Nobody likes using passwords. Users find them inconvenient and difficult to remember and companies are increasingly finding them inadequate for their security needs. Despite this, the username-password combination has remained the go-to authentication method for decades.
The ability of passwords to keep cybercriminals at bay is poor at best. A Verizon Data Breach Investigations Report revealed that 81% of major data breaches are traced back to a single compromised identity.
The resulting cost is tremendous. A Frost and Sullivan study last year, showed that the economic loss in Asia Pacific due to cybersecurity incidents can hit a staggering US$1.745 trillion, more than 7% of the region’s total GDP!
The root of the problem lies in the fact that older authentication systems are based on a shared secrets model, where the user’s credentials are known by both sides of the transaction. Typically, users are required to have complex, unique passwords for each account that feature a mix of numbers and letters. However, an average user today has over 90 online accounts, and this makes it impractical to continue using this model.
In the meantime, as online services build their consumer base, user credentials (both usernames and passwords) are typically stored in a central data server or location. A single successful breach can allow cybercriminals to gain access to millions of username-password pairs, which are then resold on the Dark Web. This leads to credential stuffing, which has quietly become a major plague to businesses worldwide – with upwards of 80% of attempted e-commerce site log-ins being stuffing attempts.
As many consumers reuse passwords, the stuffing success rate ranges around 2%, which is costing businesses dearly (US$5 billion in the United States alone in 2017 according to Shape Security).
Hence, the cycle of data breaches continues.
The shared secret problem is not new, and the industry has posited several approaches over the years to resolve the issue. The most prevalent is the use of one-time passwords (or OTPs) to provide a second factor of authentication (2FA).
Closer to home, Singapore has mandated the use of OTPs for all sensitive e-government transactions since July 2016, and most of essential government e-services now require 2FA. Additionally, banks here are legally obliged to implement 2FA at login.
This second layer of authentication, with a one-time password delivered in conjunction with dedicated OTP devices, mobile apps or via SMS, has certainly strengthened security, but at the cost of simplicity and user experience – which is awkward at best, forcing users to juggle devices and/or toggle between apps. And OTPs are still shared secrets (albeit with shorter longevity) that are susceptible to replay attacks via spear-phishing and other means - which leads to account takeovers.
Clearly passwords are a failed methodology, and OTPs present significant usability challenges while not adequately mitigating security risks. Just as we do not use Windows 95 or dial-up modems anymore, it is time for us to upgrade our authentication processes.
But is an Internet without passwords really possible?
Enter the FIDO Alliance
Established in 2013, FIDO (Fast Identity Online) Alliance is a non-profit group comprised of technology industry partners working together to establish standards for strong authentication. FIDO is the industry’s answer to the world’s password problem, with leading companies spanning borders and industries collectively focused on creating open standards and an ecosystem of supporting products and programmes that enable simpler and stronger user authentication.
Core to the FIDO approach is the introduction of the concept of the FIDO Authenticator, which is a secure part of a device where user authentication credentials are stored as private keys - unique to each service or log-in. These keys are established at point of account registration, at which point the service provider stores a corresponding public key on their server.
When the user returns to the site or app, she first verifies herself through a simple gesture such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second–factor device or pressing a button. A challenge/response dialogue takes place behind the scenes that matches the private and public keys that also includes critical metadata about both the authenticator and the website or app that is entirely unique -- thereby eliminating the threat of phishing or account takeover.
Keeping the private key resident to the device brings added privacy benefits as the consumer is always in possession of his authentication data. This localised authentication is well aligned with regulations in Europe such as revised Payment Services Directive and General Data Protection Regulation. It also addresses common users’ fears associated with misuse of their biometric credentials -- which are well founded as the theft of biometrics from centralised repositories could cause irreparable harm as it impossible to revoke one’s fingerprint or iris scan.
FIDO’s approach also does away with the requirement to store credentials in a centralised repository -- which both changes the threat landscape for would-be hackers and begins to de-risk the authentication process for the service provider by limiting their downstream exposure in the event of a data breach.
By utilising public key cryptography techniques, smart devices can be used to provide stronger authentication without burdening users.
Passwords still prevail today for restricting access to and protecting data and information. This outdated approach creates risk for consumers and businesses alike, and in doing so threatens the integrity of the connected economy.
Fortunately, leading companies from all corners of the world have rallied together in industry bodies such as the FIDO Alliance to create industry-wide solutions that will modernise the user authentication process.
FIDO’s approach to authentication allows organisations to better protect data and information while, at the same time, enhance user experience and reducing friction.
A world without passwords is finally in the making.