Are passwords a thing of the past?
In 2015, the most frequently-used password was (and still is) “123456”. For reasons of security, and because users cannot always remember a strong, unique password for each account, businesses are taking the bull by the horns and testing new ways of authentication. This article will take you on a quick tour of intrusion-prevention methods.
On the decline, but certainly the most-used, this method of authentication greatly simplifies the user experience and consists of a password combined with a user name.
Level of security: The method is relatively fallible, since it is not complicated to steal a user’s password, using a phishing operation or even by brute force.
Services using the method: All.
Introduced many years ago, Two-Factor Authentication (or “2FA”) adds an additional level after a log-in by username/password. After the first stage, the user receives an e-mail or SMS containing a single-use code which he has to enter in order to access his account.
Along similar lines, Apple proposes a biometric (finger print) confirmation of a log-in or a purchase.
Level of security: Simply adding a validation stage considerably improves the security of an account. In the majority of cases, the service does not fully reveal the telephone number or e-mail address on which the code is received, thus preventing hacking attacks.
Although the security level is quite high, it is nevertheless not infallible: PayPal paid the price for this in 2014 when researchers warned it of a weakness in the API corresponding to its 2FA, which provided a way round the request for a confirmation code.
Apart from this, mobile malware could simply redirect the SMS containing the confirmation code to a different number.
Services using 2FA: Gmail, Yahoo, Outlook, Facebook, Twitter, Amazon, Valve, PayPal, Apple, and certain banks.
Authentication without password
Yahoo and Google are currently working on new modes of authentication which do not require a password, although in both cases the user will still be able to log in using the traditional method.
Yahoo is proposing the sending of a 4-character code by SMS, whereas Google plans to approve a log-in via a mobile application. In the vent of an attempted illicit connection, Google may also ask for a password, in order to confirm the user’s identity.
Level of security: Both these two methods seem quite robust, although the Yahoo proposal regresses authentication to a single factor, which happens to be physical (the telephone). Better not loose it…
Services using it: Yahoo, Google (on beta test)
The major services on the Web regularly propose new ideas for making authentication both simpler and more secure. This is no simple task, however, and although methods are evolving, cybercriminals will clearly be able to adapt accordingly. While we await the results of all these tests, the future of the password seems assured.