Will passwords continue to make sense in the future?
For many years, several promises have been communicated regarding the disappearance of passwords. In fact, this way of protecting data and accounts is mostly hated, mainly because, due to the lack of digital literacy, they are not properly chosen and, thanks to this, result in losses, since they are easy targets that they do not have enough security to bar access to the most important data.
Another factor highlighted as not very positive is the inconvenience associated with memorizing large and different passwords on different platforms. However, the consequences of using a weak password can be serious and terribly harmful.
As already highlighted by ActiveSys, breaches and theft of personal data are increasing, with the pandemic period having further leveraged these attacks. The consequent exposure of passwords compromises the digital security of any company.
While passwords are crucial to keeping everyone safe digitally, they are not very secure themselves. Without a password manager or without two-factor authentication, the task is made easier for hackers.
Currently, the way to access the mobile phone is already done in other ways, through fingerprint or facial print. Soon, it is expected to be able to apply biometric identification.
Since 2015, Google has joined forces to limit the use and the need to use passwords on Android phones. Similarly, Microsoft has proceeded in the same way, opting for alternatives, such as biometric login. However, Microsoft intends to “make passwordless access a reality for all our customers by 2021” in order to make alternative authentication methods more accessible to everyone. Similarly, in a statement shared on the official website, Alex Simons, corporate vice president of the Microsoft Identify program, noted that: “Passwords are cumbersome to use and pose security risks for users and organizations of various sizes. According to Gartner, 20% to 50% of all help desk calls are for password resets.” According to a Gartner stat, 60% of IT service desk interactions are related to password resets. This fact demonstrates that people usually forget their passwords.
When it comes to a purchase, consumers abandon a third of online purchases due to forgetting passwords and having to reset them. In this regard, a survey by Experian found that about 75% of companies are still afraid to annoy customers with the introduction of MFA, which requires users to verify their identities.
So far, most of the completely passwordless components have appeared for niche uses, although eBay has emerged as the first major site to completely do away with passwords.
An alliance was even created to encourage the use of other forms of authentication, the FIDO Alliance (Fast Identity Online Alliance), which includes companies such as Google, Facebook, Paypal, Visa and Amazon. However, this adoption has been slow. As an example, Dropbox has used this form of identification, but as a second layer of password security, and not as what was intended, which was the line of defense, the first option. Google, in turn, as a way to encourage other forms of authentication, chose to improve the isolation of websites, thus ensuring the safety of users.
Although the complete disappearance of these keywords is unlikely, they are starting to be sidelined compared to other more sophisticated, modern, safe and strong methods such as FIDO2, as can be seen by mobile phones, that when fingerprint or face print do not work, you are asked to enter the PIN.
However, the consensus is that computers and systems will still use codes for a long time as a form of authentication, in turn, users will no longer. The alternatives are password-generating applications that automatically create, store and fill in passwords, new ways of verifying biometrics and the use of physical devices.
Thus, we provide 5 technologies that will change the way we know passwords:
App authenticators are already replacing passwords. Since 2018, Microsoft has allowed you to use Microsoft Authenticator to log into company services without having to enter codes. The feature only needs to be configured once to allow new entries. All you have to do is click on a notification that arrives via phone, which, in turn, is already protected by a fingerprint or facial reading. A similar feature is already used by Google, Apple and other companies when two-factor authentication is enabled, but for now, only the Windows manufacturer allows you to use this feature without having to enter a password.
They work with any website, creating strong passwords automatically. After this step is completed, they save the codes in the Cloud and fill in login forms without having to enter any password. However, they generally still require a first login with a master password, which the user needs to know. Android and Apple already do this autocompletion, eliminating the first login, since they already have the possibility of biometric login. However, it is still necessary to know the code, before the codes are recorded in the digital safe.
They work as initiatives to eliminate passwords in the corporate environment. Some corporate networks already integrate identity servers with service providers so that with just one authentication, the employee has access to all the programs he needs, without performing multiple logins.
Already explained here, it works as a method of eliminating passwords through biometrics. However, the creators claim that they are not secure enough as the danger lies in the exposure of biometric data, such as the face, fingerprints and eyes, which are, in this way, in plain sight and can be stolen by experts hackers of the subject. Furthermore, in case of account invasion, it is not possible to change the biometrics, as with passwords. Thus, the objective of this technology is the combination of a physical key with biometric identification and also with information that only the user can know, such as a password or a phrase. This way, the process is even safer.
Brain Biometrics and DNA
One of the methods that are still being tested. Estonia is already carrying out genetic analysis programs as a means of preventing disease, and this initiative is seen as the first step towards using this technology. However, once again, there is the disadvantage that it is not possible to change the biometrics pattern in case of invasion. It is here that a new type of biometrics arises, the brain, which consists of a code created from brain waves that are generated from the visualization of a set of images. Despite being difficult to implement, since it is necessary to install a brain scanner on the device, it would undoubtedly be hacker-proof, since in case of invasion, the set of images would change.
In fact, the corporate LastPass claims that, on average, one employee manages, on average, nearly 200 credentials. However, despite typically meeting system requirements for security and complexity, they remain easy to unravel for hackers.
Until a few years ago, there was no other way to eliminate passwords from websites, applications and Internet devices, with the credentials of any individual being transmitted digitally. This, for experienced hackers, was an easy method to profitably steal passwords and sensitive documents. Today, 8-character passwords can be cracked in just two and a half hours.
Although this transformation is being employed in several companies, it will never be fully utilized as, according to Ryan from Forrester, “There are infrastructures, systems and applications where it is simply impossible to be passwordless – but organizations can start implementing passwordless systems today.”. In turn, Microsoft’s Simons says that “Passwords can never completely disappear”.
As for what is expected of the future, Andrew Shikiar, Executive Director and CMO of the FIDO Alliance, argues that “The first step is to get the password out of the user’s hands. The next step is to get the passwords off the servers. This will fundamentally change the user experience and represent a huge leap forward in cybersecurity. Companies will get out of the password reset business once and for all and improve security.” Likewise, once again, Sean Ryan suggests that “companies start converting to passwordless applications through cloud-based applications and software as a service (SaaS)”. Also, “if there is an IDaaS [identity as a service] solution based on that and using the proxy method to go back and protect the password credentials from exposure while allowing people to use a single sign-on approach, that’s no password.“
It is equally important to ensure that people feel comfortable logging in via Face ID, Touch ID, Voice ID and other biometrics. In the same vein, it is essential to provide different ways of authentication, including non-biometric methods such as a pin. For some, this can help alleviate privacy concerns.
The truth is that, although there are currently methods that allow a secondary use of passwords, it is important, regardless of any situation, to have a strong password that varies from platform to platform, so that, in this way, the probability of suffering a virtual attack, be further reduced.
ActiveSys keeps you informed and safe.