Why Big Tech Is Striving for the World without Password
The password is undoubtedly everywhere. It was recorded that an office worker in the US must keep track of 20 to 40 different usernames and passwords combinations. With so many passwords to remember, they tend to keep them somewhere in our computers, phones, notebooks. Some prefer to use the same password for all accounts; thus, it could save their time and they won’t be able to forget.
Both ways propose an expensive and serious risk to data breaches. Since passwords are so easy to guess, a computer can easily crack an 8-character password in less than a second. This implies that the password is no longer a trustworthy means to protect the data. Thus, the leaders in the world like Google, Apple, or Microsoft are trying to reduce our dependence on passwords, and hope to create a future without it.
What Is Wrong with Password?
Reusing passwords is not uncommon for busy people. They believe that their password is so tricky that they can again use it for the other 10 different accounts. But the fact is the password is also so easy to be hacked, all the hackers need to hack an account in a few minutes is your ID or your username. Thus, if you use one password for 10 accounts, those accounts are on the edge of getting hacked at the same time.
We are living in a world of social media, where we share everything on Facebook, Instagram, Twitter, etc. But the problem is we share too much, we share names, families, favorite food, animals, even locations. These can be taken advantage of by the hackers if the same names or places appear in your passwords.
Hacking is much easier than most people think, there is even a site with the purpose of revealing the user’s data. It is called “we leak info.com”, where you just put in the email address of yourself or a friend, then it can reveal your password in a few seconds. With the quick search on Google: “we leak info” and users can get access to more than 10,000 data breaches for as low as $2 and it is not even the only website to offer the services.
Understandably, password is not fit in purpose for today’s networked economy. Most of the data breaches are caused by passwords. In a report about data breaches in 2013, it found that 29% of those breaches include the utilization of stolen credentials. In another study, researchers found that the average cost of a data breach in the U. S. was more than $8,000,000 and even when passwords are not stolen companies can lose a lot of money resetting them.
Microsoft executive told CNN in 2018 the company spends more than $2,000,000 each month in help desk calls helping people to change their passwords. With the details of our personal and professional lives increasingly residing in the digital realm, those costs are likely to grow.
The history of password
As we discussed, there are several risks in using passwords as the way to protect our data and data breaches due to password hacking have caused so much money as well. All these troubles dated back to the early 19 sixties at M. I. T, this was the time when password was created. At that time, computers were the large devices, but they can only manage the work of one person at a time.
With the hope to get rid of this limitation, Fernando Corbató invented the computer time-sharing system (CTSS), which was an operating system allowing many users to get access to the computers at once. Undoubtedly, this led to privacy problems, so Corbató created the first passwords with the aim that each person would have his own private set of files.
The first computer in the world was also the first one to be hacked. One of the researchers found that the weekly 4 hours per week were not enough for him to complete his work. Thus, he printed out all the passwords stored on the system and use them to log in as his colleagues.
The passwords back to the old days were already not secure, and it keeps on being the riskiest form of authenticity today.
Types of Authentication Forms
Authentication has come beyond just entering the password. The users can log in to their device with their fingerprint or face recognition.
In fact, there are 3 types of authentication. The first one that we know today is the password, the second one is what we possess which is like a smart card, token and the last one is our biometric such as fingerprint, face.
The password alone is the highest risk way of authenticating and that leads to fishing, data breaches, and other serious cybercrimes. Thus, any forms of 2-factor authentication are better than passwords alone.
One example of 2-factor authentication is when you withdraw money from the ATM. When you insert your card, it is something that you possess, and when you enter the PIN, it’s something that you know. This is considered an inconvenient way, but it provides more security compared to just passwords alone. However, the hackers can still hack your account even though they do not have your card and know your password.
And the world also evolves with other innovations to prevent this. The biometric authenticity including fingerprint readers and face-scanning cameras is the newest form and the most reliable one nowadays. While assistants like Siri Alexa and Google assistants have advanced voice recognition technologies as a way to protect their user’s privacy.
Leaders in a Passwordless Revolution
Not so many people notice that the smartphone industry is taking the initiative in coming closer to the passwordless future. When we unlock the phone whether, with Face ID or Touch ID on iPhone or any other brands, we are utilizing the technology which is more secure compared to entering the password traditionally. These smartphone leaders encourage us to use biometrics due to its convenience, but, in reality, they are quietly helping us to secure our private information better.
