Using passwords to access computers, IT systems, devices and online accounts has been standard for more than 50 years! Most of us have no idea that it all started at MIT in 1961, to protect access to the Compatible Time-Sharing System (CTSS).
Only a year later, the system was hacked! One of the MIT researchers needed more than his allotted four hours on the CTSS, so he stole the passwords of other users.
One could say that passwords were insecure from the very beginning, but something was still needed to provide at least basic security for our accounts, so they stuck around.
The scope of the password problem
Nowadays, we use our emails or usernames in combination with passwords to access everything. And by doing so, without another form of protection, we are opening up our digital lives to outsiders.
To understand how insecure it is to use this combination as the only way to log into an account, just visit Have I Been Pwned. While you're there, check whether your credentials have been stolen, but even a quick glance at the total number of pwned emails should be enough to make you rethink your logins. Especially when you consider that a small mistake or a bug can expose the passwords of millions of users, as in Facebook's recently published mishap.
This month, we published a short video giving our view on just how insecure using e-mail and password for login is.
In a nutshell, using only a username/email and password will not actually protect you in the long run, especially if you are, as many do, reusing the same password in many places!
New trends are changing the landscape
Last week, Harry wrote about PSD2 and how it will influence the authentication space, first and foremost in banking and fintech in the European Union. But if its provisions prove useful, we will see it spread to other industries as well.
What I am referring to is Strong Customer Authentication (SCA) and its requirement to use two out of three types of authentication factors: something you know, something you possess, and something you are.
The password fits into the first type, but it is not the only item in that group. So, depending on what users want to use, they can rely on two factors that don't feature something they know at all.
For instance, they could use smartphone-based verification (something they have) and combine it with a fingerprint scan (something they are). Depending on the type of smartphone-based authentication, this can be smooth, fast and secure at the same time. Significantly better and more secure than the current method of combining email and password with SMS 2FA!
We need to adapt to user habits
Why does smooth authentication matter? Because users don't like bad UX. Actually, they hate it! So much so that they abandon their activities (e.g. shopping) mid-process because of too much friction.
And when asked about their authentication preferences, 70% of users chose methods that are easy to use, while only 45% preferred authentication that provides strong data security!
In light of that, the changes PSD2 is bringing to the market will not only secure bank and fintech customers, they will also motivate service providers to update their authentication options, especially during shopping, to ensure the process runs smoothly until the very end (a successful payment or other type of transaction).
The passwordless future is being tested
PSD2 may bring on the death of passwords, but it is not aimed at such a goal. Other projects are.
Google recently ran a pilot program to test passwordless registration and login using Google Accounts. It is a good effort, currently under development, but given the recent successful phishing attacks on Google Accounts protected with 2FA, this one might not be the best possible approach.
Microsoft announced moving on from passwords to their Authenticator app, but you will still need to type your password once to log into the app itself. It's a step in the right direction, but limited to the Microsoft app ecosystem.
There are hardware-token-based solutions replacing passwords, but you don't need more details to understand their limited usefulness. Nobody wants such UX unless there are very high security concerns that can't be addressed in any other way.
Embracing the future
IPification fits perfectly into this passwordless future.
Based on secure communication between an app or a website and the mobile operator's server, and on data only the operator knows about the user, IPification can be used as a single-factor authentication replacing email/password, as well as one of the factors whenever more than one is used.
And private user data will not be compromised in any way: it is sent neither from the app nor from the telco side. Only information about the device, the SIM card and similar attributes is checked against the operator's records to confirm identity!
We are not only ready for the passwordless future, but we are eager for it to happen soon. It will make the digital world more secure for all of us, and we want to play our part in it!