Passwords are still the most used method of authentication, but they are losing ground
October 28, 2022
Over the years, attempts have been made to replace passwords with other authentication methods that are simpler, though not necessarily more secure, depending on the case. Here we find large corporations such as Google, Apple and Microsoft, which are trying to replace passwords with fingerprints, faces, irises, blood vessels in the hand, USB keys and now also access keys. However, the transition has been relatively slow, so passwords are still widely used today, although they are gradually losing ground.
In recent years, we've seen technologies like Windows Hello, Face ID, and Touch ID marketed as more secure than traditional passwords, but the reality is that many (including yours truly) believe they only provide convenience unless reinforced by at least one other authentication method.
Biometric authentication methods can be secure… if you harden them
With fingerprints, retrieving one is as simple as stealing a smartphone and starting an investigation, because the user left their print on the same device. Using something you leave everywhere as an authentication method is not exactly the smartest idea.
The face is not so easy to get, but these days even cheap smartphones can take very high quality photos, so one would always have to avoid cameras to keep it from being replicated in any way. And that is without mentioning video platforms, which, if users show their faces, are another source of information for malicious actors. A similar situation applies to the iris, which can also be replicated from images; that is not the case with the retina, unless one is mistaken.
The situation of the blood vessels of the hand is a little better as a means of biometric authentication. Although not perfect, replication requires such powerful means that the user would have to be kidnapped to get all the necessary data under pressure, because starting from material obtained from social networks and video platforms it is impossible to replicate a part of the hand that is not in sight.
Much better are keys in hardware format. For example, the YubiKey 5 NFC key is compatible with all major encryption algorithms, including RSA 4096, ECC p256, and ECC p384, and supports Windows, macOS, Linux, Android, and iOS, so it offers powerful cross-platform support. Keys are responsible for providing secure authentication that is resilient against the dreaded phishing attacks. While it is true that web browsers try to help detect phishing, they are not always successful, and it is better to assume that malicious actors are always two steps ahead.
And lately access keys, or passkeys, have been making an appearance; these are actually different schemes for storing authentication information in hardware. They should be easy to use and resistant to phishing and other similar methods of stealing user accounts. Based on FIDO Alliance and W3C standards, they replace typical passwords with cryptographic key pairs, improving security while speeding up authentication. For example, in the Apple ecosystem, they can be used together with Face ID or Touch ID (which is why we mention the combination of authentication methods with other methods) to ensure secure access without a password.
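How the phishing resistance described above for hardware keys and access keys works, as an added example that is not part of the original article: a simplified WebAuthn-style sign-in in Node.js, where the browser writes the real origin into the signed data and the site checks it. The `bank.example` names, the look-alike origin and all function names are constructed for illustration.

```javascript
// Added example: simplified WebAuthn-style sign-in (no CBOR, no attestation).
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Authenticator: a key pair created for one site; the site stores only publicKey.
function createPasskey() {
  return nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // P-256
}

// Browser + authenticator. The browser, not the page, writes the origin it is on.
// Worst case modelled: the authenticator signs even on a look-alike origin.
function signIn(privateKey, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin,
  }));
  // authenticatorData: SHA-256(RP ID) | flags (0x01 = user present) | 4-byte counter
  const rpIdHash = sha256(new URL(origin).hostname);
  const authData = Buffer.concat([rpIdHash, Buffer.from([0x01]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: nodeCrypto.sign('sha256', signed, privateKey) };
}

// Relying party (the real site): every check must pass before access is granted.
function verifyAssertion(expected, publicKey, { clientDataJSON, authData, signature }) {
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'bad-challenge';
  if (client.origin !== expected.origin) return 'bad-origin';
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'bad-rp-id';
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const expected = { origin: 'https://bank.example', rpId: 'bank.example',
                     challenge: nodeCrypto.randomBytes(32) };
  const { publicKey, privateKey } = createPasskey();
  const genuine = signIn(privateKey, expected.origin, expected.challenge);
  const relayed = signIn(privateKey, 'https://bank.example.login.test', expected.challenge);
  // The relayed response with origin and RP ID hash rewritten after signing.
  const tampered = { ...relayed,
    clientDataJSON: Buffer.from(relayed.clientDataJSON.toString().replace('.login.test', '')),
    authData: Buffer.concat([sha256(expected.rpId), relayed.authData.subarray(32)]) };
  return Object.fromEntries(Object.entries({ genuine, relayed, tampered })
    .map(([name, a]) => [name, verifyAssertion(expected, publicKey, a)]));
}
console.log(demo());
```

A typed password works equally well on the look-alike page; here the response produced there is rejected as `bad-origin`, and rewriting it afterwards breaks the signature.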
As we can see, the new authentication methods mix really questionable solutions with others that offer a competent framework. This will probably end up confusing very basic users, who may end up lumping them all together. In these situations it is logical to judge by the lowest rung, so the overall perception of the group would lean towards the negative.
Passwords are losing ground, but they are still holding on
The lack of knowledge and the complex situation surrounding modern authentication methods may be the reasons why passwords remain the main way of accessing systems and services. The prevalence of passwords is something the FIDO Alliance reflected after a survey of 10,000 consumers from the United Kingdom, France, Germany, the United States, Singapore, Japan, South Korea, India and China.
Delving into the survey data, 51% of users have logged into their online bank using a password in the last 60 days, while 28% used a one-time password (OTP) sent to a mobile device and 14% used a password manager. Other methods were Microsoft and Google authentication apps, keys like YubiKey and Google Titan, QR codes, browser autofill, and staying logged in.
Despite the fact that passwords clearly dominate the others, the reality shows quite a diverse landscape, with password use down 5% for financial services, 7% for work-related accounts, 8% for social networks and 9% for smart home devices ("smart" home devices are another treat for malicious actors).
The FIDO Alliance insists on the dangers of passwords, saying that, for example, "70% of people had to reset their password at least once in a given month". It is perhaps important to highlight here how this affects retailers and service providers, as 59% of users have given up accessing an online service in a given month and 43% stopped shopping because they couldn't remember their password.
One-time passwords sound like a good thing, but the reality is that it depends on how they are used. If you want to be secure, the right approach is to support this method in an application, but SMS is still widely used today, even though it has for many years been considered an insecure medium because of the possibilities it offers for manipulation from many fronts, including the phone service provider. One-time passwords sent via SMS are still used in financial services, workplace accounts, social networks, video platforms and more.
The results of the survey are not the best from the point of view of the FIDO Alliance, but among so much "darkness" it is possible to find that 39% of respondents were very or somewhat familiar with the idea of access keys, which, as we've already said, aim to offer a much more secure and simpler method of authentication than passwords.
A future without passwords is possible, but not so fast
As we can see, passwords are still the most used authentication method, but if the current trend continues, they will soon fall below 50%.
Although some modern authentication methods have obvious advantages over passwords, their problem may be that they have coexisted with other systems that are laughable, which can make it difficult for them to convince those who are still stuck on passwords as the only method.
Alice Smith is a seasoned journalist and writer for Div Bracket. She has a keen sense of what’s important and is always on top of the latest trends. Alice provides in-depth coverage of the most talked-about news stories, delivering insightful and thought-provoking articles that keep her readers informed and engaged.