Time to forget passwords?
Major technology providers are now moving towards a password-free world, but is it time for you to forget them?
Steps towards a ‘password-less’ environment being taken by the likes of Google and Microsoft reflect the fact that the traditional way of protecting personal data is fundamentally unsafe.
A report from Risk Based Security revealed more than 3,800 publicly disclosed data breaches in the first six months of 2019 alone – compromising 4.1 billion records. And in 65 per cent of the violations, passwords were part of the leaked data.
When Google was beta-testing its Password Checkup extension for the Chrome browser, it found 316,000 compromised passwords in just one month.
This is worrying because the 2019 Verizon Data Breach Investigations Report says that compromised passwords were used in 80 per cent of all hacking-related breaches.
With the introduction of Windows Hello in November 2018, Windows 10 users were able to securely sign in to their Microsoft accounts on the web using facial recognition, without a password having to be entered. Hello is now fully FIDO2 certified by the global authentication body, the FIDO Alliance.
Approximately 5,000 businesses have deployed Windows Hello for Business, on more than one million commercial devices.
The technology giant has also developed a Microsoft Authenticator app which enables users to validate their Microsoft account using their mobile phone. It’s built on similar secure technology to Windows Hello.
Several Google services are also FIDO2 certified. Users can verify their identities with their fingerprint or a screen lock code instead of a password on devices that use Android 7 and later versions.
But the problem is that fingerprint technology and facial recognition aren't yet foolproof. Another possible solution is finger vein scanning, which reads the patterns of the veins inside the finger using ambient or infrared light. However, researchers at the Chaos Communication Congress in Berlin demonstrated a method of replicating a vein pattern on a wax hand which was good enough to fool some systems.
So a password-free world has not arrived yet. But when it does, the solution needs to work across all industry platforms and browsers.
That’s why Microsoft and other providers are aligned with the FIDO Alliance, which represents 250 organisations from various industries. The Alliance’s members have a joint mission to replace passwords with easy-to-use strong credentials.
Gary Jowett, from Computer & Network Consultants (CNC) in Brighton, said: “While passwords remain necessary we all need to ensure they are strong, regularly changed and never shared. As technology providers move towards a world without passwords, all organisations will need to review the security policies they follow and assess whether to budget for more technology and applications to support the new arrangements. It’s worthwhile talking to an independent consultant to get an objective view about the appropriate security protocols to adopt and how to prepare your people for a new password-free environment.”