A future without passwords

When people describe their version of a dream come true, they narrow it down to purchasing that dazzling car, building a castle, gliding round the world, going to space and, in most cases, marrying their dream girl. That's for them, but what I would term my own dream come true is logging into my online platforms, each and all of them, without needing a password and still being safe. It's called a passwordless future. It is never in doubt that passwords are essential to online safety. That being true, passwords face numerous threats, which include but are not limited to poor passwords and phishing. The most herculean burden of passwords is the need to have a million passwords for your million online platforms, since it is never technically advisable to use one password for every login, as this may compromise you and bring you to data ruin. Remembering all these passwords is a dreary experience, and the process of password recovery is quite rigorous. To be sincere, I have left so many platforms because of my inability to recall the password after many months, and the recovery attempt was in vain. So if there is something I wish for more than a kid wishes for a Christmas gift from Santa, it is a future where passwords become irrelevant.

Tech developers spotted this password issue in the past, hence the introduction of things like face verification, thumb printing, 2-step verification and the password manager. But it would be a daylight bluff to say that these introductions have shown a way out of the strenuous hurdle that passwords subject Netizens to. Face recognition, for example, mostly works for unlocking hardware devices like your mobiles, tablets and PCs, and it has not been fully integrated into many online and social platforms as login verification. Secondly, face recognition only identifies a specific facial pattern, hence you must adjust your facial mood to the exact one you had when you first set it up. Sometimes, when you have had a very rough night and wake up at dawn, you may have a slightly disfigured face; other times the face might be swollen due to allergy or fever. At such times your device will not recognize your face login, hence you have to take Hobson's choice and “TYPE IN A PASSWORD”.

The same challenge goes with thumb-printing. As a matter of fact, thumb-printing happens to be my worst form of recognition because of the issue of sweaty palms; my devices can hardly recognize my thumb. Likewise, if you have a bandage or a cut on the thumb, your device bars you from access like a thief is barred from breaking into a house, and your very last option is to “TYPE IN A PASSWORD”.

Two-step verification is a form of Multifactor Authentication (MFA) that uses typing in a password as the starting point and then a non-password authentication as the second method. With 2-step verification the purpose is certainly defeated, because what we are striving for is a world without passwords, and how can that be achieved by first typing in a password?

The issues with passwords have become such a global concern that a day in the year is dedicated as World Password Day. If you were not aware of that, now I'm telling you: passwords have proven to be such a force to reckon with that every first Thursday in the month of May is dedicated to passwords.

Typically, employees of an organization are obligated to create complex and unique passwords, remember them, and change them frequently. They are expected to remember around 10 to 30 different sets of usernames and passwords to perform their tasks. Making matters worse is that they must deal with quite a few digital accounts in their personal life.

This, inevitably, has led to the reuse of the same weak passwords, sticky notes filled with passwords, and frequent reliance on the ‘forgot password’ function.  No wonder passwords have become a prime target for cyber attacks. According to a recent Verizon Data Breach Investigations Report, over 80% of data breaches are due to compromised passwords.

Research shows that twenty-three percent of surveyed users always use the same password, forty-two percent of users tend to write down their passwords, twenty percent of users routinely share their passwords, and fifty-six percent of employees reuse passwords across personal and corporate accounts.

Every effort aimed at eroding the concept of “TYPE IN A PASSWORD” will either begin with “PLEASE TYPE IN A PASSWORD” or end with “YOU NEED TO TYPE IN A PASSWORD”, leaving us with the biggest question to answer: will we ever do away with passwords completely?

WILL THERE EVER BE AN END TO PASSWORDS?

There have been mixed opinions about the total eradication of passwords: some show optimism, while others refer to it as a wild goose chase. Analysts have offered their opinions on this aching question. Mahdi predicted that time will surely bring about the erosion of passwords, aided by vendors such as Google and Microsoft making big investments in passwordless achievements.

Other people believe that the use of passwords will just diminish to the barest minimum but not be done away with altogether. But if we look at where technology is now, twenty years ago you would not have predicted what has been achieved in the present day. According to Ghazi, passwords will never be completely dead; even the use of an authenticator will need a PIN and a legacy system. Ryan, another analyst who spoke, agreed that the daily use of passwords will likely go away, but not passwords completely. “Maybe we will reach a maturity level where passwordless is the experience for the front end. In the back end, there will still be passwords so legacy tech can talk to each other,” according to Ryan.

AT PRESENT, HOW CLOSE ARE WE TO ACHIEVING THAT FUTURE WITHOUT PASSWORDS?

The closest we have come to the ultimate goal of a future requiring no passwords is the milestone achieved by FIDO. FIDO is short for Fast Identity Online. FIDO is an open industry alliance whose main objective is to enable the simplest and strongest form of authentication. This alliance was formed in the year 2012 and incorporates the biggest names in the tech industry, like Apple, Amazon, Intel, Lenovo, Visa, Google, Microsoft, Samsung and PayPal.

FIDO seeks to bring the vulnerable knowledge factor to extinction. It overturns the login process by making standard use of hardware devices such as security keys for authentication. MFA grants access based on the presentation of evidence in three categories: something you know (e.g. a password), something you possess (e.g. a hardware device) and something you are (e.g. a biometric).

These standards succeed in creating a unique framework that puts to flight the common attacks experienced by passwords, which include but are not limited to password reuse, phishing and Man In The Middle (MITM).

The FIDO2 standard is a masterpiece, as it enables passwordless authentication based on public key cryptography. Its specifications include WebAuthn and the Client to Authenticator Protocol (CTAP).

WebAuthn makes hacking almost impossible by enabling online services to use FIDO authentication through a standard web API which can be built into different platforms and browsers. FIDO2 is currently supported by browsers like Google Chrome, Mozilla Firefox, Microsoft Edge and Safari, and by the Windows 10 and Android platforms.

The working process of FIDO leverages stronger authentication made available through cryptographic login credentials that are unique across every website.

During a Netizen's registration with an online service, the user's device creates a new key pair. The private key is retained on the device while the public key is registered with the online platform. Authentication succeeds when the user proves possession of the private key to the service by using it to respond to a challenge the service sets. The private key can only be used once the user unlocks it locally on the device, whether by scanning a fingerprint, pressing a button, inserting a second-factor device or speaking into a microphone.
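The registration and challenge-response steps described above can be modelled in a few lines of Node.js. This is an added example, not code from the FIDO Alliance or from this article's author: the `Authenticator` and `Service` classes, the `payload` helper and the `.test` site names are assumptions made for illustration, and the signed message is a simplified stand-in for the real WebAuthn format.

```javascript
const crypto = require('node:crypto');
// Bytes that get signed: hash of the site identifier plus the server's challenge.
const payload = (rpId, challenge) =>
  Buffer.concat([crypto.createHash('sha256').update(rpId).digest(), challenge]);

// Simplified authenticator (phone or security key): one key pair per site.
class Authenticator {
  constructor() { this.privateKeys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.privateKeys.set(rpId, privateKey); // never leaves the device
    return publicKey;                       // only this half goes to the service
  }
  // Runs only after the local unlock (fingerprint, PIN, button), not modelled here.
  sign(rpId, challenge) {
    const key = this.privateKeys.get(rpId);
    return key ? crypto.sign('sha256', payload(rpId, challenge), key) : null;
  }
}

// Simplified online service: stores public keys, issues single-use challenges.
class Service {
  constructor(rpId) { this.rpId = rpId; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // a challenge is accepted once
    const publicKey = this.publicKeys.get(user);
    if (!challenge || !publicKey || !signature) return false;
    return crypto.verify('sha256', payload(this.rpId, challenge), publicKey, signature);
  }
}

function demo() {
  const phone = new Authenticator();
  const site = new Service('example.test'); // constructed site name
  site.enroll('alice', phone.register('example.test'));
  const signature = phone.sign('example.test', site.newChallenge('alice'));
  const login = site.verify('alice', signature);
  site.newChallenge('alice');
  const stale = site.verify('alice', signature);  // old signature, fresh challenge
  const lookAlike = phone.sign('examp1e.test', crypto.randomBytes(32)); // no key for this name
  return { login, stale, lookAlike };
}
```

The service never holds a secret that could be stolen and reused: a captured signature fails against the next challenge, and the authenticator has nothing to sign with for a look-alike site name.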

When you sign into a website or app on your phone, you will simply unlock your phone — your account won’t need a password anymore.

Instead, your phone will store a FIDO credential called a passkey which is used to unlock your online account. The passkey makes signing in far more secure, as it’s based on public key cryptography and is only shown to your online account when you unlock your phone.

To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access. Once you’ve done this, you won’t need your phone again and you can sign in by just unlocking your computer. Even if you lose your phone, your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off.

Although the FIDO concept is considered an extraordinary invention in security, most people still find it difficult to comprehend.

Many organizations have shown little interest in dumping the passwords they are familiar with and taking on security keys that need to be set up and registered. Only a small percentage of customers are pursuing FIDO technology, but with current analysis showing that over 50% of businesses worldwide are facing the need for stronger authentication, it is likely that they will give in and adopt FIDO authentication. The World Wide Web Consortium has paved the way for greater use of browser-based authentication, and this speaks well for the future worldwide implementation of FIDO tech.

The passkey is no doubt likely to bring us to less than a step away from the passwordless future that has been mapped out for over a decade.

What the passkey and the future hold calls for excitement. It is necessary to understand, though, that it will still take time for this technology to be available on everyone's devices and for website and app developers to take advantage of it. Passwords will, in the meantime, continue to be part of our lives as we gradually make this transition.

Despite the numerous advantages that passwordless authentication brings, which include improved user experience, no more need to worry about password creation, protection against brute force attacks, a stronger cyber security posture and reduced cost in the long run, the biggest challenge it will face remains acceptance.

Users will still be hesitant to trust passwordless technology. Since the introduction of the password concept in the year 1960, it has become a fundamental means of authentication and security over the years. Most of us have even set up autofill (auto-login) password functionality for our email accounts, applications and websites. Some of us use password managers to set up and manage tons of complex passwords without the slightest hassle of having to remember them.

These passwordless authentication processes, though easy and convenient, are also less familiar than traditional password-based security, which can at times be scary. And since some passwordless authentication methods involve supplying a new OTP or PIN every time, some people might be resistant to the change.

In an organizational setup, autofill passwords provide ease to employees when they have to access a large number of applications, resources and software every day. OTPs and scanning can be annoying at times.

That being said, the best we can do is to observe and remain optimistic until this process of passwordless authentication is completed, as it is presently undergoing phases of testing and trials. Modifications might be made to make it simpler than imagined, safer than expected and more accessible than envisaged. Until then, I really want to ease up on the use of passwords, as they have caused me a whole lot of trouble in the recent past.

We would like to get your feedback on the above topic in the comment section below.
