Are you someone who ends up clicking the “forgot password” link on most websites, knowing full well that the new password you generate will be forgotten as well? If so, you will probably agree that passwords are a burden on our memory. Passwords have protected user accounts for a long time, but the ways they are stolen, guessed and reused have outpaced the ways we defend them, and it is time to move beyond them.
A report by IBM states that 52% of data breaches were caused by malicious attacks, with the average cost of a breach around $4.27 million. Attackers’ phishing techniques have grown far more sophisticated, and a password typed into a convincing fake login page is compromised no matter how long or complex it is.
Most users tend to choose easy, memorable passwords such as significant dates, names or catchphrases, and reuse them across sites. A report by Verizon states that 80% of hacking-related breaches involved brute-forced or stolen credentials. Freely available password-cracking tools run through dictionaries of common words and previously leaked passwords in seconds, and one reused password that turns up in a breach unlocks every other account that shares it, putting users’ sensitive information at the attacker’s fingertips.
Is there a way to log in without the hassle of recalling passwords? Can we move beyond writing passwords on sticky notes kept right beside our devices? In this blog we dig into the past and future of passwords and look at a new horizon of secure authentication: going beyond passwords.
Password technology has evolved a long way since MIT professor Fernando Corbató introduced digital passwords in the early 1960s. His Compatible Time-Sharing System (CTSS) gave each user a private password to protect their own files, and he has since been widely known as the “Father of Digital Passwords”. With the arrival of the World Wide Web, more and more people went online and entrusted sensitive data to websites on a regular basis. Online security became a top priority, and early websites stored each user’s password as-is in their own databases. This was not secure: anyone with access to the database, including the site’s own employees, could read every user’s password, and a single leaked database exposed all of them.
Next came hashed passwords. Instead of storing the password itself, the site runs it through a one-way hash function and stores only the resulting digest; at login the submitted password is hashed again and compared with the stored value, so the original password never has to be kept. Password hashing was a huge success and is still used by virtually every website today. It is not a cure on its own, however: a leaked database of fast, unsalted hashes can be cracked offline at billions of guesses per second, which is why modern practice adds a unique salt per user and a deliberately slow algorithm such as bcrypt, scrypt or Argon2. And hashing does nothing against phishing, which has led to repeated credential breaches costing companies millions of dollars over the last few decades.
To add a layer beyond the password, many web and mobile applications adopted multi-factor authentication (MFA), in which the user proves something in addition to the password, most commonly a 6-digit one-time password (OTP) sent by SMS to the registered mobile number. This is a real improvement, but it is not phishing-proof: an OTP is just a short code, and a user who types it into a fake page, or reads it out to a caller posing as the bank, hands the attacker everything needed to log in within the code’s validity window. The Times of India reported about 900,000 incidents of OTP fraud across India in 2021.
Even after all these milestones, one underlying question remains: is it time to get rid of passwords altogether?
Although passwords have served the web for over three decades, by 2022 they have become a real hassle. Millions of companies, including social media platforms and e-commerce websites, have launched login and signup portals that require users to create an account and generate a password. An average user with an active online life has about 100 passwords, paving the way for password overload.
Maintaining good password hygiene is tedious, and most users are guilty of reusing the same password across multiple accounts or not changing a password for years. Worse, users abandon registration on websites whose password policies are too strict to remember.
A datasheet by WPEngine reveals the five most-used passwords of all time:
Password-based authentication is also a burden on developers. Getting it right means hashing correctly, rate-limiting login attempts, handling resets and lockouts securely, and keeping all of those settings correct over time; a developer who is unaware of one of these details, or a single careless configuration change, can leave the whole code base open to attack.
The FIDO Alliance, together with Apple, Microsoft and Google, has set out to create modern standards of authentication that go beyond passwords. Passwordless authentication built on FIDO2/WebAuthn uses public key cryptography: the credentials, known as passkeys, are unlocked on the user’s device with a biometric or the device PIN, and the login completes without any password being typed or sent.
Passkeys are created in seconds and are highly secure precisely because they do not rely on the user’s memory. A passkey is a public/private key pair. The public key is stored on the server; the private key stays on the user’s device (or is synced between the user’s own devices in end-to-end encrypted form) and is never sent anywhere, so a breach of the server’s database yields nothing an attacker can log in with. At login the server sends a fresh random challenge and the device signs it, and because the credential is bound to the site’s domain, a look-alike phishing site cannot obtain a usable signature at all. This gives users maximum security without burdening them. To learn more about passkeys, read our detailed blog on Passkeys.
With the release of iOS 16 and macOS Ventura, passkeys are available to Apple users on those systems, and other platforms and websites are following. Passwords are nearing the end of their road, and passkeys have the potential to create a thriving online ecosystem in which the phishing and credential-stuffing attacks that feed on passwords have nothing left to steal.