The Demise of the Password
In recent weeks security researchers have been able to publicise discoveries of data dumps containing over 2.9 billion email addresses and passwords, labelled ‘Collections #1-5’, that have been sitting in folders on a popular hacking forum.
While the sheer number of credentials exposed in these leaks is astounding, it’s not surprising, as it only adds to the billion-plus passwords we already knew were floating around on the dark web. Below Andrew Shikiar, chief marketing officer of the FIDO Alliance, explains why the classic password is on its way out.
What is surprising is the continued reliance on traditional username/password authentication, despite knowing it is easily breached and susceptible to compromise via credential stuffing attacks.
The problem of authentication has indeed risen to the forefront in recent years, as the vast majority of publicised high-profile data breaches have been traced back to weak and shared credentials; usually a username and password combination stored in easily exposed, central databases that attackers can readily infiltrate. Even among IT professionals, who should lead the way when it comes to secure authentication, 69 percent share passwords with colleagues, and over half reuse an average of five passwords across business and personal accounts, according to a recent survey. With nearly 50% of shopping cart abandonment being due to password issues (per a Visa study) and a large proportion of costly IT support calls within enterprises related to passwords, weak authentication is also becoming an economic burden for many businesses.
The good news is that the tide is turning. Rather than encouraging users to change all of their online passwords – which more often than not results in easy-to-remember passwords being recycled across different accounts – website and app developers can now look to new web standards from FIDO Alliance and W3C for strong authentication that will enhance security while improving the user experience. As service providers start to turn on these capabilities, we’ll begin to see an accelerating shift away from passwords – which in time will consign credential leaks such as Collection #1-5 to history.
Mobile devices, PCs and web browsers are now shipping with the capabilities for strong authentication – combining cryptographic protection of user authentication credentials, which can’t be phished and in fact needn’t ever leave the user’s device, with a low-friction user experience. By building applications and websites that support new web standards for strong cryptographic authentication, developers can now leverage these authentication mechanisms that are literally already in their users’ hands — from fingerprint, iris, face or voice recognition in PCs and mobile devices to portable hardware security keys — to improve security for their businesses and their users.
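To make concrete why such device-bound credentials resist phishing and credential stuffing, here is an added illustration in Go (not code from the FIDO Alliance or the W3C specifications): a simplified model of a FIDO-style authenticator that keeps one P-256 key pair per relying party and signs only server challenges bound to the origin it was registered with. The names Authenticator, bank.example and bank-login.example are constructed for the example, and the real WebAuthn signed data (authenticatorData plus clientDataHash) is simplified to a hash of rpID and challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models a device-bound authenticator: one key pair per relying party (rpID); private keys never leave it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register creates a credential scoped to rpID and returns only the public key for the server to store.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 key generation; only fails if rand fails
	a.keys[rpID] = priv
	return &priv.PublicKey
}

// Assert signs the challenge bound to the origin the browser actually reached; a lookalike origin has no credential, so nothing is signed for it.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, bool) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, toBeSigned(origin, challenge))
	return sig, err == nil
}

// toBeSigned binds rpID and challenge into the signed data (WebAuthn's rpIdHash and clientDataHash, simplified).
func toBeSigned(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID), challenge...))
	return h[:]
}

// Verify is the server side: it checks its own rpID, the challenge it issued, and the public key stored at registration.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, toBeSigned(rpID, challenge), sig)
}

// Scenario: a genuine login verifies; a replayed signature fails against a fresh challenge; a lookalike origin gets no signature.
func Scenario() (genuine, replay, phish bool) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	pub := auth.Register("bank.example")
	c1, c2 := make([]byte, 32), make([]byte, 32) // constructed challenges, fresh per login attempt
	rand.Read(c1)
	rand.Read(c2)
	sig, _ := auth.Assert("bank.example", c1)
	genuine = Verify(pub, "bank.example", c1, sig)
	replay = Verify(pub, "bank.example", c2, sig)
	_, phish = auth.Assert("bank-login.example", c1)
	return
}
func main() { fmt.Println(Scenario()) }
```

Note that the server stores only a public key, so a breach of its database yields nothing that can be replayed or stuffed into another site's login form.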
As 2019 progresses we are surely going to see biometrics and other embedded authentication sources continue to contribute to an enhanced customer experience. The new version of 3D Secure, for example, will be optimised for mobile devices and enable the implementation of secure biometric user verification. Biometrics are likely to impact the financial services industry as well, given their potential to meet organisational and consumer demand for transaction convenience while ensuring compliance with regulations such as the Second Payment Services Directive (PSD2).
While this development is welcome, the industry needs to continue to commit to creating and implementing technical standards and established best practices, which can also inform emerging government regulation around this technology. Organisations may not be able to eliminate all passwords immediately, but 2019 should be the year that dependency on them begins to decline, as companies look to improve processes and aim to eliminate the burden of managing them — setting the stage for broader enablement of password-free online experiences as we head into the next decade.