There are some science fiction promises that can wait, such as vests and flying cars or colonies on Mars. However, some goals seem more achievable, and sometimes feel so close that they are just over the horizon. We are talking about the end of passwords. The good news is that the infrastructure for password-free authentication is now up and running across operating systems and browsers. The bad news? You still set passwords on various websites and services every day, and that will continue for some time.
There is no doubt that passwords are a real security nightmare. Creating and managing them is so irritating that people often reuse the same password or choose simple passwords that are easy to guess. Passwordless authentication is the opposite: it relies on attributes that are much harder to steal, such as biometrics. No one can guess your fingerprint.
You most likely already use a version of these password-free systems, such as a smartphone that scans your face or finger instead of asking for a multi-digit code. These mechanisms work locally on the phone and do not force companies to store your passwords whenever you want to access a service. You can even use physical keys, by contact or wirelessly, to log in without a password. The idea is that one day these password-free methods should be usable in almost every online service.
“All the links in this chain have reached a level of maturity that their use can easily pass from technology enthusiasts to the masses,” said Mark Risher, a Google executive in charge of security and identification systems. “There is already full support from the platform, they work with all major providers and are becoming easy to use by anyone. Previously, we as an industry had no idea how to get rid of passwords. It will take some time now, but we are close.”
In late June, the launch of Microsoft Windows 11 came with a big promise: deep integration of password-free authentication. A few weeks ago, with the introduction of iOS 15 and macOS Monterey, Apple said it would incorporate a new option called Passkeys in iCloud Keychain, a step towards using biometric systems for more secure access to services. In May, Google talked about the company’s efforts to promote secure password management and how it was working to move customers away from passwords.
Despite all this, and the industry’s efforts to get developers and users on board with a password-free world, two major challenges lie ahead. First, although passwords are universally underestimated, they are also very popular, and doing without them seems absurd today. It is not easy to break taboos and habits developed over decades.
“It’s normal behavior – the first thing you need to do is set a password,” says Andrew Shikiar, executive director of the FIDO Alliance, an association that works specifically on secure authentication systems. “The problem is that we have relied on weak foundations. What we need to do is break this addiction.”
Over the past year, a FIDO task force has studied the user experience in order to recommend how to introduce the technology of password-free systems, along with the great benefits it brings, to ordinary people. FIDO says that the organizations it has worked with to implement password-free authentication systems have found it very difficult to persuade people to adopt the technology, so the alliance has issued a guide to help them introduce it more clearly.
The second obstacle is even more problematic. These password-free systems can be implemented only on the latest devices and require owning a smartphone together with another device. In practice, many people around the world share devices with others, cannot buy the latest models very often, or use only simple phones.
While the implementation of password-free authentication systems is becoming a standard, the same cannot be said for account recovery systems. When security questions or a PIN code serve as backup recovery options, you are still technically using a password, simply in a different format. So password-free schemes are moving towards systems where one device serves as a guarantee of another.
And if someone finds your lost phone, it is still protected by a local connection to the device. It is necessary to solve not only the problem of passwords, but also that of account recovery.
This is simpler than keeping backup recovery codes written on a piece of paper, but it still raises concerns about using several devices at once for people who are not used to doing so.
These are practical questions that still haunt the transition to a world without passwords. The password manager 1Password, which of course has a business interest in passwords continuing to exist, says it would be happy if these systems were adopted. On iOS and macOS, for example, you can access 1Password via TouchID or FaceID instead of typing your master password.
However, there is a big difference between the usual passwords you use on websites and a master password. Passwords stored in 1Password are synchronized between servers along with a copy of them. The master password locks the password repository and belongs only to you, so much so that even 1Password does not know it.
It will take time and more experimentation to create a password-free ecosystem that can replace all the functionality of passwords and that does not exclude the billions of people who do not have a smartphone or multiple devices. In a world without passwords it will be much harder to share the identification system with trusted people. / PCWorld Albanian