abandoned due to forgotten passwords.
The current standard, FIDO2, enables easy and secure access without a password. FIDO2 is secure, convenient, private, and scalable. Rather than a password being matched on a server, all login credentials are stored on the user’s device.
FIDO2 is convenient because users don’t need to remember passwords: They simply use a camera or fingerprint reader on their device, or FIDO2 security keys to unlock login credentials, depending on what suits them. Privacy of the user is protected because FIDO cryptographic credentials are unique for each online service, which means users cannot be tracked across different websites.
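A simplified model of the FIDO2-style login described above, added here as an illustration and not code from the FIDO Alliance or the original article: the device keeps one private key per site, the site stores only the matching public key, and login is a signed one-time challenge. The class names, the `shop.example` and `bank.example` sites, and the user `alice` are constructed for the example, and the signed bytes are a simplification of the real WebAuthn format.

```javascript
const crypto = require('node:crypto');

// Signed bytes: hash of the site id plus the server challenge (simplified, not the WebAuthn layout).
function signedData(rpId, challenge) {
  const rpIdHash = crypto.createHash('sha256').update(rpId).digest();
  return Buffer.concat([rpIdHash, challenge]);
}

class Authenticator {            // hypothetical model of the user's device or security key
  constructor() { this.keys = new Map(); }   // site id -> private key, stays on the device
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.keys.set(rpId, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // all the server receives
  }
  sign(rpId, challenge) {
    const key = this.keys.get(rpId);         // no credential for this site -> nothing to sign with
    return key ? crypto.sign(null, signedData(rpId, challenge), key) : null;
  }
}

class Site {                     // hypothetical model of the online service
  constructor(rpId) { this.rpId = rpId; this.users = new Map(); this.pending = new Map(); }
  enroll(user, pem) { this.users.set(user, pem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user);   // each challenge is accepted once
    const pem = this.users.get(user);
    if (!challenge || !pem || !signature) return false;
    return crypto.verify(null, signedData(this.rpId, challenge), pem, signature);
  }
}

function demo() {                // constructed sites and user, for illustration only
  const device = new Authenticator();
  const shop = new Site('shop.example');
  const shopKey = device.register('shop.example');
  const bankKey = device.register('bank.example');
  shop.enroll('alice', shopKey);
  const sig = device.sign('shop.example', shop.newChallenge('alice'));
  const login = shop.verify('alice', sig);
  const replay = shop.verify('alice', sig);  // same signature again: challenge already used
  const lookalike = device.sign('shop-example.test', shop.newChallenge('alice'));
  return { login, replay, lookalikeSigned: lookalike !== null, distinctKeys: shopKey !== bankKey };
}
```

A server breach in this model exposes only public keys, and a look-alike domain gets no signature because the device holds no credential for it.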
Windows Hello is a biometric-based method of authentication that enables Windows 10 users with compatible devices to log in using a fingerprint, facial recognition, or an iris scan. You need to have either a fingerprint reader, or an iris scanner, or a specific type of infrared 3D camera. Notably, Microsoft has also made Azure AD capable of FIDO2 password-less login.
FIDO2 use is also increasing in the mobile app segment. In 2013, Apple introduced fingerprint recognition on smartphones, with iPhone 5 being the first to have Touch ID. Today, many smartphones have facial and fingerprint recognition capability, and millions of users unlock their smartphones using their face or fingerprint. If you use a FIDO-enabled device, you can authenticate by using a fingerprint, uttering a passphrase, or looking at your phone camera.
Of all the password alternatives there are, perhaps none has gained traction as quickly as non-password-based multifactor authentication. Multifactor authentication is already markedly improving security when paired with traditional passwords. But what if written and remembered passwords were not a part of the process at all?
Microsoft Authenticator was developed to enable users to sign into their Microsoft accounts using their phones, and without a password. Once the username is entered, a notification is sent to the phone, which the user then approves. The second step of the verification process requires the user to provide a PIN (OK, we may still have to remember some things), face ID, or fingerprint.
To password or not to password
Experts don’t expect alternative authentication methods to become universally available in the immediate future. A major challenge here is interoperability. To replace passwords entirely, other authentication techniques need to achieve functionality across different browsers and operating systems on mobiles and PCs.
Until we do move to a password-less world, everyone will need to manage password risk in the best possible way. It’s important to adhere to robust security protocols. Using multifactor authentication is good practice. Those who struggle to remember a host of passwords might want to consider using a password manager, with additional security in the form of multifactor authentication.