The old security paradigms do not apply to the current age of digital innovation and development. Passwords are a huge part of this old paradigm and are directly responsible for over 80 per cent of all hacking-related breaches (according to Verizon’s annual data breach report). Hackers are actually having a field day going after passwords stored on servers or intercepting them in transit.
Technology companies and cybersecurity experts identified this glaring flaw of passwords a while back, and they have been pushing for passwordless sign-ins for a long time, with limited success. Things are finally changing in 2022.
Why Are Passwords Bad for Security?
To secure access online, humans have always relied on passwords. But passwords require creation and storage, which translates to two significant issues:
1.Users have to set strong passwords and remember them
2.Companies have to securely store them
Now, the problem with setting strong passwords is that they are hard to remember. So, you write them down somewhere or end up using the same password for multiple accounts. In a famous interview, Edward Snowden broke it down the best. He said it could take less than a second to deduce a common eight-character password.
“Maintaining different passwords across applications is indeed a modern-day problem which leads to users keeping the same passwords across different applications. This leads to data theft issues”, says Madhu Malhotra, Chief Technology Officer, Edelweiss General Insurance.
You might think that your password is secure since it’s over eight characters and complex in nature. But the truth is that hackers target servers all the time and acquire even the most complex of passwords stored in them. And you are always susceptible to forgetting passwords once you stop using a particular account for some time. This could send you on a witch hunt to retrieve passwords or down the “forgot password” rabbit hole.
“Passwords have been a huge friction in CX (Customer experience) for years and has caused significant business transaction abort – simply because users have forgotten the password. Move to passwordless is becoming a de facto standard, as more and more devices and applications are fast adopting it”, affirms Sathish N, Chief Product Officer, Zaggle.
In simple terms: passwords are hard for us to remember and easy for hackers to guess or access. Getting rid of them can secure personal and business data worldwide. The world’s biggest companies, including Apple, Google, and Microsoft, know this, and they are now expanding their support to passwordless sign-ins to cut the cybersecurity risks around passwords.
Passwordless – The Solution
In the tech circles, password-only authentication has long been talked about as one of the biggest security threats online. Password managers and two-factor authentication have helped in some ways to mitigate the threats over the years, but now there is an industry-wide collaboration that’s looking to create sign-in technology that’s easier to use and secure.
FIDO, an open industry association, solely created to rid the world of its over-reliance on passwords, has done a lot of work to push the envelope of passwordless sign-ins. In fact, the world’s greatest companies, including Apple, Google, Microsoft, Meta, Lenovo, Samsung, Visa, and more, are working together as FIDO members to make passwords a thing of the past.
“Interestingly, End of Passwords features among the 10 breakthrough technologies of 2022 in MIT technology review. FIDO alliance has been extensively working to reduce reliance on passwords backed by leading technology players”, shares Sathish N, Chief Product Officer, Zaggle.
We got a glimpse of what is to come in the passwordless world during the Apple WWDC 2022 keynote when Darin Adler (VP, Internet Technologies at Apple) presented the segment on ‘passkeys’. Describing it as the future in the password-free world, he spoke about this new way of authentication that uses powerful cryptography to keep accounts safe.
Users will be able to create passkeys on Apple devices through Touch ID or Face ID to authenticate. When this passkey is made, a unique digital key is created for a particular website or app. This digital key can be used to access your account online through biometrics or Face ID in a single click, which removes the possibility of phishing attacks as hackers cannot fool you into sharing them on fake websites. The digital key never leaves your device, ensuring end-to-end encryption.
But what if you wanted to access an app or website on your friend’s PC? For this, you would have to simply enter your username on the website/app, and then you will be asked to scan the QR code through your iPhone, and you will be let in. Since you did not have to enter a password that was stored on a server, there is no chance of interception or sourcing your password by hacking a server.
Passkeys are a direct result of many leading companies working together with FIDO to usher in a passwordless future. Apple is the first to implement it on its devices, and its users will soon be privy to passkeys as soon as iOS16 and macOS Ventura make their way to iPhones and Macs. But passkeys will soon become a standard as more companies introduce this concept to their own devices, rendering passwords defunct soon.
Passwordless sign-in has also begun to take off in India as companies are exploring ways to make the customer experience seamless and secure. “We recognize the significance of this new ‘passwordless sign-in’ approach being adopted. This user-friendly approach will provide users with simple and superfast sign-ins. There will be no need to remember multiple passwords for multiple accounts,” says Manish Rathi, Co-founder and CEO, IntrCity.
Pitching in on alternative ways of a pursuing a passwordless future, Madhu Malhotra, Chief Technology Officer, Edelweiss General Insurance, opines, “As the industry looks to secure and standardise the way user logins and registrations are done through single sign-on platforms, it might even be a good idea to emulate the way telecom networks are doing it – an auto sign-in process, where users and devices are equally authenticated without any manual inputs from the users themselves”.
“This authentication is secured through encryptions, authentication algorithms and is standardised. Here both the user and the network service provider work seamlessly together to authenticate and register the users while preventing phishing frauds”, she adds.
Password alternatives or passkeys, industry and experts across the board are all for a passwordless future and the benefits that it will bring. Considering Apple’s major push for it this year, it is highly likely that other major platforms will soon transition to FIDO-based passwordless systems for sign-ins.