Is Your Password Really Dead?

You would be surprised if you come to know that almost two decades ago in 2004, Bill Gates predicted the death of passwords during a talk at the RSA Security conference. There have been similar talks on this topic but the fact is passwords are still very much a part of our daily technology experience. The number of passwords each of us are managing just keep increasing with every signup.

Issues with Passwords

?? Passwords suffer from several problems- they can be shared, they can be stolen, they can guessed, they are difficult to remember and forgetting them can be frustrating.?

?? Effective passwords often require human efforts that many users can’t or simply won’t take the time to make.

?? The use of stolen credentials in social engineering breaches is the most common action by hackers

?? A common practice in the hackersworld is reusing account credentials curated during past data breaches. When the same email/username and password combination is used across several of personal and work accounts the hackers have it in their database already. But the issue also is why create unique passwords when you're not sure you'll remember them?

?? Organisations and websites had to come up with password policies to ensure that passwords chosen have a minimum strength but it has a huge drawback as it puts the burden of choosing a password confirming with the policy on the end users.

Passwords have served us well for a long time, but in the face of evolving cyber threats, it’s time to accept that they are past their prime and alone they can’t serve us in future.

What is Trending

·Multi factor authentication- three dimensions for authentication are- “what you know”, “what you have” and “who you are”. Password is based on “what you know”, the OTP which we get on SMS and enter it on a website/application along with password is form of two factor authentication in simplest form where SMS received on mobile is the second factor and it adds the dimension of “what you have” to “what you know”. Add face scan to this and it adds the third dimension of “who you are”.

Password Manager- A password manager is an app on your phone, or computer that stores your passwords, so you don’t need to remember so many passwords. Once you’ve logged into the password manager using a ‘master' password, it will generate and remember your passwords for all your online accounts.? However, if you forget the ‘master’ password for your password manager, you will not be able to get back into your accounts easily. In case your password manager account is compromised, they will have access to?all?the passwords

Passkeys- ?A passkey lets you sign into your accounts using the same method that unlocks your device, such as PIN or Biometrics like finger or face prints. The main advantage is these methods are phishing-resistant, because a hacker needs your actual device, not just your password, to break in and its password-less. Fast Identity Online popularly known as FIDO is a set of technology-agnostic security specifications for strong authentication developed by an alliance of Amazon, Apple, Google, Microsoft, Visa and many other large corporations. This alliance has been working on secure authentication and can be considered as the founder of passkeys. It has developed multiple specifications based on Public Key cryptography. Lets delve a little deep into this.

Depicting simplistically (in the diagram below), during a registration ceremony, an authenticator will provide a public key to an IT system that will have a corresponding private key that exists on the authenticator. The IT system or application can then issue challenges, encrypted by the public key to a user. If the user is successfully able to use their private key to decrypt the challenge, then they will be authenticated into your application.

How Long will Passwords Survive

The passwords are going to stay for some more years at-least because of the perceived convenience, and the fact that a lot needs to be done in the software world to completely move to Password-less authentication. However for all sensitive operations passwords will be complemented by multi-factor authentication, and this has already happened for most financial applications. With time as more and more services of physical world will become completely digital, Passkeys shall overtake passwords. More and more devices and software will support passkeys or possession based authentication, it will become de-facto standard and people will find it much easy to use passkeys than remembering passwords. That’s at least what I think, what do you think?

share if helpful / valuable / useful / worth reading