A unique password has long been the primary way we secure and access our accounts on the Internet. However, passwords present several security issues, and ultimately, they may not be as effective as we think they are. For example, most people create passwords that they can easily remember, built from their favorite pet’s name, their birthday, etc.
Furthermore, most people reuse their passwords on multiple websites and accounts. Yes, this is a bad habit, but it is understandable. We have so many online accounts and passwords that creating a unique string of random letters and numbers for each one is a daunting task for most people. However, if one website is hacked and your account information is compromised, every account that uses that same password elsewhere is also effectively compromised.
The easy solution is to use an enterprise password manager. However, password managers are attractive targets for cyber attackers. For one, if an attacker can gain access to the master password, they will have access to every account stored in the manager.
Furthermore, password managers represent a single point of failure, and they don’t make it easy to sign in on multiple devices. In addition, not every password manager is created equal. If you are not using a manager with adequate encryption standards, you might as well not use a password manager at all.
What good options are left for people who want a convenient and secure way to protect their accounts from bad actors online? Some of the largest, most successful tech companies globally think they have the answer.
Phone It In?
Three of the largest tech companies globally, Microsoft, Google, and Apple, want to move towards a passwordless future. On World Password Day 2022, which was May 5th, these tech companies announced that they would support passwordless sign-in on their respective mobile and desktop operating systems and browsers using a user’s nearby smartphone.
Before we explore how this will work, it is important to note that these three tech companies announced their plans on the same day. Some people like to buy all of their devices from the same company. However, many people have Android phones and Windows tablets or any combination of different devices. Furthermore, Google Chrome is now the most popular web browser, even on Windows and iOS devices. Therefore, Apple, Google, and Microsoft must support cross-device/browser passwordless sign-in if this approach has any chance of being adopted by the public.
How It Works
Passwordless sign-in using a smartphone would work much like a USB security key. To successfully unlock an account, your phone must be verified over Bluetooth short-range wireless. However, with USB security keys, you still need to type in a password on your device before the security key unlocks the device. With the smartphone approach, simply unlocking a connected smartphone near the computer or tablet being used will suffice in place of a password for login.
When creating an account, you would still create a username. However, instead of creating a password, you would associate the account with your smartphone, which would take the place of the traditional string of characters typically used.
The primary benefit of a passwordless approach to authentication is phishing resistance. Your phone will ignore authentication requests from fake pages that could fool the human eye. USB keys also disregard look-alike web pages that are capable of fooling users. In addition, users won’t ever have to remember another password or use a password manager that might not be effective.
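The phishing resistance described above comes from tying each credential to the site it was created for. The following is an added example, not code from any of the companies mentioned: a simplified Node.js model of the origin-bound public-key sign-in that FIDO security keys use. The class names, the two hostnames, and the signed-data layout are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of origin-bound sign-in, not a real FIDO/WebAuthn stack.
const crypto = require('node:crypto');

// Bytes that get signed: the requesting origin, a separator, then the site's challenge.
const signedData = (origin, challenge) =>
  Buffer.concat([Buffer.from(origin + '\n'), challenge]);

// The phone keeps one private key per site, indexed by the origin it was enrolled on.
class Phone {
  constructor() { this.keys = new Map(); }
  enroll(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey; // only the public half leaves the phone
  }
  // The browser, not the page, reports which origin is asking.
  answer(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // unknown origin: the request is ignored
    return crypto.sign(null, signedData(origin, challenge), key);
  }
}

// The website stores the public key and checks a signature over its own origin.
class Website {
  constructor(origin) { this.origin = origin; }
  enroll(phone) { this.publicKey = phone.enroll(this.origin); }
  newChallenge() { return crypto.randomBytes(32); }
  accepts(challenge, signature) {
    if (!signature) return false;
    return crypto.verify(null, signedData(this.origin, challenge), this.publicKey, signature);
  }
}

// Constructed scenario; both hostnames are made up.
function demo() {
  const phone = new Phone();
  const bank = new Website('https://bank.example');
  const lookalike = new Website('https://bank-login.example');
  bank.enroll(phone);
  const challenge = bank.newChallenge();
  const genuine = bank.accepts(challenge, phone.answer(bank.origin, challenge));
  // Case 1: the look-alike relays the bank's challenge, but the phone has no key for it.
  const ignored = phone.answer(lookalike.origin, challenge) === null;
  // Case 2: even if the user had enrolled on the look-alike, that key and origin fail at the bank.
  lookalike.enroll(phone);
  const relayed = bank.accepts(challenge, phone.answer(lookalike.origin, challenge));
  return { genuine, ignored, relayed };
}
console.log(demo());
```

Because the decision is made on the origin string the browser reports, a page that merely looks identical to the real one gets either no answer or an answer the real site cannot verify.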
Suppose a hacker gains access to an account’s original password or steals a computer that has a login saved. In that case, they won’t be able to access your account unless they also have your phone and can bypass your biometric security login.
However, some issues are associated with using a smartphone for passwordless access. The first major issue is that phones can be lost or stolen. While attackers might struggle to bypass your device’s security measures, you might be locked out of your accounts without your phone unless you have enabled a secondary form of authentication. In addition, if your phone runs out of battery or is damaged, you could be locked out of your accounts until you charge or replace your phone.
There are inconveniences associated with passwordless sign-in, but in the mobile-first world we live in, there are major inconveniences to losing or damaging your smartphone in any case. Therefore, users interested in passwordless sign-in should make sure they enable a secondary form of authentication.
Final Thoughts
The traditional password is not going anywhere today, but the future of cyber security is moving away from passwords. Currently, security experts still recommend USB keys for extremely sensitive information. However, by announcing plans for a passwordless future, Google, Apple, and Microsoft are envisioning a digital future that is more secure and convenient. It is up to these tech giants to deliver on their shared vision.