Are passwords becoming outdated? asks Dominik Samociuk, pictured, Head of Security at the cyber, cloud and AI consultancy Future Processing.
Passwords have long been littered with cybersecurity issues – whether that be through interception, brute-force attacks, or their vulnerability to phishing attempts. They have become an afterthought for many users as we transition to more sophisticated methods of keeping online accounts secure. Password security largely remains unsophisticated, consisting of a username (usually an email) and a word or PIN code to grant online account access.
On average, a password is reused 13 times in its lifetime, leading to increasing concern for businesses over employee account security as these details can be used up to 154 times a month – giving hackers ample opportunity for interception.
Passwords are the most common form of digital identification but are also the easiest to spoof, hack and corrupt, with over 24 billion exposed in 2022. Users often choose passwords that are simply identifiable to them and that, as a result, can be guessed easily by hackers. Brute force attacks exploit the vulnerability of those without prior knowledge of how and why it is important to keep their accounts secure – often targeting the most vulnerable people in society. Given ‘Password’, ‘1234’ and ‘qwerty’ are still among the most commonly used passwords and 12% of websites still lack password length requirements, removing the ability for the user to choose their identification key eliminates a host of cybersecurity vulnerabilities.
The foundation of this issue lies with adoption. Passwords have been around longer than the internet, and as a result have become deeply ingrained into our society, becoming the default method of identification. However, as more critical services, such as online banking, work-from-home platforms and government gateways, become digitalised, the security of our online accounts has never been more important.
Multi-Factor Authentication (MFA) and biometrics
A user’s cybersecurity is only as strong as its weakest link; therefore MFA (used by 36 per cent of people) is used by many online sites to bolster account security. While dictionary passwords are still very common for online accounts, additional authentication methods can be used alongside traditional password authentication. These often take the form of email, SMS or authentication apps where the account holder is required to type in a unique code to sign in before gaining full account access.
Magic sign-in links are also increasing in popularity but require access to emails or SMS messages; if one of these environments is hacked, it can lead to some connected accounts also being compromised. However, MFA adds a layer of security against hackers and bad actors, making accounts more difficult to breach.
A method commonly used within MFA authentication is user biometric data. While biometric identification has been around for years and can even be traced back to 500 BC (admittedly in a much more simplistic form), it rose to popularity when integrated into digital consumer devices.
Still, it is preferred by many, with 72 per cent of consumers preferring biometrics over passwords. Biometric authentication often takes the form of facial recognition and fingerprint scanning – the two most commonly found on consumer devices – however, voice recognition, retinal scans and more can also be used to increase digital security and reduce unauthorised access and identity theft. Biometrics are designed to work alongside passwords, typically as a more convenient way for users to log into internet accounts. In addition, they can be used in isolation, and as consumer devices become more advanced the replacement of passwords with this alternative becomes imminent.
Biometric identification is a more secure alternative to traditional passwords. The most common form of biometric identification, fingerprint recognition, is incredibly secure with no two fingerprints ever found to be identical – accounts that rely on this technology become almost infallible and incredibly difficult to access (close to a one in 64 billion chance). These methods also remove the margin of guesswork that passwords find themselves vulnerable to.
Furthermore, modern facial recognition systems use more than simple image recognition: Apple’s Face ID system uses infrared cameras to project thousands of invisible dots onto the user’s face to create depth maps unique to the individual, offering significantly higher levels of sophistication than traditional passwords.
However, as we move toward a biometric-heavy future, there are still some key roadblocks. In most consumer devices, biometric authentication is used in conjunction with passwords or PINs; therefore the superior security of biometric systems is rendered useless and becomes just as vulnerable without them. Furthermore, there is still a level of scepticism among consumers about how and where this biometric data is stored, so it is likely to take a long period before consumers ever unanimously get behind the developing technology.
A new future with Passkeys
Described as almost hacker-proof, following their introduction, passkeys have risen as viable alternatives to traditional passwords. Used by 79 per cent of consumers on the password manager platform 1Password, a digital passkey follows a sequence whereby a digital credential is created and linked to an individual user on a particular website. This credential is used and shared with the website or application when a user unlocks their device. Passkeys provide enhanced security to users as the opportunities to intercept are far lower, and as the user isn’t aware of their credentials, the ability for hackers to use human vulnerabilities is removed.
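The sequence described above can be modelled in a few lines. This is an added example, not code from the article or from any passkey vendor: a simplified model of the public-key challenge-response that passkeys use, in which the origins, the challenge value and all function names are constructed for illustration and Ed25519 stands in for the device's key pair.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Assertion is what the device returns once the user unlocks it (simplified).
type Assertion struct {
	Origin    string // filled in by the browser, not typed by the user
	Challenge []byte // server nonce being answered
	Sig       []byte
}

// Register models passkey creation: the site stores pub, the device keeps priv.
func Register() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(fmt.Errorf("passkey keygen: %w", err))
	}
	return pub, priv
}

// signedData binds a signature to one site and one login attempt.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	return append(h[:], challenge...)
}

// Sign runs on the device; there is no secret for the user to know or disclose.
func Sign(priv ed25519.PrivateKey, origin string, challenge []byte) Assertion {
	return Assertion{Origin: origin, Challenge: challenge, Sig: ed25519.Sign(priv, signedData(origin, challenge))}
}

// Verify runs on the website against the challenge it issued for this login.
func Verify(pub ed25519.PublicKey, site string, issued []byte, a Assertion) bool {
	return a.Origin == site && bytes.Equal(a.Challenge, issued) &&
		ed25519.Verify(pub, signedData(site, issued), a.Sig)
}

func main() {
	pub, priv := Register()
	site, c := "https://bank.example", []byte("constructed-challenge-1") // real challenges are random
	fmt.Println("genuine site:", Verify(pub, site, c, Sign(priv, site, c)))
	fmt.Println("look-alike:  ", Verify(pub, site, c, Sign(priv, "https://bank-login.example", c)))
}
```

An assertion captured on a look-alike origin is rejected even if its Origin field is rewritten afterwards, because the signature was computed over the other origin; an assertion for an earlier challenge is rejected as well.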
There are, however, several issues with passkeys. They require sophisticated devices and software and, as a result, many websites or consumer applications might not have the ability to harness or host this identification method. Furthermore, as passkeys use consumer devices as authentication, users lose access to their accounts if these devices are stolen – when sensitive and critical services such as online banking might use this technology, significant issues arise. Passkeys are slower than other forms of identification, taking up to 30 seconds for websites to verify credentials.
Passkeys signal a shift away from traditional passwords as they are easier to use and unforgettable for the end-user. However, as traditional passwords are what feels familiar to the consumer, forced adoption might be the only way forward for increased use of the technology. Passkeys are a glimpse into the future: major players, such as Google, are already transitioning users to passkeys by default, but adoption rates among consumers are still low.
A long road ahead
While passwords are being phased out, with many online accounts now requiring an alternative or additional authentication method, the question remains whether society can truly move away from them given how ingrained they have always been in digital society. There are also still some issues poised to disrupt the process of their obsolescence.
Despite being faster, and more secure, using biometrics or passkeys as a replacement for passwords requires more sophisticated consumer devices and lengthier transitional periods that many consumers aren’t willing to make, and as such, adoption rates plateau. While authentication might be transitioning, passwords will remain a central part of our online security despite new methods or mandates.





