Passwords are one of the pillars of security and particularly of authentication. Used by the Roman guard at the time of the night shift, they are today one of the cornerstones of digital security.
While the technological spectrum has changed considerably since gladiator games, aside from a few recommendations on their complexity, the rules for the use of passwords have hardly changed at all.
To fully embrace the fourth industrial revolution, it is time to render to Caesar the things that are Caesar’s and to implement authentication solutions worthy of our time.
More passwords, less security
The explosion of online services has led to a drastic increase in the number of personal and professional accounts: some 191 on average, according to a study conducted in 2017. As a result, the re-use of passwords from one account to another, or the creation of passwords following an easy-to-guess pattern, are common bad practices.
So how can IT managers properly secure access to a corporate network, when half of the employees authenticate with the same password they use to log into their Amazon or Gmail accounts?
It’s a difficult question, and offloading the responsibility onto users by imposing increasingly complex and heterogeneous password rules does not help. In 2016, of all compromised passwords, “123456” was used by almost one in five victims.
And even when we, users, respect the rules, the companies managing our data may not, while they are themselves exposed to vulnerabilities in technologies they do not control.
In response to the explosion in the number of credentials, some companies started offering proxy authentication services or password safes, but these introduce single points of failure.
Safes are software, and as such they can have vulnerabilities. Cracking the safe’s master password grants access to all the credentials saved. As for proxy authentication services, the latest data breach affecting Facebook is an example of the consequences of such practices.
Gemalto estimates that over the first six months of 2018, more than 4.5 billion pieces of personal data have leaked: nearly 300 per second.
In this context, is it even possible to authenticate securely?
Can we fix passwords?
To sum up, on one hand, users have too many passwords to manage, while on the other, passwords leak from datacentres on a daily basis.
On the user side, targeted awareness campaigns do improve password hygiene. Password safes also offer a first response with the ability to generate complex passwords, though they rely on a master password. Furthermore, the global impact of awareness campaigns remains limited, while password safes are far from popular among non-experts.
To avoid the risk of interception or password leaks, one solution is to perform the authentication on the user side. Fast Identity Online (FIDO) is an alliance of companies united around this concept; today, more than 1.5 billion users can authenticate without any password ever being transmitted out of their computer. A physical device owned by the user manages the authentication process and indicates to compatible online services that these users are indeed who they claim to be.
FIDO offers a solution that eliminates the need to remember each of our passwords. However, most implementations still work with a PIN. And as in the case of credit cards, a PIN can be stolen, even if the probability remains low.
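As an added illustration (not code from the original article or from the FIDO Alliance), here is the core of the exchange described above in Go: the device signs a random challenge from the service with a key that never leaves it, and the service verifies the answer with the public key it stored at enrolment, so no password or other reusable secret ever crosses the network. The type and function names (Authenticator, Server, Register, Challenge, Sign, Verify) are assumptions of this sketch, and it omits the origin binding and signature counters a real FIDO2/WebAuthn implementation adds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator is a hypothetical model of the user's FIDO-style device: the private key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Server models the online service for one registered user: it keeps only
// the public key and the challenges it has issued and not yet seen answered.
type Server struct {
	pub     *ecdsa.PublicKey
	pending map[string]bool
}
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key pair is generated on the device
	return &Authenticator{priv: priv}, err
}
func digest(b []byte) []byte { d := sha256.Sum256(b); return d[:] }
// Register is enrolment: the device hands over its public key, nothing secret. Call it before Challenge.
func (s *Server) Register(a *Authenticator) { s.pub, s.pending = &a.priv.PublicKey, map[string]bool{} }
// Challenge issues a fresh 32-byte random nonce for one login attempt.
func (s *Server) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand; its error is ignored here for brevity
	s.pending[string(c)] = true
	return c
}
// Sign answers a challenge; only the signature travels back to the service.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, digest(challenge))
}
// Verify checks the signature against the registered key and consumes the
// challenge first, so a captured answer cannot be replayed at a later login.
func (s *Server) Verify(challenge, sig []byte) error {
	if s.pub == nil || !s.pending[string(challenge)] {
		return errors.New("no registered key, or unknown / already-used challenge")
	}
	delete(s.pending, string(challenge))
	if !ecdsa.VerifyASN1(s.pub, digest(challenge), sig) {
		return errors.New("signature does not match registered key")
	}
	return nil
}
```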
Can we then envision a future in which we’ll authenticate without having to remember anything? Can we live without passwords?
Multifactor authentication
Living without passwords, or any other type of information to remember, is possible today. Doing so in a sufficiently secure manner, however, requires the implementation of the most fundamental principle of modern security: defence in depth.
Invented in the 17th century by a French military engineer named Vauban, this principle has protected stone castles, nuclear plants and computer networks. In terms of authentication, the implementation of this principle relies on three types of factors:
Type 1: Something we know, such as a password or PIN.
Type 2: Something we have, such as a door key or a blue card.
Type 3: Something we are, such as fingerprints or DNA.
Nowadays, an authentication mechanism is considered safe enough for public use if it relies on at least two factors from two distinct categories. The combination of a password and a temporary code sent by SMS is probably the best-known example.
However, while it is true that circumventing such a mechanism is not simple, it is essential for each factor to be secure “enough”. Codes sent by SMS are not secure because mobile phones can be spoofed, and badly chosen passwords are no good either, as discussed above.
Adding a Type 3 factor could prove to be a solution, and it is indeed the case in highly secure environments, but too cumbersome for the general public.
So, can we live without passwords, without compromising on security?
#Passw0rdsNoMore
A combination of Type 2 and Type 3 factors offers an authentication solution requiring no memorisation effort.
A concrete example of such a solution would be a FIDO-compatible digital key with an embedded biometric sensor. Such a device has just been put on the market.
Solutions therefore exist, but widespread adoption will not happen overnight.