Passwords are no longer a secure method of identity verification
With World Password Day on May 7, many techies are shifting their focus to security practices. Passwords have been a staple for account identity verification for years, but with passwords continually reused or becoming easier to guess, users are realizing how vulnerable the tactic can be.
More than half (56%) of IT professionals believe that eliminating passwords would improve the security of their organization. Some 54% of IT professionals said they believe that eliminating passwords would improve user convenience, according to a recent Yubico report.
"A password is about knowing a shared secret: I know something, you know something," said Jerrod Chong, Chief Solutions Officer at Yubico, which is a leading contributor to the FIDO2, WebAuthn, and FIDO Universal 2nd Factor open authentication standards.
However, problems arise when cybercriminals get hold of those passwords or accounts, Chong said.
The password problem
"If you just knew one password and only one other service in the entire world had this other shared secret, it wouldn't be that bad of a world," Chong said. "The problem is you have many sites or services in which you use and you reuse the same password.
"All it takes is one bad actor that reveals your shared secret, and if you reuse that password, you're going to be in bad shape because all sites that you use this password on could be compromised," Chong said.
The second problem has to do with a password being transmitted over insecure means.
"For example, if I wanted to log online to the bank, I put in a password. It's really easy for a bad site to pretend to be the bank and get the shared password as well. So now you have this issue of the transport, and being able to phish a user is super easy right now," Chong said.
Removing passwords would not only be more secure for organizations, but it would also create a better user experience, according to Chong. Passwords can be annoying, especially when using two-factor authentication, being forced to remember odd security questions, or just remembering loads of different passwords.
However, there are other forms of authentication that are proven more useful, Chong said.
"There is a proven technology that is not a shared password--it's what we call public key cryptography. [This tech] is not based on shared passwords, it's based on private public keys. This means that the user has a private key, and the entity (the service, the bank, etc.) has the public key," Chong said. "You need the combination of the private key and the public key to decrypt the information."
Continuing the bank example, Chong said that the experience is like if "the bank was doing a cryptographic handshake between the operating system that you have and the user."
This process takes the deployment aspect away from the user, so the user doesn't accidentally download malware or other malicious material. Additionally, there is no content to phish since the user isn't sending anything directly to the bank or service, according to Chong.
"No one is stealing this private key unless you went up to the user and whacked them in the head," Chong said.
"At the end of the day, it's about frictionless login that provides a very simple, easy to understand, usability for the service," Chong noted. "Passwordless means that for most people."
Biometrics also falls into the category of passwordless, Chong noted. Many smartphones use the touch ID or face ID sensors for authentication, which is intrinsically more secure than inputting a password.
The majority (65%) of IT professionals believe the use of biometrics would increase security in their organization; more than half (52%) said a hardware security key would also be a better form of security than a password, the Yubico report found.
Passwords have been used for so long that many people still resort to them out of comfortability, but passwordless is definitely where the future of authentication is moving, according to Chong.
For more, check out The end of passwords: Industry experts explore the possibilities and challenges on TechRepublic.