Kill the password

Passwords compromise security

Mukund Iyengar
SecureMeeting
Jun 28, 2021


I forget my passwords all the time. So do you. The average person spends more than 12 minutes/week entering or resetting passwords, and juggles 70 logins to keep their virtual life going. It’s tiresome to keep proving to these portals that you are you.

Authentication in the physical world relies on government issued ID cards. In the virtual world, passwords are still the norm. Between these worlds, a new reality is starting to emerge: the meta-verse. In this new cyber-physical reality, we should ditch the password altogether.

Passwords make your organization less safe

Passwords account for 81% of all hacking-related security breaches. The core problem with a password is that anyone who has it can act as if they were you. It just needs to be stolen.

Passwords only need to be stolen

Here are the most popular vulnerabilities passwords create, from simple to sinister:

  1. Shoulder Surfing: Easiest of the lot — someone looks over your shoulder as you punch in your password. And then they quickly race to another machine to do the same.
  2. Spraying: Like spraying bullets, a hacker attempts a breach by trying the most commonly used passwords against many accounts. A famous example is the Citrix breach.
  3. Social Engineering: Most folks use passwords that revolve around their children, pets, important dates, family or their license plate. If the hacker knows the target in real life, this can lead to more ‘informed’ spraying.
  4. Key-logger: A hidden program monitors every keystroke and reports it to the hacker. The hacker needs to find a way to get the target to install this code, commonly as an email attachment.
  5. Phishing: The hacker sends an email to the target posing as a friend, colleague or supervisor. The target clicks to open it immediately. The hacker then redirects the target to a site the hacker controls (which looks like a legitimate site). The target happily gives up account credentials. Phishing continues to be the most potent way to crack open passwords. People, not code, are often the weakest link in the security chain.
  6. 2FA, MFA, and APT: With smartphones becoming ubiquitous, most enterprises are switching to two- or multi-factor authentication (2FA/MFA). This switch has already overcome many of the weaknesses of a plain login/password. However, recent breaches like SolarWinds hint that many advanced persistent threat (APT) groups, often backed by sovereign governments, try to exploit loopholes (see FireEye’s remediation strategies after the fact).
  7. Web 3.0 approaches generate unique passcodes for each authenticated user. Often using OpenSSL and SHA in the background, a unique hash based on user input results in a complex, hard-to-forge password which acts as a “private” key. The advantages are twofold: (i) the user did not generate the password, making it inherently more secure, and (ii) account information is pushed to the edges and not stored in a central location, removing a single point of compromise. Although these approaches still require a password, most implementations let you simply scan a QR code instead of punching in long passcodes.
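The spraying attack in item 2 has a signature a defender can look for: one source failing against many different accounts in a short window, as opposed to a brute force hammering one account. The block below is an added example, not code from the original post or from SecureMeeting; the log format and the threshold values are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log, one event per line: "timestamp user source_ip result".
# 203.0.113.7 sprays six accounts in seconds; 198.51.100.4 is one user mistyping.
SAMPLE_LOG = """\
2021-06-28T09:00:01 alice 203.0.113.7 FAIL
2021-06-28T09:00:02 bob 203.0.113.7 FAIL
2021-06-28T09:00:03 carol 203.0.113.7 FAIL
2021-06-28T09:00:04 dave 203.0.113.7 FAIL
2021-06-28T09:00:05 erin 203.0.113.7 FAIL
2021-06-28T09:00:06 frank 203.0.113.7 SUCCESS
2021-06-28T09:05:00 alice 198.51.100.4 FAIL
2021-06-28T09:05:30 alice 198.51.100.4 FAIL
2021-06-28T09:06:00 alice 198.51.100.4 SUCCESS
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: sorted distinct users} for every source whose failed
    logins touch at least `min_users` distinct accounts within any `window`."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):  # sliding window over sorted failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def compromised_after_spray(events, flagged):
    """Accounts that logged in successfully from a flagged source: reset these first."""
    return sorted({u for _, u, ip, r in events if r == "SUCCESS" and ip in flagged})
```

Thresholds are assumptions to tune against your own baseline: a shared NAT address or a helpdesk host will legitimately fail against several accounts, so pair the source-based count with a check on how many distinct passwords each account saw.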

World without Passwords?

Passwords are clumsy, ugly and inefficient. The future is password-less. A world without passwords will create barrier-less interactions, cleaner UI/UX, and reduced IT storage/intervention. Passwords continue to be the most dominant vulnerability and burden for organizations of all sizes.

Enter Metaverse

We currently live in two separate worlds: the physical and the virtual. Within the next decade, we will increasingly live in a third new world which is somewhere between the physical and virtual. This world is the meta-verse.

The physical world is the world without computing. You take a walk in the park, enjoy a sunset by the beach, and meet people in real life. In this world, authentication is based solely on government-issued IDs.

The virtual world is when you are logged on to the Internet. You are constantly racing from one site to another. And with it, you are constantly having to prove to these sites that you are you.

Meta-verse is an emerging world which exists between the physical and virtual, sometimes using spatial 3-D lands. It is created by the convergence of virtually enhanced physical reality and physically persistent virtual space, including the sum of all virtual worlds, augmented reality, and the Internet. As a “concept” it has been around since 1992. But with the advancement of AR/VR, Internet penetration and proliferation of devices, the promise will soon be realized.

Authentication of the future will be password less, automatic, continuous, and use multi-factor biometrics (face, voice, fingerprints, gait, and so much more). With the rise of meta-verses, we will soon find a way to authenticate ourselves in the virtual world using a continuous feed of real-time biometric vectors from the physical world.

And with that, we will say goodbye to passwords. At SecureMeeting, we are already hard at work.

SecureMeeting

SecureMeeting is on a mission to advance human rights and freedom of speech. We do this by designing, developing and deploying planetary-scale, privacy-preserving communications architectures for all of mankind.

We are a US 501(c)(3) non-profit.

Send us a note, we’d love to hear from you: hello@securemeeting.org
