Digitizing Technology Security: Future without password


Passwords used to be important, but are no longer secure and companies like Apple and Microsoft want to get rid of them completely.

A password is a string of characters used to confirm a user's identity. In the digital age, it is indispensable for logging in to software or computer networks. Recently, authentication has moved beyond the plain password to methods such as fingerprint, iris and face recognition, but the most popular is multi-factor authentication.


Future users may no longer encounter password barriers. Photo: WSJ

However, either way, passwords are still considered the weakest link in the security system. A series of password hacks has taken place, some carried out by hackers who did not need to be especially tech-savvy. According to cybersecurity firm Group-IB, this summer alone, more than 130 organizations were hit by hackers, causing damage to millions of users.

Humans - the biggest weakness

Passwords are said to be no longer secure as they get longer and harder to remember. Users must rely on password managers, and these are not as secure as advertised.

The use of passwords is also tied to the human factor. As a result, Google, Amazon, Nvidia, and hundreds of other major technology companies identified this as the biggest security hole, and then adopted the strategy of trusting no one.

"No matter how secure, the system can still be hacked if it is controlled by a human," said Ofer Maor, chief technology officer and co-founder of cybersecurity incident response company Mitiga. "Over the past few months, attacks have been increasingly reported, especially in the form of two-factor authentication attacks. No matter how large or small the company, all come under the same barrage of attacks and pressure."

For example, in the recent Uber hack, a system administrator from a contractor hired by Uber was fed up with spam messages asking for authorization to log in to an account. He then subconsciously clicked accept, causing the system to be compromised.

Future without password

According to experts, with a passwordless system, things are different. In this case, the credentials are transmitted from the digital device over the Internet in a form that cannot be read by humans. All communications are encrypted, and the user's identity is verified when a device, like a smartphone, sends a one-time authentication code that only the phone can generate. In this way, the smartphone becomes the password.
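The one-time code described above can be modelled as a challenge-response exchange. This is an added example, not part of the original article: a simplified model in which the service issues a random challenge and the device signs it with a private key that never leaves the device. The function names, the `alice` account and the `.example` origins are assumptions, and this is not the actual FIDO/WebAuthn message format.

```javascript
const crypto = require('node:crypto');

// Device side: the private key is generated on the device and never leaves it.
function createDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // handed to the service once, at registration
    sign: (challenge, origin) =>
      crypto.sign('sha256', Buffer.from(`${origin}|${challenge}`), privateKey),
  };
}

// Service side: stores only public keys and the challenges it has issued.
function createService(origin) {
  const registered = new Map(); // user -> public key
  const pending = new Map();    // user -> outstanding challenge
  return {
    register: (user, publicKey) => registered.set(user, publicKey),
    issueChallenge(user) {
      const challenge = crypto.randomBytes(32).toString('hex');
      pending.set(user, challenge);
      return challenge;
    },
    verify(user, signature) {
      const challenge = pending.get(user);
      const publicKey = registered.get(user);
      pending.delete(user); // single use: a captured response cannot be replayed
      if (!challenge || !publicKey) return false;
      return crypto.verify('sha256', Buffer.from(`${origin}|${challenge}`), publicKey, signature);
    },
  };
}

// Constructed scenario: one genuine login and three responses that must be rejected.
function demo() {
  const service = createService('https://login.example');
  const phone = createDevice();
  const otherPhone = createDevice();
  service.register('alice', phone.publicKey);

  const response = phone.sign(service.issueChallenge('alice'), 'https://login.example');
  const genuine = service.verify('alice', response);
  const replayed = service.verify('alice', response); // challenge already consumed
  const wrongDevice = service.verify('alice',
    otherPhone.sign(service.issueChallenge('alice'), 'https://login.example'));
  const otherSite = service.verify('alice',
    phone.sign(service.issueChallenge('alice'), 'https://other-site.example'));
  return { genuine, replayed, wrongDevice, otherSite };
}
```

Only the first response verifies; the service holds no secret that could be leaked or typed into the wrong page, which is the property the article attributes to device-based login.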

With digital devices as the authentication method, security also increases, because stealing a phone and logging in with it is more difficult, especially when the device is protected by biometrics such as face or fingerprint. This is also one of the reasons biometric sensors are appearing more on laptops, PCs and many other types of devices.

"Such a system would not face the possibility of phishing attacks because it completely removes the weakest link, the human, from the login process," said Andrew Shikiar, head of the FIDO Alliance, a coalition for online authentication. This alliance has been operating for more than 10 years, with many members being famous companies such as Apple, Google and Microsoft.

In mid-May, Apple, Google and Microsoft made a joint announcement regarding passwordless logins. This is a standard created by the FIDO Alliance and the World Wide Web Consortium. Accordingly, each device has a unique identification code issued by FIDO to be used to log into different websites and applications without a password. Apple, Google, and Microsoft have supported this standard on their platforms by allowing users to access accounts using biometric authentication methods.

Device-based authentication in place of passwords is not new. For more than a decade, some companies with particularly secure systems have required administrators to plug in a dedicated USB stick containing the unlock code. The system will not connect to corporate or government networks without it. However, according to a report from Hypr as of mid-2022, only 16% offer employees the option of passwordless login.

According to Todd McKinnon, CEO of Okta, passwords are still used because convenience and high-security technology have not received enough attention. However, the ubiquity of biometric sensors in digital devices today makes it possible to implement passwordless security.

"Ten years ago, you didn't have Touch ID, Face ID or Windows Hello. But now they can support logging into the system easily," McKinnon said.

According to Shikiar, device-based authentication is taking a giant leap forward and is more secure than today's password-based systems. However, depending on how secure an organization wants to make its systems, this process should be only the first step towards disabling threats; the following steps still require a password to authenticate.

Besides the advantages, a system without a password can cause many inconveniences. For example, how to recover a lost password if the administrator is only given an unlocked device without knowing how to recover it. If the recovery process is too difficult, the employee may be locked out of his or her account and unable to do his or her job.

On the other hand, if the account recovery process is too easy, the system is at risk of being compromised. "For many companies, you have to call the help desk and identify yourself as the person," Weinert says. "This opens the door for attackers to get around by persuading someone at a higher level to register a client device on a corporate system without stealing credentials."

Maor believes that passwordless login systems will be the next security trend. However, he said the requirements must be strictly adhered to in operation. "I've been working in security for 30 years. The reality is that with most solutions, the balance between safety and convenience leaves a hole where hackers can still get in," Maor added.



Copyright © 2022 iCOMM Tech JSC