
A Password-less Future

Concise coverage of the alliances and technologies that are taking us towards a password-less future.



Mehul Gala

3 years ago | 5 min read

Concise coverage of the alliances and technologies that are taking us closer to a world without passwords.

Topics

  • Problem with passwords
  • Cost to Companies
  • Types of Authentication
  • Multi-Step Authentication
  • Multi-Factor Authentication
  • Advances in Bio-metrics
  • FIDO Alliance
  • WebAuthn Protocol

Problem with Passwords

Although they keep our assets safe from malicious users, there are a few fundamental problems with the system of passwords.

So many to Remember

Literally every device or web account we access requires us to authenticate ourselves with the help of passwords. At the end of the day, we are left with so many to remember.

A recent study showed an average IT person has to remember between 20–40 passwords at any given point in time.

Security Risk

To avoid remembering so many passwords, many users start to use the same passwords over and over, at multiple places. One password breach will lay open all their digital assets.

Alternatively, they keep a written note of their passwords somewhere on their phones, computers or notebooks, most likely in a single place. If someone gets hold of that one piece of paper or one digital file, the user’s assets are out in the open again.

Hacker’s Paradise

All internet account passwords are stored on central servers. This lures high-profile hackers into attempting to crack them.

Sadly, some of them do manage to succeed, and when this happens your password gets sold to sites like dehashed where someone can buy it for as low as 5 to 10 dollars.

Yes, your hacked passwords are being sold on the Web for virtually a penny.

Short Passwords are not secure

Listen to what Edward Snowden has to say about passwords to John Oliver.

Cost to Company

Passwords are a huge liability to companies for several reasons.

Primary Source for Data Breaches

The vast majority of data breaches in companies are caused by passwords. It turns out that stolen passwords are one of the simplest and most common causes of data breaches.

As per this report, as many as 29% of breaches are caused by stolen passwords. Independent research shows that the average cost to the company of each stolen password in the US is as high as 8 million dollars.

Deal with Password related issues

Password-related issues do need attention, time and manpower. In large organizations, the cost can add up substantially. IT admin teams are forced to spend a certain proportion of their man-hours resolving queries related to forgotten passwords and other login issues.

Types of Authentication

There are three main types of authentication.

  1. Something you know: a password, PIN, security questions, etc.
  2. Something you possess: a mobile phone, debit card, USB stick, etc.
  3. Something you are: a fingerprint, face recognition, retina, etc.

Multi-Step Authentication

In a multi-step authentication, there are multiple (two or more) steps involved. However, the steps use the same type of authentication.

For example, using two steps in which you provide two different passwords to get authenticated to a device, or using two biometric forms of authentication, such as a retina scan and a fingerprint, to get authenticated to a system.

Multi-Factor Authentication

Multi-factor authentication (MFA) refers to using multiple forms of authentication, such as a password and a retina scan.

There are two distinct factors that are used for authentication. If the hacker steals your password, a totally different form of authentication (retina scan) is still required to gain access.

Two-factor authentication is the most widely adopted means of authentication worldwide.

We do it all the time. When withdrawing money from an ATM, we insert our card (something we possess) and enter our PIN (something we know). Similarly, during an online payment, we enter our PIN (something we know) and then enter an OTP that we receive on our mobile phone (something we possess).

Advances in Bio-metrics

Bio-metrics has grown leaps and bounds in the last few years. The technology has proven to be extremely reliable, and hence it is now making strong inroads into the consumer market.

It brings massive advantages because your fingerprints, retina, face, etc will always be with you. Unlike passwords, you don’t have to memorize anything. There is very little risk of someone spoofing it unless you have a twin sibling :P

We have started using Bio-metrics in many places, like login to our smartphones and offices using fingerprints.

“Windows Hello” is Microsoft’s ambitious project dedicated to authentication using biometrics, with the pitch “You are the Password”.

Satya Nadella heavily promoted this feature at the “Future Unleashed” event. Watch a small sub-clip from this video (from 13:50 to 14:25) where he mentions Windows Hello.

Digital assistants like ‘Alexa’ and ‘Google Assistant’ are mastering voice biometrics to identify their users, and have recently started assisting them with banking.

FIDO Alliance

There have been many movements to promote 2-factor authentication. One movement that stands out is the FIDO Alliance, because it is backed by all of the world’s major tech companies.

FIDO stands for Fast Authentication Online, and it is a consortium of more than 250 giant tech companies all dedicated to one purpose: password-less authentication. Apple joined the group as recently as this February.

Main pitch

Its main pitch is to promote 2-factor authentication without the use of passwords. Think for a second: all the 2-factor authentication we’ve used so far has a “something we know” component, like a PIN or password.

This organization is promoting the other two types (something we possess, and something we are) as the preferred way to perform two-factor authentication.

Prototype

This is what a FIDO-enabled device looks like:

FIDO calls them “security keys”. This little piece of hardware is all you need to authenticate to your devices. You insert it into your computer or any electronic accessory and put your finger on the top surface to be let in.

Two-factor authentication is achieved using the device (what you possess) and fingerprint (what you are), avoiding the need for passwords.

No Central Server

If your password is hacked or compromised, you can always reset it. But if your bio-metric is hacked, well, you can’t change it unless you plan to do plastic surgery :P.

To eliminate this risk, FIDO recommends that authentication data be stored on the device rather than on a central server. So the biometric information needed to authenticate the user is stored locally.

No central server means hackers don’t have one single “paradise” to hack in order to compromise the entire organization. This enhances security many-fold and protects your privacy.

WebAuthn Protocol

Up until this point, we’ve talked about logging in to your physical devices (computers and smartphones), making them password-less using FIDO guidelines.

But what about the hundreds of websites we visit? Almost all of our web accounts require a password to authenticate ourselves. How do we get rid of them?

The WebAuthn protocol is built to let you use the FIDO-recommended 2-factor authentication method on the Web. This means that to access a website, all you need to do is insert your “security key hardware” into your computer and provide your fingerprint on its top surface.

All major Web browsers already support this protocol. In fact, if you already have a security key hardware, you can demo it live on this website.

Footnotes

  1. The first computer to use a password was at MIT in the 1960s. Ironically, it was also the first computer to be hacked.
  2. The National Institute of Standards and Technology (NIST) defines standards for passwords. In the document released in 2004, it suggests having a password of a minimum of 8 characters with at least one upper case letter, one lower case letter, one number and one special character in it, and that it should be changed regularly.
  3. In 2017, NIST rewrote the password rules. It now says to use long, easy to remember phrases instead of crazy characters, and it suggests changing the password only if it is hacked.
  4. An image estimating how long it will take to crack a password was recently circulated. Check it out.
