February 12, 2019

The Password Is Dead: The End of Password Logins, and What Will Replace Them

Did you make sure to add a capital letter, two special characters, and a number? Oh, and you can't include your name in that. Make it at least 10 characters long without dictionary words.

Where did all these rules come from? Why are password logins so much trouble?

These standards exist because password-hacking techniques like brute-forcing and social engineering have become too prevalent.

The World Wide Web Consortium, the wizards of the Internet, have declared the password obsolete. Codes are out, multi-device public key authentication is in.

WebAuthn, the movement for revamped web security, is working with the FIDO Alliance to change the way we think about the Internet. Will you be left behind?

Why Password Logins Suck

Passwords seem only logical for security. To prevent everyone from accessing everything, lock accounts with something only the owner knows.

Once irreversible encryption ("hashing") became a thing in the 70s, passwords were the standard in cybersecurity. But this was not without its downsides.

For one, most people use simple stuff for passwords. Birthdays, dictionary words like "love" or "sex", "123456", and so on. People use public information to make a private key code.

Second, there are plenty of ways passwords can be wirelessly intercepted or stolen. The fact of the matter is that most people using the Internet aren't experts, and so are easily tricked into giving away valuable information.

Third, it's an inconvenience to have a lot of passwords. That's why most people use the same password for all eight of their social media accounts. If a malicious user gets a hold of one password, they may have your whole life.

The ultimate issue with passwords is that they put too much burden on the end user. There are many vulnerabilities in modern Internet technology, and you can't be expected to deal with them all.

Public Key and Multi-Factor Authentication

In recent years, we've seen the dawn of new security techniques. The most important is multi-factor authentication, which forces a user to go through multiple layers.

For example, when you put your chip in a debit card reader, it's using a form of geolocation security. It says, "OK, the physical card is here; the person didn't just enter the numbers."

But the reader might go on to ask you for your four-digit PIN. It knows the card is present, but it wants your passcode. The two layers of security make for the current best practice in conducting transactions.

On the other hand, public key user authentication methods are what's going to replace passwords. They work like this:

A user wants to access their account, entering their username and password. The system then texts a code to their phone. The user enters the SMS code on their computer and is granted access.

The public key is what both the user and the service see, but no one else. 

Sounds simple enough, right? You might've even done it before. It's significantly stronger than password security, along with these alternatives:

  • Biometry. Users access applications by taking a selfie, using their voice, or tapping their fingerprint. All of these are powerful but have limitations. For example, "master key" fingerprints can be generated. Read more about Biometric Authentication in this post.
  • Geolocation. Device location can provide insight into who's using what.
  • Games. Users solve a short puzzle unique to them.
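The text-message code step in the login flow described above, seen from the server's side, as an added example (not code from this article or from any product it names). The class name, the five-minute lifetime and the five-guess limit are assumptions, and sending the SMS is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a texted code
MAX_ATTEMPTS = 5         # assumed guess limit per issued code


class OneTimeCodeStore:
    """Server-side state for texted login codes (in memory for the example)."""

    def __init__(self, clock=time.time):
        self._key = secrets.token_bytes(32)  # per-process key for the HMAC
        self._pending = {}                   # username -> [digest, expiry, attempts]
        self._clock = clock

    def _digest(self, username, code):
        msg = f"{username}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, username):
        """Create a 6-digit code; the caller hands it to its SMS gateway."""
        code = f"{secrets.randbelow(10**6):06d}"
        # Keep only a keyed digest so a leaked store does not reveal live codes.
        self._pending[username] = [self._digest(username, code),
                                   self._clock() + CODE_TTL_SECONDS, 0]
        return code

    def verify(self, username, submitted):
        """True only for the current, unexpired code within the guess limit."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expiry, attempts = entry
        if self._clock() > expiry or attempts >= MAX_ATTEMPTS:
            del self._pending[username]      # expired or locked out: reissue needed
            return False
        entry[2] += 1                        # count every guess, right or wrong
        if hmac.compare_digest(digest, self._digest(username, submitted)):
            del self._pending[username]      # single use: a replay fails
            return True
        return False
```

Issuing a new code for the same user replaces the old one, so only the most recent text message is ever valid.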

Soon password logins will be obsolete, as other technology and programming allow for better options, including the no-password login options offered through technologies such as eGuardian®.

What's to Come

You can expect password logins to be overturned in the coming years since WebAuthn is in its final stages. It's a necessary transition towards the future.

But also expect biometric, geolocational, and public key cryptography to pass. These all have their limitations, and can certainly be exploited. 

We are working towards a brighter day of security, where all people can rest assured that what's important to them is safe. Our goal is your peace of mind.

Get in touch with one of our experts to figure out how to implement cutting-edge security practices in your technology.
