Let’s start with a pop culture reference. In the 2019 movie Spider-Man: Far From Home, Peter Parker (Tom Holland) is trying to locate his friends via Instagram. He asks Happy Hogan (Jon Favreau), head of security at Stark Industries, for his smartphone to access the app.
Peter Parker: What’s your password?
Happy Hogan: Password.
Parker: No, what is your password?
Hogan: Password. The word spelled out.
Parker: You’re head of security and your password is “password”?
Hogan: I don’t feel good about it either.
Unfortunately, Happy Hogan isn’t the only one setting weak passwords. The 2022 Weak Password Report by password management vendor Specops Software, which was compiled through proprietary surveys and data analysis of 800 million breached passwords globally, found that people turn to seasons (yes, summer, winter and autumn), musicians, sports teams, movies (Rocky was No.1 on the list, Spiderman was No.11) and TV shows when choosing and building passwords. So, just how vulnerable will passwords be in 2023?
Is the password-less future here?
The discussion about a shift away from passwords has been going on for a while. But industry experts believe the “death of the password” is still not in sight. In a recent article for Help Net Security, an independent website focused on information security, Jackson Shaw, chief strategy officer at Clear Skye, an identity and access management software company, said it is still early days for a password-less world. “We’ve talked about the death of the password for years, but this shift requires major infrastructure changes that many enterprises simply aren’t ready for and can’t afford,” Shaw writes. “With engineering, websites, and products that will need to be rewritten entirely, it’s not as easy a fix as some might assume.” Shaw says that while products like Apple Passkeys are easy to integrate and use, it’s unrealistic to believe that this year we will say goodbye to passwords for good.
Passkeys to the rescue
In 2022, we saw the emergence of passkeys. Companies such as Google, Apple and Microsoft updated their services and apps to enable passkeys. But what exactly are passkeys? Google describes them as a digital credential, tied to a user account and a website or application. Passkeys allow users to authenticate without having to enter a username, password, or provide any additional authentication factor. This technology aims to replace legacy authentication mechanisms such as passwords, an overview article on the Google Identity website explains.
With passkeys, users can sign in to apps and websites with a biometric sensor (such as fingerprint or facial recognition), a PIN, or a pattern. This frees them from having to remember and manage passwords. On Android, Google Password Manager, the built-in system, stores, serves and syncs passkeys. Similarly, on Apple devices, Face ID or Touch ID can be used to unlock a passkey. Synced through iCloud Keychain, these are available across Apple devices; an iPhone can even be used to sign in to apps and websites on non-Apple devices.
Password-less authentication is also catching on with password manager software. Recently, NordPass, a password manager platform, announced that it is set to introduce password-less authentication later this year. “We are currently working on enabling a password-less sign-in to NordPass. It will be a faster and simpler process than the one now, since it will require a single biometric confirmation,” Sorin Manole, product strategy manager, Nord Security, explains in a blog post.
There are a couple more reasons why we could see an increase in the adoption of passkeys. One, they are standardised: a single implementation enables a password-less experience across different browsers and operating systems for every user. This also makes them more secure overall, and harder to compromise.
Certainly, there’s growing awareness about passkeys. When Apple demonstrated passkeys at its Worldwide Developers Conference last June, the tone was set and pretty clear: passwords are slowly heading out, passkeys are in.
Password management will become more crucial
Speaking of password manager apps, thousands of users scampered recently when LastPass, one of the most popular password manager services, revealed in December that hackers had stolen encrypted copies of customer passwords and other sensitive data such as phone numbers and IP addresses.
While such technical breaches are not the fault of an individual user, the element of human error continues to loom large. According to the 2022 Psychology Of Passwords report by LastPass, based on a survey of 3,750 professionals at organisations across different industries in the US, UK, Germany, Australia, Singapore and India, 65% of people said they had some cybersecurity education. Despite that, many (62%) were still reusing passwords. This recycling of passwords is a key reason for cyberattacks.
Writing in a November 2022 blog post, Matthew McWhirter, senior director, APAC, LastPass, noted that the vast majority of cyber breaches still occur due to weak, reused or stolen credentials.
It’s no surprise, then, that governments around the world are making a concerted push for better password management to help organisations, with a focus on password managers. The Australian Cyber Security Centre published advice on the use of password managers in April last year. Similar advisories were published by SingCERT, Singapore’s cybersecurity agency, CERT NZ and CERT-In last year.
2FA will become the norm
Whether logging into office email or a Twitter account, two-factor authentication, or 2FA, will be the way forward for many users. 2FA is a type of multi-factor authentication (MFA) that strengthens access security by requiring two methods (also referred to as authentication factors) to verify your identity. A user provides a password as the first “factor” and then a passcode, a one-time password (OTP), or even a biometric factor as the second step.
It’s a safeguard that is becoming increasingly essential on many platforms. For instance, GitHub, the popular cloud-based Git repository hosting service, will require all users who contribute code on GitHub.com to enable one or more forms of 2FA by the end of 2023. This is to ensure all developers are protected from account theft on the platform.
As a user, you can rely on 2FA via authenticator apps; Microsoft, Google and Duo Mobile all offer apps in this department. You can also go to platforms like 2fa.directory to see a list of websites that support 2FA.