Why do we still have to live with passwords?
Many modern security solutions have appeared, but passwords are still the most commonly used data protection method.
After years of existence, passwords have shown irreparable weaknesses. Having to memorize each character causes many people to use the same password for multiple sites, choose passwords that are easy to guess, or both. That creates an opportunity for hackers to break into accounts and steal data.
Over the years, many solutions that are more secure and convenient than passwords have appeared, including face or fingerprint scanning on smartphones or laptops. Biometric data is stored and secured on the device, not on the website's server. Some devices, like the YubiKey, allow authentication by plugging into a USB port on the computer.
The above solutions were created to replace passwords. However, completely eliminating the decades-old security method is not easy.
The reason the password has not been erased
"The evolution (of security technologies) has been enough to transition from nascent to mass adoption. They have a strong support base, are compatible with many popular systems, and are familiar with In the past, we didn't even know how to get rid of the password. While it might take time, now everyone knows what to do," said Mark Risher, Managing Director of Security Platform and Google identity.
At the end of June, Microsoft introduced Windows 11 with deep integration of passwordless sign-in solutions, using PIN or biometrics. Earlier, Apple said that iOS 15 and macOS 12 operating systems will add a Passkeys option in iCloud Keychain, towards using biometrics and PINs to log in to more websites. Google also shared how to manage passwords securely and plans to get rid of them.
Despite the efforts of technology companies, two challenges keep passwords from disappearing easily. First, despite their poor security, passwords are still widely used. In other words, it's not easy to give up a habit formed over decades.
"A behavior learned over a long period of time: the first is to set a password. Dependence on poor security is the main problem. Our goal is to break that dependency," said Andrew Shikiar, CEO of FIDO Alliance, the association of authentication standards that replace shared passwords.
However, it is a difficult journey. FIDO's testing shows that organizations that don't use passwords have a hard time attracting users. Since then, FIDO has developed a framework to guide the user experience when removing passwords.
The second challenge is more complicated. Even if accepted by users, most passwordless solutions only work on new devices, requiring a smartphone and at least one other technology device. In fact, many people use a device regularly without upgrading for a long time, even using a basic phone.
While passwordless standards are increasingly mature and work seamlessly with each other, the backup options for restoring access are not. Some systems require answering a security question or entering a PIN for backup, which is actually a password in a different form. The solution is to use a previously authenticated device to confirm that the new device is trusted.
"Let's say you leave your phone in a taxi but have a laptop at home. You buy a new phone and use the laptop itself to activate it. If someone picks up the old phone, the information inside is still protected." said.
The above backup method is much easier than remembering a PIN code or writing a security answer down on paper. However, not everyone has multiple devices to use this method.
We still live with the password
To live with passwords while remaining secure, many people choose password management tools like 1Password. However, the app itself already supports biometrics to authenticate users before autofilling passwords on websites.
Of course, biometric security also carries risks. Akshay Bhargava, Product Manager of 1Password, believes that a user's fingerprint or facial data can be stolen by bad guys and used to impersonate the victim. While a user can change a password, a face, finger or voice cannot be changed.
It will take more time and more experimentation to perfect the passwordless ecosystem, especially in terms of synchronization and universality. Security is also a concern because when you save too much sensitive information on your phone, hackers will be more motivated to break into it.
To use secure passwords before adopting a new solution, Wired recommends that users set strong and non-repeating passwords, use password management services, and experiment with biometric solutions where possible.