Tuna Day, Star Wars Day, Nude Gardening Day – just a few
of the countless 'days-of' you could be celebrating these days. Some days may
appeal to you more than others, but the day I want to talk to you about is World
Password Day. That day was created in 2013 by tech company Intel “to raise
awareness about the role strong passwords play in securing all of our digital
lives”.
So the password has its own celebration, but it is also
maligned. You have too many of them, they have to meet all kinds of complicated
requirements, you forget them, they want to be refreshed regularly and they are
far too important for the security of all those accounts. Isn't it time for the
password to give up that important role that Intel assigned it almost a decade
ago? In favor of something easier and safer?
Look around you. It's already there. How do you unlock
your phone? You can do it very easily with your fingerprint or with your face.
Your fingerprint is more secure than a PIN, because no one can copy it. And
yes, I am aware of those James Bond scenarios where fingerprints are taken from
a beer glass with tape and then imitated in latex, but mere mortals really
don't have to worry about that. Officials, for whom these kinds of high-tech
attacks can pose a threat, are aware of this all too well – I hope.
Consumer-grade facial recognition, as used in mobile phones, is often still too
easy to get around with a photo, so I don't recommend using it for
business/important applications.
Microsoft has been promoting 'passwordless
authentication' for some time: the system can determine that it is really you
without the need for a password. For a year now, business users have been able
to log into Outlook and OneDrive without a password. Instead, they use the
Authenticator app, Windows Hello, a physical security key or a verification
code they receive on their phone or by email.
An authenticator app (not only from Microsoft, but also
from Google and RSA, for example) generates a numerical code for every account
that you protect with it, which is usually valid for one minute. You must enter
this code when logging in. Currently, we mostly use this mechanism in the
context of multi-factor authentication (password + something extra), but
Microsoft wants us to get rid of the password entirely with this.
Windows Hello, for example, works with an infrared camera
that, among other things, looks at the thermal image of your face, the distance
between your eyes and the depth of your eye sockets and the position of your
mouth and nose. Without taking pictures. You can also use a PIN instead of this.
Huh? Isn't a PIN less secure than a password, because it uses only ten
different characters? For starters, the Hello PIN does not have to consist of
only numbers, but more importantly: the PIN is linked to a specific device, for
example your laptop. Moreover, the PIN is not something like a surrogate
password, but a code to unlock your own secret key. Using that key, a
cryptographically secured login request is sent to a server. Your PIN itself
will not be sent. And there is no server where your PIN is stored. This is
different with passwords: at an online store they know your password because
they have to be able to check it. That's why the world is always in turmoil
when a large company's password file is stolen.
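The login described in that paragraph, reduced to its essentials as an added example: this is not Microsoft's code, and it is a simplified model of the idea behind Windows Hello rather than its actual protocol. The device holds a private key, the PIN is checked locally and only unlocks that key for signing, the server issues a random challenge and verifies the signature, and the server keeps nothing but the public key. The names `authServer`, `device`, `signWithPIN` and `login` are invented for this illustration; the user `alice` and the PIN `1234` are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// authServer is the relying party. Per user it keeps only a public key and, during a
// login, the nonce it issued; unlike a password file, a stolen copy of pubKeys cannot be used to log in.
type authServer struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte // outstanding single-use nonce per user
}

func newAuthServer() *authServer {
	return &authServer{pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// enroll registers the device's public key, the only key material the server ever sees.
func (s *authServer) enroll(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// challenge issues a fresh random 32-byte nonce for the device to sign.
func (s *authServer) challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// verify checks the signature over the outstanding nonce and consumes that nonce
// whether or not the check passes, so a recorded response cannot be replayed.
func (s *authServer) verify(user string, nonce, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	want, issued := s.pending[user]
	delete(s.pending, user)
	if !ok || !issued || subtle.ConstantTimeCompare(want, nonce) != 1 {
		return false
	}
	return ed25519.Verify(pub, nonce, sig)
}

// device models the laptop: the private key lives here and the PIN only unlocks it locally.
// Real Windows Hello keeps the key in a TPM that also rate-limits guesses; the bare SHA-256 check just keeps the model short.
type device struct {
	priv    ed25519.PrivateKey
	pinHash [32]byte
}

// newDevice generates the key pair and sets the PIN; the public key goes to enrollment.
func newDevice(pin string) (*device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, pub, nil
}

// signWithPIN checks the PIN locally and, only if it matches, signs the nonce
// with the device key. The PIN itself is never transmitted anywhere.
func (d *device) signWithPIN(pin string, nonce []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		return nil, errors.New("wrong PIN: rejected on the device, nothing sent")
	}
	return ed25519.Sign(d.priv, nonce), nil
}

// login runs the whole exchange: challenge, local PIN check and signature, verification.
func login(srv *authServer, user string, d *device, pin string) (bool, error) {
	nonce, err := srv.challenge(user)
	if err != nil {
		return false, err
	}
	sig, err := d.signWithPIN(pin, nonce)
	if err != nil {
		return false, err
	}
	return srv.verify(user, nonce, sig), nil
}

func main() {
	srv := newAuthServer()
	dev, pub, _ := newDevice("1234") // constructed sample PIN
	srv.enroll("alice", pub)
	fmt.Println(login(srv, "alice", dev, "1234")) // true <nil>
	fmt.Println(login(srv, "alice", dev, "0000")) // false, plus the local wrong-PIN error
}
```

Two things are worth noticing when running it. The wrong-PIN attempt fails inside `signWithPIN`, before anything is sent, which is the column's point that the PIN is not a surrogate password travelling to a server. And the only per-user record the server holds is a public key: a dump of that table lets someone verify signatures, which is useless for logging in, whereas a dump of a password database can be attacked offline. The single-use nonce is what prevents a recorded login exchange from being submitted a second time.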
Windows Hello is just one example of a passwordless
future, chosen here because I think there's a good chance this will be - or
already is - your first experience with it on a computer. In order to be
comfortable using such technology, it is important that you have some
understanding of how it works. A few years ago, when I unpacked my new computer
and Windows 10 wanted me to make up a PIN instead of a password, I too thought
that was weird. But with some explanation, the puzzle pieces fall into place.
Many properties of passwords have become obsolete, such
as complexity requirements and the requirement to change them regularly. We can
modernize those features, but we can also take a big step right away and do
away with passwords altogether. Intel, which came up with this theme day, is
also participating in the FIDO Alliance, a worldwide group in which technology
companies work together on a strong way to authenticate users without
passwords, because they believe in its security. We are moving towards easier,
safer times. But in the meantime: use a password manager, which makes up and
stores passwords for you, and which logs in automatically for you. That is
always safer than messing around yourself. Because that's just what we humans
usually do when it comes to passwords.
And in the big bad world…
… a lot has undoubtedly been going on again, but this
week I didn't have time to select that information and present it here.