How far are we from a password-free world?
The Internet without passwords seems like a bad joke. The use of passwords has been deeply linked to account security for years now. It can even be challenging to imagine another way to access an account.
Passwords predate the internet by at least two thousand years. Secret societies used certain words or phrases to restrict entry to insiders only. Knowing the secret was enough to get in, which made stealing it, getting an insider to tell you, or deducing it extremely valuable. Secret passwords continued to be used throughout the ages, in bars, cults and intelligence services, up to the age of the internet.
Such an archaic method of authentication cannot be flawless.
The problems with passwords
With the ever-increasing capabilities of our computers and networks, most interactions on the internet appear instantaneous. This is great for user experience (UX), as users don't want to wait fifteen minutes for their bank's web app to load.
With this problem solved, the biggest hurdle faced by every UX designer is the "logging in" process. Indeed, the use of a username and a password is a strain on the user.
First, users need to create a password. And not just any password: a "strong" password, which often entails a string of requirements that are annoying at best and useless at worst.
Most services now require a minimum number of characters and some complexity (numbers, letters, special characters...), while forbidding certain words. And once the user finds a password that meets these requirements, they will have to change it periodically.
Then, users need to remember their password, and since different services have different requirements, this often leads to different passwords. While this sounds good from a security point of view (a breach of one service does not expose the others), it is really bad for UX.
This is clearly a bad way to handle such a process, leading to repeated "I forgot my password" procedures. Even worse, passwords are insecure by design!
Indeed, the username/password combination, while easy to understand and set up, is deeply flawed. Let’s take a look:
The password is typed on the user's machine and sent over the network to the service's server, which checks it against its database. Several weaknesses along that path can leak the password: a keylogger on the user's machine, an interception proxy, a man-in-the-middle attack on a connection that is not properly protected by TLS... And the exposure repeats every time the user logs in.
That's not all: the password has to be stored, in some form, in a database in order to be verified. This means that a breach of the service's database can lead to a massive password leak, and such stories are reported in the news almost daily. Passwords can be stored in a way that makes offline cracking slow and expensive (a salted, deliberately slow hash such as bcrypt, scrypt, Argon2 or PBKDF2), but this is not always done. Sometimes passwords are still stored in cleartext, or as a fast unsalted hash that is cracked in minutes.
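As an added example (my code, not the article's), here is what "salted hashing" means in practice for a login database: a random salt per password, a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256, which ships in Python's standard library; bcrypt, scrypt or Argon2 are equally good choices), a self-describing stored record, and a constant-time comparison at login. The record format `pbkdf2_sha256$iterations$salt$hash` is an assumption of this example, not something the article describes.

```python
import hashlib
import hmac
import os

# Added example: salted, iterated password hashing for storage.
# The record format below is an assumption of this example.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # work factor recommended by OWASP for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing, salted hash of `password`, safe to store in a database."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password: identical passwords get different records
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, compare in constant time."""
    try:
        algorithm, iterations_text, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations_text)
    except ValueError:
        return False  # malformed record: treat as a failed login rather than crashing
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking, through timing, how many bytes matched
    return hmac.compare_digest(candidate, expected)


def same_password_different_records(password: str) -> bool:
    """Two users with the same password get unrelated records, so one crack does not reveal the other."""
    first, second = hash_password(password), hash_password(password)
    return first != second and verify_password(password, first) and verify_password(password, second)


if __name__ == "__main__":
    # "qwerty123" hashes just fine: hashing protects the database, it does not make a weak password strong
    record = hash_password("qwerty123")
    print(record)
    print(verify_password("qwerty123", record), verify_password("qwerty124", record))
```

The iteration count is stored with the record so it can be raised later: old records keep verifying with their own count and can be rehashed on the user's next successful login.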
Now, what about human error? First of all, we are not good at generating random passwords (that is why some browsers create them for you). Since we know we will need to remember the password, we make it understandable by humans. This is why lists of "most used passwords" are very easy to find. A truly random generator would almost never output "qwerty123", while humans are sure to be drawn to such an easy-to-remember password.
Second, even if the user does not pick a common password, they will be afraid of forgetting it and will store it somehow: sticky notes, text files on the desktop, password notebooks... This is obviously a poor way to protect a password, as pretty much anyone with access to the desk or the machine can read it.
Finally, and without a doubt the biggest problem, is our tendency to be fooled. Phishing attacks spread further every day, while social engineering gets more precise. You can have a randomly generated 100-character password; if you willingly hand it to an attacker, it does nothing for your security.
Passwords are inconvenient and flawed. Their required complexity keeps increasing, generating annoyance for users, for little benefit to security.
The future of passwords
Regarding the first issue, the NIST has published new recommendations aimed at improving UX rather than piling on constraints: if the technology is insecure either way, let's at least reduce the strain on users.
The NIST, or National Institute of Standards and Technology, is a US federal agency (part of the Department of Commerce) that regularly publishes standards and guidelines; its password rules are in Special Publication 800-63B. Here are the latest ones:
Obviously, these are not mandatory, and in most cases you will be asked for either a less or a more complex password. That is a good way to tell what matters more to the company: your experience as a user or the security of your account.
Passwords are insecure, I think that much has been established, but they are not a bad way to log in... provided they do not stand alone against attacks.
There are several solutions that can work with passwords in order to improve their security.
Sometimes, the login process can be delegated to a third party. For users in their daily life, this mainly means social login (all the "Log in with Google/Facebook/GitHub" buttons) and Single Sign-On (SSO). For companies, a trustworthy IAM (Identity and Access Management) system can do wonders.
These options are better because they limit the number of places the password is stored in. The trade-off is that the identity provider becomes a single point of failure: that one account must be the best-protected of all.
Another very useful addition is MFA, or Multi-Factor Authentication. MFA can take several forms: a text message sent to your phone, a code from a third-party app (like Google Authenticator), a code sent by email, or a hardware token. The point is to check a second thing beyond knowledge of the password: that the person trying to connect possesses a device known to belong to the user and, for push- or touch-based methods, that a human is actually initiating the process.
Unfortunately, even such enhancements are not enough: SMS codes can be intercepted through SIM swapping, and app-generated codes can be phished just like passwords, since the user types them into whatever page asks for them. Moreover, they are also a source of discontent for users, who have to juggle different devices and inboxes.
But don’t worry, the future may be bright regarding UX and security!
A passwordless world in the making
A revolution is coming in the form of FIDO2. FIDO stands for Fast IDentity Online; FIDO2 is built on two standards, WebAuthn (the browser API, standardised by the W3C) and CTAP (the protocol between the browser and the authenticator), which ensure its compatibility and security.
The idea is simple: remove the password completely from the login process. Instead, we use an authenticator, typically a security key plugged into a USB port (or built into the device), to prove our identity. When prompted to log in, the user performs a gesture: entering a PIN, or touching the key, possibly with a fingerprint reading. Under the hood, the key holds a private key and signs a challenge sent by the server, which verifies the signature with the matching public key; the user does not have to type anything.
You may wonder whether a PIN does not entail the same problems as a password. While the two look alike, a password is verified by (and therefore stored on) a remote server, whereas the PIN is verified by the key itself and never sent to the server. A PIN is also protected by a retry counter: a FIDO2 authenticator locks after a small number of wrong attempts (eight in CTAP2), so it cannot be brute-forced. A similar drawback remains: disclosing the PIN makes the device usable by whoever also has it in hand.
While the technology behind WebAuthn and FIDO2 keys is fascinating, it is enough to understand that your "credential" (the private key) is stored inside the key and never leaves it; the server only ever holds the public key, which is useless to an attacker who steals the database. Moreover, after the set-up step, the key does all the work, leaving the user with a clearer UX and security that does not depend on human behaviour.
Indeed, to impersonate a user, an attacker would need the physical FIDO2 key and its PIN, or a valid fingerprint. This is much harder to obtain than a few words that can be guessed, phished or retrieved from a breach. Phishing fails for another reason too: the browser binds each signature to the site's origin, so a signature obtained on a look-alike domain is not valid for the real one.
The fact that the presence of a real user is checked is another strong point of passwordless technology: someone has to physically touch the key for each login. This prevents malware on the computer from silently using the key, and the PIN retry counter prevents brute-forcing the PIN.
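The exchange described above, as an added example that is neither the article's code nor any FIDO library's: a server (the "relying party") and a model of a security key exchange a random challenge signed with a P-256 key, as FIDO2 authenticators commonly do (the ES256 algorithm), and the server performs the checks WebAuthn requires before accepting a login: challenge, origin, rpId hash, user-presence and user-verification flags, signature counter, and finally the signature itself. It assumes the `cryptography` package is installed (`pip install cryptography`); the data layout follows the WebAuthn spec in simplified form (no CBOR attestation, no extensions), and the names, origin and username are constructed for the example.

```python
import base64
import hashlib
import json
import os
import struct
from dataclasses import dataclass

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Added example: a simplified WebAuthn "get assertion" exchange (no CBOR, no attestation).
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or fingerprint checked by the key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


@dataclass
class StoredCredential:
    public_key: ec.EllipticCurvePublicKey  # all the server ever stores
    sign_count: int


class Authenticator:
    """Models the security key: private keys are created here and never leave this object."""

    def __init__(self):
        self._keys = {}  # rp_id -> [private key, signature counter]

    def register(self, rp_id: str):
        private_key = ec.generate_private_key(ec.SECP256R1())
        self._keys[rp_id] = [private_key, 0]
        return private_key.public_key()

    def get_assertion(self, rp_id: str, client_data_json: bytes, user_verified: bool = True):
        private_key, _ = self._keys[rp_id]
        self._keys[rp_id][1] += 1  # monotonically increasing counter lets the server spot clones
        flags = FLAG_UP | (FLAG_UV if user_verified else 0)
        # authenticatorData = SHA-256(rpId) || flags || signCount (big-endian, 4 bytes)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", self._keys[rp_id][1])
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, private_key.sign(signed, ec.ECDSA(hashes.SHA256()))


class RelyingParty:
    """The web service. Holds public keys and counters only; no secret worth stealing."""

    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.credentials = {}  # username -> StoredCredential

    def complete_registration(self, username: str, public_key) -> None:
        self.credentials[username] = StoredCredential(public_key, 0)

    def new_challenge(self) -> bytes:
        return os.urandom(32)  # one per login attempt; discard after use

    def verify_assertion(self, username, challenge, client_data_json, auth_data, signature, require_uv=True) -> bool:
        cred = self.credentials[username]
        client_data = json.loads(client_data_json)
        if client_data.get("type") != "webauthn.get":
            return False
        if client_data.get("challenge") != b64url(challenge):
            return False  # stale or foreign challenge
        if client_data.get("origin") != self.origin:
            return False  # the browser wrote the origin: a look-alike domain fails here
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False  # signed for another relying party
        flags = auth_data[32]
        if not flags & FLAG_UP or (require_uv and not flags & FLAG_UV):
            return False  # nobody touched the key / no PIN or biometric check
        count = struct.unpack(">I", auth_data[33:37])[0]
        if count <= cred.sign_count:
            return False  # replayed assertion, or a cloned authenticator
        try:
            cred.public_key.verify(signature, auth_data + hashlib.sha256(client_data_json).digest(), ec.ECDSA(hashes.SHA256()))
        except InvalidSignature:
            return False
        cred.sign_count = count
        return True


def browser_client_data(challenge: bytes, origin: str) -> bytes:
    """What the browser itself (not the page's JavaScript) places in clientDataJSON."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()


def demo_login(origin_seen_by_browser: str, replay: bool = False):
    """Register, then log in once (and optionally replay the same assertion). Returns the RP's decisions."""
    rp = RelyingParty("example.com", "https://example.com")  # constructed names
    key = Authenticator()
    rp.complete_registration("alice", key.register(rp.rp_id))
    challenge = rp.new_challenge()
    client_data = browser_client_data(challenge, origin_seen_by_browser)
    auth_data, signature = key.get_assertion(rp.rp_id, client_data)
    first = rp.verify_assertion("alice", challenge, client_data, auth_data, signature)
    if not replay:
        return first
    return first, rp.verify_assertion("alice", challenge, client_data, auth_data, signature)


if __name__ == "__main__":
    print(demo_login("https://example.com"))   # genuine site: accepted
    print(demo_login("https://examp1e.com"))   # phishing site: origin mismatch, rejected
    print(demo_login("https://example.com", replay=True))  # second use of the same assertion is rejected
```

In a real browser the phishing case fails even earlier: the browser refuses to let `examp1e.com` ask for a credential registered to `example.com`, so the key is never even prompted. The server-side origin check shown here is the defence in depth the WebAuthn spec requires anyway.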
To sum it up, going passwordless is more secure and more enjoyable for users.
This revolution is being pushed by a lot of companies, some of which we know very well. Among the biggest passwordless advocates are Microsoft, Apple, Google and many others. There is actually a FIDO Alliance, with representatives from Microsoft, Amazon, Intel, Thales and NTT DoCoMo, among others.
Some of these companies already offer FIDO to their users, like Microsoft with its Windows Hello technology.
The transition from password-driven to passwordless authentication will take some time, but with such powerhouses pushing adoption, we can expect fast changes in the coming years.
The protection of data is one of the main issues faced by everyone, from SMEs to big corporations, from military personnel to ordinary users. The advent of passwordless technology is very good news. The health sector is also very interested in FIDO2, as it can improve its cybersecurity quite easily: the North York General Hospital chose to work with Thales and IDENTOS to set up FIDO authentication.
A new market is forming, as we start to see ads for security keys. Another interesting idea is the "biometric wearable", like a ring or a bracelet, that could be used to confirm your identity.
To conclude, passwords are clearly an essential part of our journey across the internet. While they were the main option for decades, they suffer from several drawbacks: they must be stored and transmitted; moreover, humans choose them, which makes them weak. Coupled with other solutions like Multi-Factor Authentication, passwords can still be somewhat secure.
But with the advent of new standards and of FIDO2, a passwordless world is in the making, driven by all the actors in the field trying to secure data. The coming months or years will reveal how widely security keys and other FIDO2 technologies get adopted in a world that is used to passwords but fed up with them.
In any case, be very careful with your credentials, at least until this future becomes reality.
The internet is a hostile environment
Natixis Corporate & Investment Banking
2 years ago: Great article!
Cybersecurity consultant
2 years ago: Well done Noé! :)
Associé - Customer & Partner success at Backupta, Lyvoc & Folgo
2 years ago: Thanks Noé for this very thorough article. As discussed yesterday, the "MFA fatigue" attacks start to show the limits of standard strong factors such as mobile app push notifications. The ability to leverage biometrics or FIDO2 devices seems like a good answer, although it implies expensive costs on both device purchase and day-to-day operations. Looking forward to reading your next article!