For something that’s supposed to ensure security and provide peace of mind, the modern password seems to have a lot of problems.
In fact, according to Computer Weekly, between all of the profiles that the average individual has nowadays, it’s not uncommon to need up to 50 passwords. This is backed up by analyst Emma Johnson’s advice on shopping safely online, which is to create a different password for each site that you shop with.
To put it succinctly, I call upon Forbes contributor, Tom Kemp, for the words that he wrote seven years ago:
If you factor in the growth in the number of usernames and passwords that existing Internet users have with the huge projected growth in new Internet users, the likely damage caused by lost and stolen passwords may very well follow “Moore’s Law” of doubling every few years. We need to step up and admit that we have a password problem.
Kemp is right. We do have a password problem, and it’s only grown in recent years.
The Problem With Passwords
There’s not just one problem that we have with passwords — there are a few. For one, passwords are hard to remember, even though they’re not that secure. This popular comic on XKCD illustrates the point perfectly, showing how most passwords are easy for computers to guess and hard for humans to remember.
They’re not that hard for criminals to obtain either. DeVry’s blog lists “hacked accounts” as one of the top five cybersecurity threats that could affect your life. This is due to scams such as phishing.
“In this practice, fraudsters create an email that looks like it was issued from a legitimate company,” write DeVry’s experts. “They will ask for a recipient’s personal information – like an account number or a password – and then use that information to commit financial crimes, such as opening fraudulent charge cards in a consumer’s name and running up big bills on them.”
Passwords are so insecure nowadays, and cybersecurity has reached such a critical point, that the world’s first global initiative against data breaches was just recently rolled out. The General Data Protection Regulation (GDPR) “applies to the prevention of data leaks by all enterprises that either do business within the European Union or from outside with an EU company,” writes Michael Nuncic with Ontrack.
The problem with passwords is that they simply aren’t strong enough to keep our gates secure anymore. So what’s the next step? How do we keep ourselves secure in cyberspace?
The solution: Get rid of passwords altogether
Enter Web Authentication
On April 10th, 2018, the World Wide Web Consortium (W3C) and FIDO Alliance announced that WebAuthn (“Web Authentication”) was promoted to the Candidate Recommendation stage, which represents the final stage in the Web standards process.
This spec is meant to be the password-killer that will allow us to rest a little more safely. Writing for Ars Technica, Peter Bright explains that WebAuthn is a specification that allows browsers to expose hardware authentication devices — USB, Bluetooth, or NFC — to sites on the Web.
Wired even reports that Selena Deckelmann, senior director of engineering for Mozilla Firefox, has called WebAuthn “probably the most effective anti-phishing measure for the web that’s out there.”
“With WebAuthn-enabled browsers and sites, users can sign in using both integrated biometric hardware (such as the fingerprint and facial-recognition systems that are widely deployed) and external authentication systems such as the popular YubiKey USB hardware,” writes Bright. “With WebAuthn, no user credentials ever leave the browser and no passwords are used, providing strong protection against phishing, man-in-the-middle attacks, and replay attacks.”
So this is essentially a way for you to log into Facebook or Twitter using a physical key, such as a USB device, or biometrics like fingerprints.
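The phishing and replay protection Bright describes rests on two fields the browser writes into the signed `clientDataJSON`: the origin of the page that asked for the login and a one-time server challenge. The sketch below is an added example, not code from the article or the W3C spec; it shows only the server-side checks on those fields and assumes the authenticator's signature over the data is verified separately. The origin, challenge values and function names are constructed for illustration.

```javascript
// Added illustration: relying-party checks on WebAuthn clientDataJSON.
// EXPECTED_ORIGIN, the challenges and all helper names are constructed.
const EXPECTED_ORIGIN = "https://example.com";

// Challenges the server has issued and not yet seen back (single use).
const pendingChallenges = new Set();

function issueChallenge(challengeB64url) {
  // A real server generates at least 16 random bytes per login attempt;
  // a fixed value is passed in here so the example is reproducible.
  pendingChallenges.add(challengeB64url);
  return challengeB64url;
}

// Stand-in for the browser: it, not the page, records the page's origin.
function browserClientData(challenge, pageOrigin) {
  const json = JSON.stringify({ type: "webauthn.get", challenge, origin: pageOrigin });
  return Buffer.from(json, "utf8");
}

// Returns "ok" or the reason the login assertion must be rejected.
function checkClientData(clientDataJSON) {
  let data;
  try {
    data = JSON.parse(clientDataJSON.toString("utf8"));
  } catch {
    return "malformed clientDataJSON";
  }
  // Consume the challenge on every attempt so it can never be used twice.
  const wasPending = pendingChallenges.delete(data.challenge);
  if (data.type !== "webauthn.get") return "wrong ceremony type";
  if (data.origin !== EXPECTED_ORIGIN) return "origin mismatch";
  if (!wasPending) return "unknown or replayed challenge";
  return "ok";
}

function demo() {
  const results = {};
  const c1 = issueChallenge("Y29uc3RydWN0ZWQtY2hhbGxlbmdlLTE");
  const genuine = browserClientData(c1, "https://example.com");
  results.genuine = checkClientData(genuine);
  results.replayed = checkClientData(genuine); // same bytes sent a second time
  const c2 = issueChallenge("Y29uc3RydWN0ZWQtY2hhbGxlbmdlLTI");
  // A look-alike site relays a valid challenge, but the browser reports its real origin.
  results.phished = checkClientData(browserClientData(c2, "https://examp1e.com"));
  return results;
}

console.log(demo());
```

Because the authenticator signs a hash of these bytes, a phishing page cannot rewrite the origin field without invalidating the signature.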
While this represents a huge step forward in terms of security, we should be careful not to rest on our laurels. Biometrics are great, but they aren’t necessarily as secure as we play them up to be. In fact, they may pose greater consequences if hacked than normal passwords — at least you can change a password. Your fingerprint, if hacked, can’t be changed.
Nevertheless, WebAuthn presents a great new way to implement security on the web and a correct step toward a safe cyber-landscape.