It’s World Password Day on 2 May, but even the good folks who organise it recognise that there’s a problem. Their #LayerUp pledge encourages people to add an extra layer of security to their logins by enabling multi-factor authentication. So if we can’t rely on passwords alone to keep us safe online, why are we still using them?
The problems with passwords
We’re all familiar with the supposed rules for good password practice. But most of us slip into bad habits.
Perhaps one reason guidance is so hard to follow is that it's inconsistent. Many authorities still recommend changing passwords every 90 days or so, and many systems force us to include particular mixes of letters, numbers and special characters to meet complexity requirements. Yet the UK National Cyber Security Centre advises against both practices in its current password guidance: forced rotation pushes people towards predictable variations of the same password, and complexity rules produce passwords that are hard for humans to remember but easy for cracking tools to guess.
The cost of password maintenance
Aside from the personal effort of maintaining dozens of secure passwords across your various online logins, there's an organisational cost. Most IT departments will tell you that the number one ticket they handle is resetting people's forgotten passwords. Forcing people to change passwords frequently adds to that cost: they often don't do it, or forget the new one, and end up needing someone in IT to reset it manually anyway.
Passwords are valuable to us, which means they're also valuable to thieves. Stealing one gives them access to your money, your personal data – even your identity. They can use it themselves right away, hold onto it and watch what you’re doing to plan a bigger haul, or sell it on the dark web to make a quick profit.
The final nail in the password coffin may be that the ones in circulation are just too weak. According to Verizon's annual Data Breach Investigations Report, 81 percent of hacking-related breaches involved stolen or weak passwords, which suggests we're doing something wrong.
Password-less could soon be a reality
Making passwords work means finding a way to fix users. A better solution seems to be fixing the system, and the goal of a password-less future just got a little bit closer. In March 2019, the World Wide Web Consortium (W3C) announced that Web Authentication (WebAuthn) is now an official web standard.
WebAuthn is the browser-facing half of the FIDO Alliance's FIDO2 project: an API that lets a website ask the browser to create or use a public-key credential instead of a password. The user confirms the login locally with a fingerprint, a PIN or another gesture, and the credential can live on an external device such as a security key or on a platform authenticator built into the device, such as the Trusted Platform Module (TPM) chip. It already works on Android and Windows 10 systems, and is supported in the Google Chrome, Mozilla Firefox, and Microsoft Edge browsers.
WebAuthn is secure, convenient, and on its way
Under WebAuthn, the secret that logs you into a site never leaves your device, so there is nothing for a phishing page or a breached database to steal. When you register, you verify yourself locally (with a fingerprint, say) and your device creates a key pair for that site. It keeps the private key and sends only the public key to the site. Next time you log in, the site sends a fresh random challenge; you touch the sensor, your device signs the challenge with the private key, and the site checks the signature against the public key it stored. Your fingerprint itself is never sent anywhere, and an intercepted signature is useless to an attacker because the next challenge will be different.
While the full scope of WebAuthn is much broader, it is commonly reported as a way to log into web services using a fingerprint instead of a password. It's already implemented on popular sites like Dropbox, Facebook, GitHub, Salesforce, Stripe, and Twitter, and its approval as a W3C standard should help it spread to smaller sites and services.
As well as being convenient for users, this is good news for small businesses. While passwords won't disappear overnight, WebAuthn promises improved security and an end to the headaches and risks of password-based authentication. It could be the end of credential theft as we know it. And because a separate key pair is created for every site, a key that leaks from one service cannot be reused on another, so the damage from any single theft is contained.
Want to find out how multi-factor authentication would work at your small businesses? You can test out the technology with a free trial of Duo here.
And visit our dedicated page for more security advice for small businesses.
** alt title **
World Password Day is right: the future of cyber security is password-free
Find out why passwords are broken and why WebAuthn could be the solution the world needs to replace them.