In the past, using biometrics as the secure method was expensive and offered low quality, besides the users also found it awkward and hard to use. However, leaders like Apple didn’t stop their ambition in providing better security for the users. Over the past 10 years, Apple and other smartphone manufacturers have tried to embed this technology into their device and encourage the users for the sake of convenience.
Thanks to the development of technology, the new and improved sensors are no longer expensive and available everywhere, which contributes to the fact that biometrics becomes more popular than before. This evolution in sensors is so successful that if those sensors are paired with the right software, they become so user-friendly and transparent. As a result, more customers do not consider twice about biometrics since it is unavoidably necessary for their security purpose.
The Lead of the FIDO Alliance to the Passwordless Future
FIDO alliance- an open industry association has been the means of driving passwordless authentication. Their mission is to push “authentication standards to assist reducing the world’s over-reliance on passwords”. Thus, their purpose is to provide the improved authentication with open standards with the aim of more security than using the passwords, better simplicity for both the users and providers to embed and manage.
Currently, with the help of its member working in the field of identity, security, and biometrics, FIDO has developed and advanced in open and free standards. This leads to the fact that passwordless authentication has been taken to the next level, so it could be more easily adopted.
In 2018, WebAuthN specification invented by W3C was adopted by FIDO as part of its FIDO2 standard. This offers an application programming interface (API) that could be easily carried out on any websites or services. Moreover, this API can also communicate directly to a browser like Google Chrome, Microsoft Edge, or Apple Safari to initiate FIDO-based authentication, which democratized passwordless authentication in a significant way.
Also, these specifications are designed in a way that could help delegate authentication to endpoints like mobile phones or computers. Besides, they can work in a multi-environment, which means that one user can authenticate by facial recognition, another by code, and another with a thumbprint.
FIDO was established in 2013, yet it has created an impact and spared a foothold among the leaders. The fact is that Apple just took part in FIDO recently and holds a seat on board. Other technology leaders that are members of FIDO could be listed: Amazon, ARM, Facebook, Google, Intel, Microsoft, Mastercard, PayPal, Samsung, Visa, and VMware. While Apple MacBook with touch ID feature, has integrated FIDO, then Samsung has already shipped devices where the biometric sensor is FIDO-enabled. With the help of FIDO and WebAuthN, finally, the application owners can say goodbye to password completely.
How the FIDO alliance differentiates its distributed approach from a centralized approach
In the past, the information of the users such as thumbprint, face, voice would be sent to a server, processed, and then stored as minutiae points. Thus, when they present their iris or thumbprint to gain access to the device, the information would be sent to the server again to check if there is a match and then give the users access. The advantage of this method is that the minutiae points only have meaning to the biometric system, which means that the cybercriminals cannot steal the minutiae points and recreate the thumbprint or iris. However, the bad side of this method is that most people do not prefer their biometrics to be stored on the centralized server.
On the other hand, FIDO and WebAuthN work by decoupling someone’s biometric information for authentication from the app that the users want to access. Then, the concept “authenticators” that can roam is introduced by WebAuthN. Roaming here means that those authenticators can move between computers by using USB, near-field communication (NFC), or Bluetooth or between platforms since they are integrated into the operating system. Authentication has never been so easy than now, the users can prove their presence only by touching USB fob or native biometrics, such as a fingerprint.
With this new technology, the users are equipped with a unique cryptographic key pair. This is the private key that is securely protected within the authenticator, another key called public key will be sent to the service. During the authentication, if there is any challenge occurring, then only a signed response using the correct private key will activate authentication.
Generally, FIDO and WebAuthN are used in conjunction with a secure element, so that the cryptographic keys can be generated and stored there. The biometric unlocks the key that is sent to the server. This method has high security since each service owns a unique key pair, thus if the hackers have the intention to hack, they not only need to attack every single device but they also need to identify and compromise each key.
The Challenges of Building the World without Passwords
The first one is the technical problem. In order to bring the technology of FIDO and other tech leaders, the technical issue should be addressed. It should not only be easy, convenient but also free and standard.
The second challenge belongs to the behavior of the users. The reason why most people still prefer password over other methods is that the password can be easily used by anyone, there are no limitations, no hardware requirements. Even when the new technology is available for them, some might still use passwords instead due to their familiarity with entering passwords to authenticate something.
The fact is FIDO technology could become simpler, more convenient, and most importantly, it offers the highest security for the user’s private information. Thus, it is believed that users will gradually embrace technology and ditch their old habit of using passwords. However, the journey to that day with no password is still so long, which also means that the risk of breaches of the consumer side will persist for the foreseeable future.
This article is also credited to the authors: Robert McMillan and Ben Goodman