Could 2023 be the last year for traditional passwords?
As the threat of data breaches and identity theft continues to grow, it is more important than ever to ensure that your passwords are secure and unique. Unfortunately, passwords are hard to remember and even harder to manage. They are also exposed to several kinds of attack, such as brute force, social engineering and phishing, or they are simply stolen in a data breach, as we reported last week on Deezer's data breach, which makes them an unreliable form of authentication. That is why it is time to move beyond passwords and look at alternatives that overcome these flaws, something that will hopefully be more widely adopted throughout 2023.
You've probably heard of the FIDO Alliance (Fast IDentity Online) at some point: a non-profit organization founded in 2013 with more than 250 members, including Google, Microsoft, PayPal and security key manufacturers such as Yubico, among many others. Its goal is essentially to develop and promote open standards for passwordless authentication, a form of multi-factor authentication (MFA). FIDO standards include the UAF (Universal Authenticator Protocol) and U2F (Universal Second Factor) protocols, which cover methods such as fingerprints, voice recognition and other biometrics, magic links, and physical security tokens that generate unique codes that are very difficult to intercept.
According to the FIDO Alliance, a passwordless system is based on asymmetric (public key) cryptography, similar to that used for digital signatures. The user has two keys, one public and one private, which are used to authenticate with the service. The private key is stored securely on the device, together with the identifiers needed to know which service it belongs to. It is only accessible when the user presents the security mechanism chosen during registration: a PIN code, biometrics such as a fingerprint or facial recognition, a physical token, or another of the methods mentioned in the previous paragraph. The public key is sent to the server and linked to the user's account. From then on, access to the service uses the private key generated during registration. The user tells the service they want to authenticate, and the server responds with randomly generated data (a challenge). On receiving it, the user unlocks the private key with the chosen security mechanism (fingerprint, face, PIN, etc.) and signs the data with it. The signature is sent back to the server, which verifies it against the public key stored at registration and, if it is correct, grants the user access to the system.
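The registration and challenge-signature flow described above, reduced to its core in Go with Ed25519, as an added example that is not code from the article or from the FIDO Alliance; the server, device, user and service names are constructed for the example, and the local unlock (PIN or biometric) is represented by a boolean rather than a real check:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// signedData binds the signature to the service that issued the challenge, not only to the random bytes.
func signedData(serviceID string, challenge []byte) []byte { return append([]byte(serviceID+"|"), challenge...) }

// Server holds only public keys (a constructed in-memory map) plus one outstanding challenge per user.
type Server struct {
	ServiceID string
	pubKeys   map[string]ed25519.PublicKey
	pending   map[string][]byte
}
func NewServer(id string) *Server { return &Server{id, map[string]ed25519.PublicKey{}, map[string][]byte{}} }
// Register links the public key from enrolment to the account; the private key never reaches the server.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }
// Challenge issues 32 fresh random bytes for one login attempt and remembers them for Verify.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { return nil, err }
	s.pending[user] = c
	return c, nil
}
// Verify checks the signature with the stored public key and consumes the challenge, so a replay fails.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, c := s.pubKeys[user], s.pending[user]
	delete(s.pending, user)
	return pub != nil && c != nil && ed25519.Verify(pub, signedData(s.ServiceID, c), sig)
}

// Device maps each service to its own private key; unlocked stands in for the PIN or biometric check.
type Device map[string]ed25519.PrivateKey
// Enroll generates the key pair for a service and returns the public half for registration.
func (d Device) Enroll(serviceID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	d[serviceID] = priv
	return pub, nil
}
// Sign signs the challenge for the named service; it refuses while locked or without a key for that service.
func (d Device) Sign(serviceID string, challenge []byte, unlocked bool) ([]byte, error) {
	priv, ok := d[serviceID]
	if !ok || !unlocked {
		return nil, errors.New("device locked or no key for this service")
	}
	return ed25519.Sign(priv, signedData(serviceID, challenge)), nil
}
```

Because the signed data includes the service identifier, a signature produced for one service does not verify at another even if the public key and challenge bytes are identical, and because each challenge is consumed on verification, a captured signature cannot be replayed.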
Among the clearest and most obvious benefits of these authentication methods, we find:
- Passwords will no longer be the only way to access systems, as a more secure option, the public and private key pair, becomes available.
- The main methods used by cybercriminals, such as phishing, brute force attacks and attacks against weak passwords, will stop working.
- To fraudulently access a system, cybercriminals must be in possession of the device, since the private key is stored on it, as well as of the method chosen to unlock it. This makes fraudulent access to the system extremely difficult.
- Users will not have to remember complex passwords, since biometric methods give them access to their private key and therefore to their account.
- The workflow will be much more agile, since on many occasions users will not have to enter any data: something they have, such as their fingerprint, will be enough to access the system.
- Although in terms of security its use may be similar to the well-known two-factor authentication, passwordless allows simpler, more efficient and more secure management of the systems that implement it.
As you probably know, saying goodbye to passwords is nothing new, and many users are already familiar with this paradigm. Most current mobile devices have components that allow them to be unlocked through biometrics such as fingerprint or facial recognition, offering a more fluid user experience. In addition, new standards such as FIDO2 and passkeys are making it possible to integrate passwordless authentication into multiple environments and devices, as Google has already done with Android and Microsoft since Windows 10. We have also seen many well-known password manager services, such as LastPass, 1Password, NordPass and Bitwarden, offer passwordless solutions so that their users can migrate to these authentication methods and say goodbye once and for all to traditional passwords. Hopefully, we will be able to say that 2023 was the year the passwordless era truly began.