Do you hate passwords? Some good and bad news

How much do you hate passwords? In simpler times, they were a necessary nuisance, but with more than fifteen billion hacked credentials now circulating on the dark web, maintaining good password hygiene has become a science project.

Most specialists now advise creating passwords with a minimum of twelve random characters and never reusing the same one on multiple sites. Since remembering anything like that is out of reach for most humans, there are a variety of password managers available to assist you, most of which are protected by, you guessed it, passwords.

No one hates passwords more than the site operators who need them. A recent survey of more than one with zero users conducted by passwordless startup Beyond Identity found that two-thirds said the need to create new passwords prevented them from creating accounts, and three-quarters said they abandoned their shopping carts due to the inconvenience of resetting passwords.

What if we could get rid of passwords completely? The good news is that a lot of money and brainpower is going into doing just that. The bad news is that passwords, like mice, never completely disappear.

Today's Passwordless Solutions

There is steady progress on the enterprise front. Enterprise identity and access management vendors such as Okta, Ping Identity, OneLogin, and Cisco offer passwordless access to company-approved sites. You still need at least one password to log into their services, but once you're approved, you're ready to go. The downside is that your checking account or Netflix is probably not on the company's list of approved services.

On the consumer side, the most widely used option is OAuth, an open protocol that allows users who log into trusted sites like Facebook, Google and Apple to log into other services without creating an account or password. OAuth is simple to use and considered secure enough whenever you log in through an authentication server, but it's no piece of cake for site operators, said Zane Bond, product manager at Keeper Security, which makes a password manager.

OAuth "is certainly cryptographically secure, but from a site owner's perspective, it's quite difficult to incorporate properly," he said. "You have to keep up with every single patch and release, and sometimes the tuning guides don't give you all the information you need. You may be using secure technology, but you have configured it incorrectly. This is one of the reasons you don't see OAuth being used very often on the millions of familiar retail sites out there."

The most significant newcomer to the field is Microsoft, which introduced a passwordless alternative for Microsoft accounts in September. However, the solution does not eliminate the need to log in, as it still requires the Microsoft Authenticator application or other methods. It also works only for Microsoft accounts, at least for now.

And this is the biggest drawback. Beyond OAuth, the market is a jumble of solutions. The lack of a single prescriptive standard means that people who spend a good deal of time online must continue to rely on a variety of password managers, authentication applications (I have three of them), biometric verifications and text codes to get things done.

New players on the horizon

A host of start-ups are tackling the problem. Magic Labs employs public and private cryptographic key pairs created on the Ethereum blockchain (you don't want to know more). Secret Double Octopus, which wins the award for the best company name I have heard, uses technology that is supposed to safeguard nuclear launch codes, but its product is primarily aimed at companies.

Transmit Security recently raised € XNUMX million in funding for a technology that uses biometrics to authenticate users across multiple devices. Beyond Identity has raised over € XNUMX million for technology that leverages a tamper-proof environment called the Trusted Platform Module, built into every computer and smartphone. The module stores a private encryption key that is paired with its public counterpart on the sites that a person visits.

"As soon as you have an account, you have the option to pass without a password," said Jing Gu, senior product marketing manager at Beyond Identity. "You give us an email address, we send you an email and that creates the link."

The challenge facing all of these companies is getting site operators to adopt their solutions. And the more players there are on the market, the less likely it is that any one of them will achieve critical mass. "True passwordless security is going to be really hard to come by because of the sheer volume of sites," Bond said. "Finding a way for the standards to coexist instead of competing with each other is the way to achieve it."

Meanwhile, take cover. Invest a few US dollars in a password manager, abide by the twelve-character rule, and enable multi-factor authentication on every sensitive account. It is painful, but if your identity has ever been compromised (as mine was three years ago), you will understand that it is worth it.

Copyright © 2021 IDG Communications, Inc.