Can we live without passwords?

More passwords, less security

The explosion of online services has led to a drastic increase in the number of personal and professional accounts – some 191 on average, according to a study conducted in 2017. As a result, the re-use of passwords from one account to another, or the creation of passwords following an easy-to-guess pattern, are common bad practices.

So how can IT managers properly secure access to a corporate network, when half of the employees authenticate with the same password they use to log into their Amazon or Gmail accounts?

It’s a difficult question, and offloading the responsibility onto users by imposing increasingly complex and heterogeneous password rules does not help. In 2016, of all compromised passwords, “123456” was used by almost one in five victims.

In response to the explosion in the number of credentials, some companies offer proxy authentication services or password safes, but these introduce single points of failure

And even when we, users, respect the rules, the companies managing our data may not, while they are themselves exposed to vulnerabilities in technologies they do not control.

In response to the explosion in the number of credentials, some companies started offering proxy authentication services or password safes, but these introduce single points of failure.

Safes are software, and as such they can have vulnerabilities. Cracking the safe’s master password grants access to all the credentials saved. As for proxy authentication services, the latest data breach affecting Facebook is an example of the consequences of such practices.

Gemalto estimates that over the first six months of 2018, more than 4.5 billion pieces of personal data have leaked – nearly 300 per second.

In this context, is it even possible to authenticate securely?

Can we fix passwords?

To sum up, on one hand, users have too many passwords to manage, while on the other, passwords leak from datacentres on a daily basis.

On the user side, targeted awareness campaigns do improve password hygiene. Password safes also offer a first response with the ability to generate complex passwords, though they rely on a master password. Furthermore, the global impact of awareness campaigns remains limited, while password safes are far from popular among non-experts.

To avoid the risk of interception or password leaks, one solution is to perform the authentication on the user side. Fast Identity Online (FIDO) is an alliance of companies united around this concept; today, more than 1.5 billion users can authenticate without any password ever being transmitted out of their computer. A physical device owned by the user manages the authentication process and indicates to compatible online services that these users are indeed who they claim to be.

FIDO offers a solution that eliminates the need to remember each of our passwords. However, most implementations still work with a PIN. And as in the case of credit cards, a PIN can be stolen, even if the probability remains low.

Can we then envision a future in which we’ll authenticate without having to remember anything? Can we live without passwords?

Multifactor authentication

Living without passwords, or any other type of information to remember, is possible today. Doing so in a sufficiently secure manner, however, requires the implementation of the most fundamental principle of modern security: defence in depth

Invented in the 17th century by a French military engineer named Vauban, this principle has protected stone castles, nuclear plants and computer networks. In terms of authentication, the implementation of this principle relies on three types of factors: 

• Type 1: Something we know, such as a password or PIN.
• Type 2: Something we have, such as a door key or a blue card.
• Type 3: Something we are, such as fingerprints or DNA.

Nowadays, an authentication mechanism is considered safe enough for public use if it relies on at least two factors from two distinct categories. The combination of a password and a temporary code sent by SMS is probably the best-known example.

However, while it is true that circumventing such a mechanism is not simple, it is essential for each factor to be secure “enough”. Codes sent by SMS are not secure because mobile phones can be spoofed, and badly chosen passwords are no good either, as discussed above.

Adding a Type 3 factor could prove to be a solution, and it is indeed the case in highly secure environments, but too cumbersome for the general public.

So, can we live without passwords, without compromising on security?

#Passw0rdsNoMore

A combination of Type 2 and Type 3 factors offers an authentication solution requiring no memorisation effort.

A concrete example of such a solution would be a FIDO-compatible digital key with an embedded biometric sensor. Such a device has just been put on the market.

Solutions therefore exist, but widespread adoption will not happen overnight.

Security is a process that evolves in parallel to the threats. Today, passwords are the crown jewels that attackers desperately try to steal, because they are so critical to digital security. Tomorrow, it may be biometric solutions, which, by the way, are not fail-proof.

New authentication protocols will bring about new dilemmas. What will we do when our fingerprints become part of the public domain?

Other authentication solutions solutions will emerge, which attackers will crack, and so on.

In the meantime, for us to look forward and embrace the fourth industrial revolution, we need to solve today’s problem and leave our passwords behind.

Bruno Halopeau is head of cyber resilience and Adrien Ogee is project lead for cyber resilience at the World Economic Forum’s Centre for Cybersecurity.