Computerworld

The password is dead, long live Web Authentication

Chrome, Firefox and Edge are all looking at implementing the Web Authentication API

Stealing the password to a villain’s secret lair and infiltrating it to spring an elaborate trap might seem like an action movie cliché. In reality, it’s often villains who use passwords to infiltrate the accounts of individuals and organisations, setting a trap to steal private and financial information of innocent citizens. Currently identity crime costs Australia $1.6 billion each year and the only thing stopping hackers from emptying an individual’s bank account is the combination of an upper and lower-case letter, a number and a symbol.

Any cybersecurity professional knows that the password is not the most desirable form of verification, because it can easily be guessed, accidentally handed over or revealed in cyber-attacks. Despite all the known risks associated with passwords, the security of Australians’ internet identity currently depends on them.

Shining the spotlight on the Web Authentication API

Enter the new Web Authentication API, a new proposal to the World Wide Web Consortium (W3C) that is set to kill the password and replace it with a safer form of authentication using public key cryptography. Gone will be the days of remembering a different password for each web service individuals use. Instead, passwords will be replaced with a system of identity challenges that keeps verification information secure on an individual’s device, such as a phone or laptop, rather than on an organisation’s server.

The big three web browsers, Chrome, Firefox and Edge, are all looking at implementing the Web Authentication API (WebAuthn) technology to allow organisations to verify an individual’s identity by using their device.

Rather than asking a user to type in a code that is stored within an organisation, WebAuthn asks for verification by challenging the prospective user to confirm their possession of a key. When the user completes this challenge, either by swiping, entering a PIN on the device, or using biometric technology, the device informs the organisation that the challenge was met and the user is let in.

This new form of online verification solves two problems. Firstly, organisations are not required to store secrets like passwords and therefore become less enticing to cybercriminals who may be looking to mine an organisation’s database for passwords that users are probably reusing elsewhere. Secondly, users are no longer required to manage multiple passwords, because their verification is linked to a device they physically have on them, such as a mobile phone. It is a lot harder for a threat actor in Russia to steal a physical device in Australia than it is to steal a combination of letters and numbers from an internet server based somewhere between the two.

While it may be some time before this technology is a main player in access management, there is one tool Australians can use today that will better protect their online identity: two-factor authentication.

Don’t just rely on the password

Many organisations have tools in place to enable users to activate two-factor authentication on their accounts. Social media platforms like Facebook, Twitter and Instagram all have built-in options to send users an SMS code that must be entered when signing in from a new device. It is not foolproof, but it makes it harder for threat actors to gain unsolicited access to personal accounts and will limit the potential for identity fraud or email fraud.

Organisations should employ two-factor authentication to verify employees, requiring a second factor to ensure no one is accessing private organisational information without permission. Meanwhile, organisations that are consumer facing should follow the lead of some of the tech giants and provide two-factor authentication capability for consumers. Google has recently announced a USB and Bluetooth-enabled device that acts as a second form of identification for Google Suite accounts. These methods with additional devices may not always be ideal (for example, if you’ve left your token at home), but they do increase the security of the identity. Another approach is to utilise a mobile app that provides one-time passcodes and push authentication capability. These are easy to deploy and help to make an individual’s online identity secure.

Stay up on security

Threat actors have become more cunning, and the password is no longer as effective a form of secure online verification as it once was. The future may lie in using device hardware as cryptographic keys. However, passwords are all some people have at this time. So, at a minimum, passwords with two-factor authentication are a must for anyone serious about protecting their identity online.

Serkan Cetin is regional manager, technology & strategy, at One Identity APJ.