Passwords are becoming irrelevant, but replacing them requires open protocols rather than closed systems, opines this authentication technology expert.
Passwords are a decades-old example of an open standard for authentication, that has evolved through new security capabilities for providing authentication at low cost.
Without a doubt, user authentication remains a critical security action for all organizations, but open security standards have a safety added impact on users and we should care about this if we want more cybercriminals to fail.
Why do open security standards exist? Because these standards establish protocols and building blocks that can help make applications more functional and interoperable so that every user has a consistent experience across the board.
For example, the reason you can read email is because of a standard that was originally called USASCII that defined which bit patterns made which characters. The reason that we can communicate via mobile phones is because of the GSMA cellular standard. The list goes on, but internet security is no exception.
Outgrowing passwords
As the decades old password system has become a source of significant security challenges, new open standards are needed. Users continue to choose weak or simple-to-guess passwords and reuse the same passwords on multiple services.
The real key is that open standards are implemented reliably and consistently to create efficient and trusted conditions through economies of scale that make it possible to implement secure systems. Without open standards, security evaporates.
In early 2019, Web Authentication, or WebAuthn, became an official World Wide Web Consortium (W3C) standard. The specification allows any service such as banks, email providers, or online gaming firms, to request an authentication token that the authenticator (including mobile apps, hardware tokens, or biometric sensors) can provide.
By separating the authentication step from service access, the WebAuthn standard gives users access to a broad range of potential authenticators, most of which do not require passwords. WebAuthn is currently supported in Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari web browsers, as well as Windows 10, iOS, and Android platforms.
Sites that support WebAuthn include Google, Dropbox, GitHub, Okta, Twitter and Microsoft. Last year, Google rolled out an update so people with iPhones could use WebAuthn with more types of security keys as the second factor to sign into a Google account with.
Since the en masse move in Asia to remote-working, credential theft has risen to the top of the cyber attackers’ focus. This has meant that organizations need to introduce and rely heavily on multi-factor authentication to re-establish trust with their users that are remotely connecting to the corporate network and assets.
If the only authentication is a password, users are not protected against the numerous cyberattacks uch as credential-stuffing. Adding a second factor is a game-changer. Even one of the weakest forms of two-factor authentication, which is two-step verification through SMS text messages—is better than nothing. However, it pales in comparison to other multi-factor authentication methods like security keys that can stop 100% of all targeted attacks, according to Google.
With the significant rise in cyberattacks now top of mind for many organizations, now really is the time to be implementing the open security standards, because it is no longer a matter of if, but when an attack occurs.
User ergonomics a priority
There is no sense in implementing harder-to-use security standards when the target audience will just find a way around it. That is why the industry and the FIDO Alliance, along with W3C, have focused modern open authentication standards on ease of use.
Defining this open standard has realized a simpler user experience, reduced cost of ownership and strong security to minimize adoption challenges. The user experience must be easier than what is in use, involve a personal identification number (similar to an ATM card), a biometric or a touch, alongside a secure external hardware device (security key).
The new system must ease the current pain felt by some users struggling to keep up with ever-increasing demands for password complexity and differing methods of getting access to their daily online activities.
Ultimately, open standards have benefits for user experience, identity, authentication and provide stronger security. Our belief is that open security standards are actually more secure, not less than the closed proprietary standards, but when combined with the ergonomics and convenience can be a win-win proposition.