Why passwords can be a thing of the past – Times of India

Smartphones are ubiquitous these days and so are apps and the multitude of things they bring with them. For every app – except for a few – you need a password. Actually there are just too many passwords in people’s lives. If passwords alone weren’t enough to infuriate you, there’s this whole concept of storing ‘difficult’ passwords – some need a capital letter, some need a special character, some need a number – and you really start to wonder about the whole password threat. Is a passwordless world possible? Apple, Google, Microsoft, IBM and many others seem to think so.


How does a world without a password work?

FIDO Alliance is an open industry alliance that went public in 2013. The idea was to reduce the world’s over-reliance on passwords. FIDO Alliance has been working towards a world without passwords for almost 10 years, and it is closer to reality now. Andrew Shikiar, Executive Director of FIDO Alliance, explains how a passwordless world will work.
It all starts with FIDO credentials – or cryptographic keys – which are stored on laptops, phones and other devices and can be used for secure authentication. When a FIDO credential is automatically synced from the device it was originally created on (usually a phone or computer) to another of the user’s devices, it’s called a “multi-device credential.”
This new functionality builds on the previous capability for “single device credentials”, a FIDO credential that is only available on a single device and cannot be backed up and restored in this way. “This latest advancement is important in moving towards more ubiquitous passwordless solutions, as it allows users to transfer credentials between devices,” explains Shikiar.
In layman’s terms, it will be very similar to using a password manager that helps the user to log in. However, the level of security is better than even traditional two-factor authentication, all without the need for additional steps or devices during authentication.


Just like password managers do with passwords, it relies on the OS platform to sync the cryptographic keys associated with a FIDO credential from device to device.
Apple, Google and Microsoft – the world’s largest platform providers – have confirmed their commitment to supporting these passwordless login standards. “The road to eliminating passwords can be a long one, but this is a critical step to make it a reality for both consumers and businesses,” said Shikiar.
With all the leading platforms joining forces, Vishal Kamat, director of IBM Security, IBM India Software Labs, believes the opportunity is huge “for solution developers to integrate security into the fabric of their solutions while delivering a consistent consumer experience across the business application landscape.”
Sampath Srinivas, PM Director, Secure Authentication, Google and President, FIDO Alliance, gives more details in a blog post on how it will work on the phone. The phone stores a FIDO credential, called a passkey, which is used to unlock your online account. “The password makes logging in much more secure as it is based on public key cryptography and is only shown to your online account when you unlock your phone,” notes Srinivas.
If you sign in to a computer, you will need to access the phone as you will be prompted to unlock it to gain access. However, this will be a one-off, explains Srinivas. “Even if you lose your phone, your passkeys will be securely synced to your new phone from the cloud backup, so you can pick up where your old device left off,” adds Srinivas.
Shikiar of FIDO Alliance says the three fundamental benefits of a passwordless world are that logging in becomes easier for the user, is phishing-resistant and offers a more robust system. It’s no surprise that people forget passwords – it could be for an Uber account you haven’t booked with in months or an old email address you want to use. The problem is that if they are old accounts, you would not remember the backup email ID or phone numbers. As long as they have a phone, a user can log in because there is nothing to forget.
For service providers, this requires some updates to their authentication and identity systems to enable the FIDO capabilities.
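
The public-key sign-in and the phishing resistance described above, as a simplified model (an added example, not code from the article, FIDO Alliance or any platform vendor). The origins, function names and JSON layout are assumptions made for illustration and are not the real WebAuthn message format.

```javascript
const crypto = require('node:crypto');

// Device side: one key pair per site; the private key never leaves the device.
function createCredential() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Device side: sign the server's challenge together with the origin the
// browser actually sees. The web page cannot choose this origin value.
function signAssertion(privateKey, challenge, browserOrigin) {
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

// Server side: holds only the public key and checks signature, challenge, origin.
function verifyAssertion(publicKey, expectedChallenge, expectedOrigin, assertion) {
  const sigOk = crypto.verify('sha256', Buffer.from(assertion.clientData),
                              publicKey, assertion.signature);
  if (!sigOk) return 'bad-signature';
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== expectedChallenge) return 'wrong-challenge';
  if (data.origin !== expectedOrigin) return 'wrong-origin';
  return 'ok';
}

function demo() {
  const SITE = 'https://shop.example';            // constructed relying party
  const LOOKALIKE = 'https://shop-login.example'; // constructed look-alike origin
  const { publicKey, privateKey } = createCredential();
  const challenge = crypto.randomBytes(32).toString('hex');
  const laterChallenge = crypto.randomBytes(32).toString('hex');

  const genuine = signAssertion(privateKey, challenge, SITE);
  // The user is on the look-alike page, which forwards the real challenge.
  const relayed = signAssertion(privateKey, challenge, LOOKALIKE);
  // Rewriting the origin afterwards invalidates the signature.
  const tampered = { clientData: relayed.clientData.replace(LOOKALIKE, SITE),
                     signature: relayed.signature };
  return {
    genuine: verifyAssertion(publicKey, challenge, SITE, genuine),
    relayed: verifyAssertion(publicKey, challenge, SITE, relayed),
    tampered: verifyAssertion(publicKey, challenge, SITE, tampered),
    replayed: verifyAssertion(publicKey, laterChallenge, SITE, genuine),
  };
}
```

Nothing the server stores can be used to sign in elsewhere, and a response captured on a look-alike origin or replayed against a later challenge is rejected.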


“Hundreds of technology companies and service providers from around the world have collaborated in recent years within the FIDO Alliance and W3C to create the passwordless login standards already supported on billions of devices and all modern web browsers,” said Shikiar.
“Passwords are quickly becoming obsolete and it’s really a matter of ‘when’ and not ‘if’ we will have a world without passwords,” says Kamat. It’s no secret that passwords – weak or stolen – are by far the leading cause of cyber attacks today, and as a result, passwords have become the weakest link in the cybersecurity chain.
Sundar Balasubramanian, managing director, India and SAARC, Check Point Software Technologies, believes that a passwordless scenario could become a reality as standards for a passwordless environment become more established and the number of passwordless advanced authentication techniques grows.
“Using distributed ledgers (i.e.: blockchain) to store digital identity information, making decisions about multi-attribute authentication using AI technologies such as risk-based authentication, and adopting Zero Trust frameworks for securing digital information are some of the trends that we expect to mature in the next 2-3 years,” says Kamat.


What will happen to user privacy and security in a passwordless world?

Shikiar believes that cybersecurity health will be dramatically improved without passwords. Passwords and second-factor authentication like OTPs and in-app push notifications are clunky and insecure. “They can be phished, and they are being widely phished these days,” he adds.


Balasubramanian, on the other hand, believes that passwordless authentication appears to be a secure and simple method, but that it comes with its own set of problems. Financing and migration can be counted among the most urgent of them. He goes on to explain that “malware, man-in-the-browser and other attacks are possible even with passwordless authentication. For example, cyber criminals can install a software patch to intercept one-time access codes (OTPs). They can even infect web browsers with Trojans to intercept shared data such as one-time access codes or magic links.” Furthermore, voice recordings and other biometric identifiers have also been duplicated by cyber criminals.
Kamat also sees a world without a password as an opportunity. “It is an opportunity to modernize our authentication systems by leveraging newer technologies that will improve the consumer experience and make our transactions more secure,” he explains.
Having support on everyday devices is critical, says Shikiar, who believes passwordless login needs to approach the ubiquity of passwords and SMS OTP. That is why he believes the commitment of Apple, Google and Microsoft is important. “Their deployment will also provide service providers with more diverse options for deploying modern, phishing-resistant authentication methods,” he adds.
“It is undeniably a huge step forward in secure authentication for the common user, who is unlikely to use the strongest passwords, but is statistically more likely to reuse them across sites and services,” Balasubramanian said.

