People have an ancient-long history of using passwords. Let's recap the development of passwords and authentication technologies (2FA, MFA, OTP, U2F, FIDO2). Plus, you can find our manual on how to become passwordless in 2020.
The Rise (and Fall?) of Passwords
People have an ancient-long history of using passwords. From the battle between the tribes of Gilead and Ephraim described in the 12th chapter of the biblical Book of Judges, they were used to authenticate allies and detect enemies. The military later evolved the process by using a password and a counterpassword that functioned as a challenge-response model.
Apart from restricting physical access, passwords were used to keep a communication or some information a secret. No wonder that passwords became an essential part of computers in the early days of computer development. The first password login in a computer system was implemented in 1961.
However, the first computer password hack happened only a year after they were introduced. In 1962 due to a software bug, a list of users and their passwords greeted everyone who logged into the system. Oops.
Despite continuing hacks and leaks, passwords are now everywhere – PC, phones, websites, apps, games, banking, etc. And people have been relentless in finding a way to make authentication more secure.
Nowadays, there is a plethora of authentication methods. Let's recount the most common approaches:
- Single Factor Authentication is the simplest and most common form of authentication. To access a service or system, you need to provide only one authentication method, such as a password, PIN, PIV card, etc. This type of simplicity doesn't guarantee a proper security level because, in most cases, fraudsters can easily guess or stole the credentials.
- 2nd Factor Authentication is a general recommendation for account protection. The research found that 2FA can prevent 80% of data breaches. It adds another layer of verification requiring a PIN, One Time Password, hardware token, etc. on top of the password. The downside – 2FA requires an extra step, which means extra time and cognitive effort.
- Multi-Factor Authentication is the most sophisticated method that requires two or more independent factors to be provided by a user. Usually, MFA leverages two or three elements from the list:
- Something you know – a password, PIN, security question;
- Something you have – a hardware token like Hideez Key, mobile phone, smart card;
- Something you are – fingerprint, FaceID, iris scan;
- Something you do – typing speed, locational information, etc.
On top of the number of factors, there are multiple authentications technologies and protocols on the market.
The easiest way to handle personal credentials is to record them. Since journals are not that secure, password vaults were introduced. There are multiple products available – for free or on subscription with encrypted storage on a cloud or local device. Password managers and vaults are great for remembering passwords, but they neither simplify nor secure the authentication process.
To get rid of multiple passwords, developers invented Single Sign-On (SSO). Now it is one of the most common enterprise solutions that allows using one set of credentials to access multiple services and applications. Employees save time on entering passwords, and an IT admin gets more control over access to enterprise services and fewer password-related requests. SSO can lower the risk of a successful cyberattack by reducing the number of credentials at risk.
Since the use of single-factor authentication is generally frowned upon in security circles, One Time Passwords (OTP) became a standard 2FA for services containing sensitive information, like online banking, medical portals, etc. Usually, OTP is a string of numbers that is valid for one session or transaction. Since OTP dynamically changes the exact sequence, this authentication method is not vulnerable to replay attacks. There are several methods of OTP generation:
- Time-synchronization between the authentication server and the client providing the password, meaning OTPs are valid only for a short period of time.
- A mathematical algorithm that generates a new password based on the previous one, forming a chain.
- A mathematical algorithm that forms a new password based on a challenge (for example, a random number chosen by the authentication server or transaction details).
To strengthen and simplify 2FA, developers created a U2F (Universal Second Factor) protocol. It connects a Bluetooth, USB or NFC device with an online service and performs a challenge-response authentication using public-key cryptography methods and a unique device key. On the user-side, it is as simple as pressing a button on the device or tapping over NFC. Since U2F requires a physical device for authentication, it is attack-resistant and protects even simplified passwords.
A New Approach
All these methods sound great, and they do provide better security for your data. But on the road to security, we are constantly compromising usability. So here is a thought: "Can we protect our data without any passwords?".
A group of enthusiasts said "Yes," and developed the FIDO2 framework.
It replaces passwords altogether with a new type of credentials that cannot be stolen.
FIDO2 consists of the W3C Web Authentication (WebAuthn) standard and the FIDO Client to Authenticator Protocol (CTAP). Together they create a process in which a user-controlled cryptographic authenticator connects with a WebAuthn Relying Party (a FIDO2 server) via a web user agent (a browser).
During registration, a pair of private and public keys is generated. The private key is stored on the device, while the FIDO2 server registers the public key in a database. During authentication, the public key is entered for the web service and is verified with the private key unlocked by a user's action.
There is much going on in the background, but a user should only press the button, scan a fingerprint, or perform another authentication action. The only downside of the FIDO2 framework is that it is not widely supported yet.
Back To Reality
The true passwordless approach is unachievable in the real world because we have too many systems, platforms, and services. There is no silver bullet that could meet all the requirements, be secure and simple. It's like the good-fast-cheap paradox. What we can do is to take a basic idea of complicated background work that is initiated by a simple action.
It is similar to the way cellular networks operate. Once a phone is turned on, it starts searching for a signal from base transceiver stations. To establish a connection, your phone sends its unique identifier to the station. They keep their contact by a periodical exchange of packages according to an analog (AMPS, NAMPS, NMT-450) or digital (DAMPS, CDMA, GSM, UMTS) protocols.
An average phone owner doesn't have a clue how it works. He/she just turned on the phone.
The Game Changer
What if I tell you that such a seamless experience already exists? Yes, you got that right. You can enjoy 'passwordless' experience for your websites, apps, and even protected files with one simple solution. Hideez.
Hideez Enterprise Solution and Hideez Key for Individuals manage all the authentication-related tasks in the background, while you don't need to even think about passwords.
- Step 1. Hideez works as a password vault remembering all of your passwords (around 2,000 of them!) and keeping them secure with several encryption layers.
- Step 2. Hideez enters your credentials in seconds. There are several modes you can use: a) press the button on Hideez Key, and b) use custom hotkeys. Voila!
Bonus: You don't need to worry about phishing attacks ever again. Hideez will not expose your credentials to a fake website or app.
- Step 3. You can use the Hideez solution to lock and unlock your PC. Again, several options are available: a) proximity – approach your PC or walk away; b) touch – tap our Bluetooth dongle to unlock and press the button to lock your PC; c) RFID – unlock your PC using an RFID reader.
- Step 4. Hideez Enterprise Solution allows admins to update employees' passwords on the server, so the end-users won't even know something has changed, and a company IT department won't deal with multiple requests to reset newly created passwords.
- Step 5. Following best cybersecurity practices and NIST recommendations, Hideez provides 2FA with a built-in OTP generator.
That was our short manual on how you can achieve a smooth passwordless experience in 2020.
One Key. One button. Multiple customizations. All of your credentials are safe and sound, and authentication works in the background.
If you cannot wait to test Hideez for yourself, fill out the form below. Add a code "Passwordless" to get a special offer as a thank you for finishing this long read :)