PASSWORDS have few admirers as an identity and access management technology, but viable alternatives are few and far between—or at least they have been until relatively recently. Biometrics and other technologies such as FIDO (Fast Identity Online), which uses public key cryptography for authentication, are on the verge of putting passwords and their many flaws to rest once and for all.
In May of this year, Apple, Google, and Microsoft announced a joint effort to expand support for FIDO, which was created by the FIDO Alliance and enables “websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.”
Jason Oeltjen, vice president of product management at authentication solutions vendor Ping Identity, called the announcement “a massive step toward a passwordless future” as it allows you to create a new account without ever needing a password and frees you from having to re-register every single FIDO account when someone loses a device.
A passwordless future will make life easier and more secure. Passwords cause a lot of frustration, so people base credentials on easy-to-guess words such as the names of pets and relatives, or keep the same password for too long.
“People are what make passwords weak,” says Kevin Higgins, senior consultant at cybersecurity company Optiv. “We are conditioned to choose passwords that are easy to type or remember, or to use certain patterns to create passwords.”
Having conducted hundreds of password audits, Optiv has identified various problematic practices that weaken passwords, Higgins says. Reusing them for multiple applications is a common one. “There are many cases of leaked credentials where you can tie a user’s organizational account to a personal account due to password reuse,” he says.
Another problematic practice involves password construction. People often repeat patterns such as “capitalizing the first character of your password and either ending with an exclamation mark or the numbers 1 or 9,” Higgins says.
Taking shortcuts when creating passwords weakens them, potentially giving hackers access to accounts containing sensitive data. “A weak password is very easy to steal, especially if it is stored in an email, an Excel file, or even in software code,” says Craig Lurey, co-founder and CTO of Keeper Security, a cybersecurity software provider.
Password theft happens all the time. Verizon, which publishes the yearly Data Breach Investigations Report, estimates that 61% of breaches result from stolen credentials. One relatively simple way to reduce that figure is to require a second form of authentication—usually a one-time code sent to users by email, text, or a security device.
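The public-key sign-in that FIDO relies on (first paragraph), and the reason it removes the stolen-credential risk quantified above, as an added illustration that is not code from the article or from the FIDO Alliance: a simplified challenge-response between a website and a user's device, where the site stores only a public key and each login signs a fresh single-use challenge. It assumes an in-memory relying party and leaves out what real WebAuthn adds (origin binding, signed client data, signature counters).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
)

// Simplified model of a FIDO-style login, not the WebAuthn/CTAP wire format.
// Authenticator models the user's device: the private key is generated here and never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

// RelyingParty models the website. It stores only public keys and the challenge last issued to
// each user, so a dump of its database holds nothing a thief can log in with.
type RelyingParty struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register creates a fresh Ed25519 key pair on the device and hands only the public half to the site.
func Register(rp *RelyingParty, user string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubKeys[user] = pub
	return &Authenticator{priv: priv}, nil
}

// Challenge issues a random 32-byte nonce for one login attempt; freshness is what defeats replay.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // a failing CSPRNG is not something to continue past
	}
	rp.pending[user] = c
	return c
}

// Sign is the device's proof of possession: a signature over the site's challenge.
func (a *Authenticator) Sign(challenge []byte) []byte { return ed25519.Sign(a.priv, challenge) }

// Verify accepts a response only against the challenge currently outstanding, and only once.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, known := rp.pubKeys[user]
	issued, outstanding := rp.pending[user]
	if !known || !outstanding || !bytes.Equal(issued, challenge) {
		return false
	}
	delete(rp.pending, user) // consume it so a captured response cannot be replayed
	return ed25519.Verify(pub, challenge, sig)
}
```

Unlike a password, the signed response is bound to one challenge, so a copy captured in transit or lifted from a stored file is worthless afterwards, and the site's database never holds a secret to steal.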