Are we really ready to kill off the username and password?

By Vince Warrington, founder, Protective Intelligence

It is understandable that IT teams and data protection experts are advocating improved methods to authenticate user identity in apps and cloud services.

According to a recent report from telecoms giant Verizon, two out of three data breaches today are due to stolen passwords or misused credentials. A grim statistic, but an unsurprising one, particularly given that the term ‘password’ was the second most stolen password in 2016, with ‘123456’ and ‘qwerty’ close behind, according to a report from SplashData.

Another security software specialist, Skyhigh Networks, recently analyzed 11 million compromised passwords for sale on the darknet and identified the 20 most common passwords used today. These 20 passwords are so common that they are used by over 10% of users.

But the answer does not simply lie in creating longer, more complex passwords with at least 10 or 12 characters in lower and upper case and with a mixture of numbers and special characters.

These are what many app and cloud service providers are increasingly demanding to keep accounts and personal information secure. Nevertheless, however complicated the password may be, the reality is that users struggle to remember them and are more likely to reuse them across multiple accounts that demand a strong password.

According to a study from the University of Cambridge, a staggering 31% of online users reuse the same password for several of their accounts.

Although long, complex passwords might take longer for a hacker to crack, the fact remains that passwords, no matter how elaborate, are increasingly being stolen in large cyber attacks. Thanks to the vast computing power at cyber criminals’ disposal, it is becoming increasingly easy to compromise passwords in a brute-force attack.

The IT and security industries are well aware that better forms of authentication are needed to protect our data in an increasingly hazardous online world, and many are working tirelessly to create a variety of new solutions to make identity authentication a harder process for cyber criminals to infiltrate.

Biometric sensors are entering the mainstream and found on more and more devices. iPhone users are happily embracing Apple’s fingerprint biometrics and facial recognition tools to authenticate their identity, and iris scans and voice recognition are also starting to make a mark.

But it is a little simplistic to assume these new biometric alternatives – themselves still a work in progress – will replace the humble password.

For many IT professionals, the answer lies in some form of multi-factor authentication procedure.

As the name implies, multifactor authentication (MFA) requires more than one piece of information to gain access to sensitive data. This can be a combination of password and biometric authentication, or text-based authentication, where a user types in a four-digit code sent by a site to a device, via SMS.

Mobile-based authentication is certainly becoming the benchmark standard for many online businesses, but it does not come without its own issues. Unfortunately, mobile devices are not always secure, and a growing amount of malware is being specifically programmed to target them.

With all their drawbacks, passwords have remained popular mostly because users are creatures of habit and have adopted them into their cyber-routine. Before postulating that any new security measure may replace passwords, it is worth recognising that the real obstacle is user experience; any replacement would also need a positive experience attached.

What seems to tick both boxes here is the emergence of new, password-free, mobile push-based authentication systems, which increase security but do not impact on customer experience.

Authentication is carried out automatically, with no excessive demands on users, and the device itself becomes the prime method of authentication. The first time a user signs into a website, they will be asked to scan an on-screen QR code with their mobile device. This creates an ID tether between the user and their device. The next time the user logs in, a push notification is sent to the device and all they have to do is tap ‘approve’ in order to proceed. These messages are sent using a different network – generally, the cellular network – making interception by malware or other criminal monitoring of data activity very difficult.
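The enrolment-then-push flow described above, modelled as an added example that is not code from the article or from any vendor's product. The page does not describe the real message formats, so the field names, the use of a shared secret delivered in the QR payload with an HMAC over the challenge as the "approve" response, and the 60-second validity window are all assumptions chosen for illustration. The point the model makes is that a sound push scheme must bind each approval to a single-use, short-lived challenge and to the enrolled device, so that a captured approval cannot be replayed and a device that never scanned the QR cannot answer.

```python
# Added example, not from the article or any vendor: a toy model of the
# QR-enrolment / push-approve flow. All field names, the HMAC-based approval
# and the validity window are assumptions chosen for illustration.
import hashlib
import hmac
import json
import secrets
import time

PUSH_TTL_SECONDS = 60  # assumed validity window for a push challenge


def approval_mac(secret: bytes, challenge: dict) -> str:
    """Keyed MAC over a canonical encoding of the whole challenge, so the
    approval is bound to this nonce, this tether and this expiry."""
    canonical = json.dumps(challenge, sort_keys=True).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


class AuthServer:
    """Website side: enrols devices via QR, pushes challenges, verifies taps."""

    def __init__(self):
        self.tethers = {}         # tether_id -> {"user": ..., "secret": ...}
        self.pending = {}         # tether_id -> outstanding challenge
        self.used_nonces = set()  # every nonce is single-use

    def enrol_qr(self, user: str) -> str:
        """First sign-in: the QR payload the user scans with their phone."""
        tether_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self.tethers[tether_id] = {"user": user, "secret": secret}
        return json.dumps({"tether_id": tether_id, "secret": secret.hex()})

    def push_challenge(self, tether_id: str, now=None) -> dict:
        """Later sign-in: the message pushed to the tethered device."""
        now = time.time() if now is None else now
        challenge = {
            "tether_id": tether_id,
            "nonce": secrets.token_hex(16),
            "expires": now + PUSH_TTL_SECONDS,
            "context": "web login",  # what the user is being asked to approve
        }
        self.pending[tether_id] = challenge
        return challenge

    def verify(self, response: dict, now=None) -> bool:
        """Accept a tap only if it matches a live, unused challenge."""
        now = time.time() if now is None else now
        challenge = self.pending.get(response.get("tether_id"))
        if challenge is None or challenge["nonce"] != response.get("nonce"):
            return False  # unknown device or stale nonce
        if now > challenge["expires"] or challenge["nonce"] in self.used_nonces:
            return False  # expired, or replayed approval
        secret = self.tethers[challenge["tether_id"]]["secret"]
        expected = approval_mac(secret, challenge)
        if not hmac.compare_digest(expected, response.get("mac", "")):
            return False  # forged or tampered approval
        self.used_nonces.add(challenge["nonce"])
        del self.pending[challenge["tether_id"]]
        return True


class PhoneApp:
    """Device side: holds the tether secret and answers pushes on 'approve'."""

    def __init__(self):
        self.secrets = {}  # tether_id -> secret

    def scan_qr(self, payload: str) -> None:
        data = json.loads(payload)
        self.secrets[data["tether_id"]] = bytes.fromhex(data["secret"])

    def tap_approve(self, challenge: dict) -> dict:
        secret = self.secrets[challenge["tether_id"]]
        return {
            "tether_id": challenge["tether_id"],
            "nonce": challenge["nonce"],
            "mac": approval_mac(secret, challenge),
        }


def run_flow() -> dict:
    """Walk through enrolment, a good login, and three failure modes."""
    server, phone = AuthServer(), PhoneApp()
    qr = server.enrol_qr("alice")  # constructed user for the example
    tether_id = json.loads(qr)["tether_id"]
    phone.scan_qr(qr)

    good = server.verify(phone.tap_approve(server.push_challenge(tether_id)))

    # Replaying the same approval a second time must fail.
    approval = phone.tap_approve(server.push_challenge(tether_id))
    server.verify(approval)
    replayed = server.verify(approval)

    # A tap arriving after the window must fail.
    late = server.push_challenge(tether_id, now=1000.0)
    expired = server.verify(phone.tap_approve(late), now=1000.0 + PUSH_TTL_SECONDS + 1)

    # An approval from a device that never scanned the QR must fail.
    stranger = PhoneApp()
    stranger.secrets[tether_id] = secrets.token_bytes(32)
    forged = server.verify(stranger.tap_approve(server.push_challenge(tether_id)))

    return {"good": good, "replayed": replayed, "expired": expired, "forged": forged}


if __name__ == "__main__":
    print(run_flow())
```

Running the module prints the outcome of each scenario; only the genuine first approval is accepted, while the replayed, expired and forged approvals are all rejected. A production scheme would normally use a per-device asymmetric key pair rather than a shared secret, and would show the user the login context before they tap, so that an approval prompt triggered by someone else is not waved through out of habit.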

Although multifactor authentication processes are likely to increase, we predict that push-based device authentication will eventually become the main authentication method within the next ten years.

Until then, it’s clear that creating unique, complex passwords, and changing them often on all your accounts, will continue to play an important role in keeping your personal data secure. Password vaults such as LastPass, which encrypt your data at rest and demand MFA for access, are becoming instrumental to any online experience: they allow the user to keep track of, store and retrieve all the new complex, unique passwords they have created.

The password is not dead yet; rather, it is experiencing gradual retirement.