Passwords have been a fact of life since the dawn of the World Wide Web. The internet is inherently insecure because it was never designed for public access, so passwords became essential for authenticating users and protecting their personal accounts. But over half of all users find passwords a hassle, so they just reuse something simple and memorable – like the neighbor’s dog’s name – for their growing list of online accounts. After all, who would want to hack an account at the local public library?
Lots of people would, it turns out. The common practice of reusing simple passwords created a field day for hackers, making identity theft a household term. The hacker who gains access to your boring library account might successfully use the same password to hijack your email – or even your bank account. Cyber criminals also use powerful tools to make successful guesses at what might originally have seemed like a clever password. A good online password strength checker can be a humbling way to reveal how vulnerable your existing passwords really are. Lazy password management is clearly obsolete, but thankfully there are alternatives to creating and memorizing dozens of meaningless character strings.
Your browser probably asks you if you want to save each new password, but clicking ‘OK’ might not be such a great idea. Most popular browsers store saved passwords in plain text, leaving them essentially unprotected. Thankfully, password managers like 1Password and Dashlane take the concept to a new level, generating and memorizing bulletproof passwords for you and storing them in an encrypted vault to which you alone have access. These programs also offer more sophisticated online form fill-in capabilities than browsers, and can even store important data like your passport number for access from anywhere. Indeed, password managers not only provide vastly greater security, but they eliminate all the frustration of having to deal directly with passwords, making sign-ins as easy as they are safe.
No matter how strong, a password is a digital key stored on a server somewhere – a key that someone besides you could use if they stole it (or tricked you into handing it over). For this reason, big players like Microsoft and Google have been transitioning away from the username-plus-password authentication model for many years.
The Fast ID Online alliance (FIDO) claims that passwords are the root cause of over 80 percent of all data breaches. Since 2012, FIDO has been developing open standards for authentication based not just on “what you know” (a password), but also “what you have” (your smartphone, for example) and “what you are”. Like its name suggests, multi-factor authentication uses several parameters to ensure that the person accessing an account is who they say they are. Let’s examine how these two parameters are being used today, and what future possibilities they may hold.
Perhaps the most familiar example of multi-factor authentication is the two-step verification used by many sites and services. Typically, you request access through a website, a verification code is texted to your smartphone, and submitting that code to the website within a limited timeframe will grant you access. Sometimes a scannable QR code is used instead of a numeric one, but the principle is the same: a thief would need access to both your smartphone and your account password to get anywhere.
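The time-limited, single-use code check described above, as an added example that is not code from the original article. It assumes a server-side store keyed by user id, an injectable clock for testing, and two constructed policy values (a five-minute lifetime and five guesses per code):

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes after issue
MAX_ATTEMPTS = 5         # assumed policy: discard the code after this many wrong guesses


class VerificationCodeStore:
    """Issues one-time numeric codes and checks them within a limited timeframe."""

    def __init__(self, now=time.time):
        self._now = now       # clock is injectable so the expiry window can be exercised in tests
        self._pending = {}    # user_id -> (code, expires_at, attempts_left)

    def issue(self, user_id: str) -> str:
        # Six digits from a CSPRNG, zero-padded; the caller delivers it out of band (SMS, app).
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = (code, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False                      # nothing outstanding: no code was issued or it was used
        code, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[user_id]        # expired: the user must request a fresh code
            return False
        # Reject non-ASCII input before the comparison; compare_digest needs ASCII str and
        # a constant-time comparison avoids leaking how many leading digits matched.
        if isinstance(submitted, str) and submitted.isascii() and hmac.compare_digest(code, submitted):
            del self._pending[user_id]        # single use: the code is consumed on success
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[user_id]        # too many guesses: invalidate rather than allow brute force
        else:
            self._pending[user_id] = (code, expires_at, attempts_left)
        return False
```

A real deployment would keep the store in a shared database or cache and rate-limit the issue step as well, since an attacker who can trigger unlimited SMS sends gets unlimited fresh codes.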
An older, simpler example of the “what-you-have-plus-what-you-know” paradigm comes from personal banking. Putting your bank card (what you have) into an ATM and entering your PIN (what you know) are all that’s required to access your greenbacks. Newer interpretations of this approach use Bluetooth or RFID to connect a small hardware key in your pocket to a nearby system and ask it to trust you. But as physical keys and cards can be stolen, there’s clearly a need for a more definitive form of user identification.
This is where “what you are” comes in. Fingerprint scanners on smartphones and notebooks do a great job of blocking access to anyone other than the authorized user. More recently, facial recognition and retinal/iris scanning technology have been making the transition from sci-fi to your desktop. Biometric authentication is advancing rapidly. Coming advances include smartphones that can identify you by the shape of your ear, and DNA authentication – the ultimate accurate identification of an individual.
If having your DNA analyzed before you can browse the web sounds too Orwellian, an authentication practice known as behavioral biometrics might feel more comfortable. As with physical biometrics, the data that behavioral biometrics collects is used to help establish your identity. This data could come from your typing style, how often you blink your eyes, or even the angle at which you normally hold your smartphone. Along with less exotic information like your geographical location or your device’s OS, the data is used to build a “trust score” – a metric that online services use to decide whether they can trust you.
So Long, Barney123
The need for businesses and individuals to protect themselves from cyber threats will continue to drive the development of increasingly sophisticated authentication methods. For now, password managers do an excellent job of allowing you to safely navigate the vast legacy of old-school authentication with the convenience of fingerprint scanners – all without having to remember the neighbor’s dog’s name.