Why are passwords still used as an authentication method even though they are 'high security risk'?

When logging in to a web service from a PC or smartphone, the usual way to prove who you are is to enter an ID and a password. The conventional password method, which relies on nothing more than a typed character string, carries a high security risk: passwords are leaked or recovered by brute-force attacks. In recent years, passwordless authentication methods based on biometrics or physical security keys have appeared, yet the transition to passwordless is slow.

Why the password isn't dead quite yet | Ars Technica

There is no doubt that passwords are a major security concern. Creating and managing passwords is cumbersome, so users reuse them and choose ones that are easy to guess.

In fact, the most used password in 2020 was '123456', followed by '123456789', and it is well known that passwords others can easily predict, or that brute-force attacks can easily break, are in widespread use.

What was the most used password in 2020? In addition to regulars, new faces have also appeared-GIGAZINE

Therefore, biometric authentication, in which authentication is performed with innate, hard-to-steal attributes such as the shape of a face recognized by a camera or a fingerprint read by a sensor, is spreading as a form of security that is not easily compromised by others.

For example, unlocking a mobile phone with a face or fingerprint scan has become commonplace thanks to technological advances. Such biometric checks do not need to contact a server to verify the login; the check is done inside the phone. A device-independent physical security token, such as a Titan Security Key or a YubiKey, can also be used to log in without a password, and it is said that these physical tokens will eventually be usable on almost all PCs and smartphones.
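The property described above, that the check happens on the device and the web service never holds the secret, is what a FIDO-style public-key login gives you. The following Go model is an added example, not code from the article or from any FIDO product: the device keeps a private key, the server stores only the public key, and each login is a signature over a fresh challenge bound to the site's origin and a monotonic counter (names such as `Authenticator`, `Server` and `signedData` are this example's own).

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
)

// Authenticator models the phone or security key: the private key is minted
// here and never leaves; only signatures over server challenges do.
type Authenticator struct {
	priv    ed25519.PrivateKey
	counter uint32
}
// Server models the web service: it stores only the public key, its own origin
// and the last counter seen, so a leaked database yields no usable credential.
type Server struct {
	pub         ed25519.PublicKey
	origin      string
	lastCounter uint32
}
// Register: the device generates a key pair and hands over the public half.
func Register(origin string) (*Authenticator, *Server) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if rand.Reader does
	return &Authenticator{priv: priv}, &Server{pub: pub, origin: origin}
}
// NewChallenge is the server's fresh per-login nonce.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}
// signedData binds the challenge to the origin the browser is talking to and to
// a monotonic counter (a cut-down form of WebAuthn's signed client data).
func signedData(origin string, challenge []byte, counter uint32) []byte {
	msg := append([]byte(origin), 0)
	msg = append(msg, challenge...)
	return append(msg, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
}
// Respond runs on the device: sign for the origin the browser reports.
func (a *Authenticator) Respond(origin string, challenge []byte) ([]byte, uint32) {
	a.counter++
	return ed25519.Sign(a.priv, signedData(origin, challenge, a.counter)), a.counter
}
// Verify runs on the server: stored public key, own origin, strictly growing counter (rejects replays and cloned devices).
func (s *Server) Verify(challenge, sig []byte, counter uint32) bool {
	if counter <= s.lastCounter || !ed25519.Verify(s.pub, signedData(s.origin, challenge, counter), sig) {
		return false
	}
	s.lastCounter = counter
	return true
}
```

Because the origin is part of the signed data, a response produced for a look-alike site does not verify at the real one, and a replayed response fails the counter check.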

Microsoft announced in June 2021 that Windows 11 recommends biometrics and passwordless sign-in with a PIN. Google, one of the leaders of the FIDO Alliance, which develops standards for multi-factor authentication, is actively working to make online authentication passwordless. Apple has announced that iOS 15 and macOS Monterey will incorporate a 'passkey' feature into the iCloud Keychain that allows account verification with Face ID and Touch ID without using a password.

Apple is developing a 'passkey' feature that allows you to log in to web services with just Face ID or Touch ID without a password-GIGAZINE

While the entire industry is striving to eliminate passwords, two major challenges to eliminating them altogether remain.

One is that 'password authentication is used too much all over the world.' 'Every user always sets a password first. This is a learned behavior. We rely on the truly poor foundation of passwords. That's the problem. We have to get rid of that dependency first,' said Andrew Shikiar, executive director of the FIDO Alliance.

To promote passwordless authentication standards, the FIDO Alliance has the organizations that adopt them collect questionnaires, surveys the user experience every year, and publishes user experience guidelines based on the results. 'If you create (a system), people will follow you,' Shikiar commented.

The second issue is that the passwordless authentication standards only support new devices. Many people around the world use old smartphones and feature phones that do not support passwordless authentication with face or fingerprint recognition, so even though the FIDO Alliance is developing the standards, the hardware in use cannot keep up.

Even as passwordless spreads, the real problem of having to move away from passwords remains. The password manager 1Password has introduced Touch ID and Face ID in place of the 1Password master password in its iOS and macOS versions, but this only makes the master password that unlocks the manager passwordless; the passwords it manages are not themselves replaced by Face ID or Touch ID.

'I've always been concerned about password alternatives. For example, biometrics use user-specific physical characteristics, but if attackers steal fingerprint and facial data, the question of what to do about spoofing comes up. You can change your password each time, but you can't change your face or fingerprints,' said Akshay Bhargava, Chief Product Officer at 1Password.

Meanwhile, Mark Risher, senior director of identity and security platform products at Google, said, 'All the components that underpin passwordless have reached the maturity needed to move from the early days, when only tech enthusiasts had access, to the mainstream. It has strong platform support, works with all major providers, and is familiar to users. Until now, the industry didn't even know how to get rid of passwords. Now it takes time, but I know how to do it.'

in Security, Posted by log1i_yk