Passwords exposed as vulnerable: ‘passwordless authentication’ replaces them. [Writer: Lee Jae-Hyung, Head of Technology Strategy (CTSO)]
In 2020 the World Economic Forum (WEF) named cyberattacks among the top 10 global risks, alongside climate change. In practice, much of the world is struggling with the vulnerability of passwords. This article looks at the problems with passwords as they are used today and at how authentication will evolve once digital transformation is complete.
■ Passwords: the poster child of weak authentication
Digital transformation, spanning artificial intelligence, big data, self-driving cars, IoT and contactless technologies as well as food delivery, taxi-hailing and fitness apps, is at the forefront of the fourth industrial revolution and has become an essential requirement for staying competitive. In this digital world, the physical me made of atoms is represented by a me made of bits in cyberspace, and an authentication technology that lets that digital self use services safely and conveniently is essential.
In the 1960s, when computers became widespread, people began storing large amounts of information in computer files, and this first digital transformation led to the universal use of ‘passwords’ to control access to data. As Internet use spread, the use of passwords to distinguish users grew exponentially. Passwords have thus become the most representative means of authentication, and about 300 billion of them are known to exist worldwide.
Passwords, now the most common authentication method, have long been easy prey for attackers because they are vulnerable to pattern-based attacks, guessing and brute-force attacks. As if to illustrate this, Twitter recently suffered its worst-ever hacking incident, in which the accounts of many prominent people, including former U.S. President Barack Obama, U.S. Democratic presidential candidate Joe Biden and Tesla CEO Elon Musk, were taken over and abused for financial fraud.
Twitter advised users to disable all affected accounts and reset their passwords. Experts recommend secondary authentication options such as hardware security keys with fingerprint readers, rather than text-message codes, as the second factor to limit the damage from such attacks.
The underlying reason password authentication is so weak is that the password was never designed as a means of secure authentication in the first place. As a result, password authentication has now lost much of its usefulness and, as the most vulnerable authentication method, carries heavy costs. News that millions or tens of millions of personal records have been leaked in a large-scale attack has become so familiar that it no longer seems remarkable.
■ Problems with passwords from the user’s perspective
The problems with passwords can be broadly divided into those seen from the user’s position and those seen from the administrator’s position. From the user’s point of view, passwords have the following problems:
1. Too many passwords
Fun and convenient online services, from food delivery apps and video content services such as YouTube to designated-driver services, taxi-hailing, simple payments and fitness apps, are released every day. Every new service means another online account for the user, and another password to manage.
According to a recent consumer survey released by the FIDO Alliance, a global online authentication association, users have about 90 online accounts on average, and 52 percent of users cover all of their services with fewer than five passwords. Only 5 percent said they use a unique password for each site.
When the users with fewer than five passwords were asked how they manage them, 45 percent said they rely on memory and 37 percent said they write them down on paper or keep them in Excel. A further 32 percent said they store them in their web browser, indicating that many Internet users have weak security awareness.
2. Increasingly complex passwords
Passwords that grow ever more complex to resist hacking are another problem. Early online services started with a four-digit password. Six digits followed, then eight, and now even that is not enough: passwords must combine upper- and lower-case letters, special symbols and numbers. According to the FIDO Alliance consumer survey, 76 percent of users had reset a password at least once in the last six months because they could not remember it, and 51 percent had done so within the last three months.
3. Passwords that require periodic changes
To make matters worse, the ‘periodic password change policy’, introduced piece by piece to compensate for the weak security of passwords, has become a new problem in its own right. Asked to make an already complicated password even more complex, users combine all kinds of letters and numbers into the most memorable string they can. Then it has to be renewed again every three months, or even every month.
Ironically, because of password policies that demand frequent changes, people create and use even simpler passwords that are easier to remember. In fact, from 2012 to the present, the most commonly used password in the world has been ‘123456’, followed by ‘password’.
■ Problems with passwords from the administrator’s perspective
1. Huge costs for password management and protection
From small organizations to those serving hundreds of millions of people, password management has become one of the IT department’s most important tasks. The cost and complexity of running a password authentication system keep rising: periodic password changes for security, employee and customer turnover, password resets, and the integration of database security, encryption settings and authentication services needed to protect the passwords themselves. From the organization’s perspective, money and energy that should go to its core competencies are being diverted into ‘management tasks’.
2. Impossible to control
Another problem is that the use of passwords cannot be controlled. A password system is fundamentally a shared-secret structure: the user and the service provider each hold the secret, compare them, and decide whether to authenticate.
Suppose the information security officer of a particular service organization has introduced a complex password policy to protect personal information, and has also arranged periodic changes, encryption and hardening of the server. If a user reuses the password they registered for another service, all of that becomes useless the moment that other service is hacked.
No matter how many layers of security are built and how many security solutions are deployed, the information security staff are helpless. Even if doors are locked on every floor, all the effort is wasted if the attacker holds a master key that opens every one of them.
■ A passwordless authentication strategy for the future
Companies that serve a wide range of devices, applications, OS platforms and browser infrastructure, such as Microsoft, Google, Apple and Samsung, have long been working on authentication methods to replace passwords.
The result is passwordless authentication such as OTP, secondary authentication and biometric authentication, and the strategy is to raise security by adding these passwordless methods on top of existing passwords.
Service providers whose digital services have become their core business, such as Facebook, Amazon and Bank of America, are joining this move to replace passwords and are building platforms and solutions that can offer a variety of authentication options based on passwordless authentication.
Beyond these public-facing services, network equipment vendors such as Cisco, VDI remote-working providers such as Citrix, and VPN companies are also reducing their dependence on passwords by introducing stronger replacement methods such as OTP, smart cards and FIDO authentication for administrators, practitioners and users.
The move away from passwords is happening not only in information security but also in convergence security. Because the convergence security field, with its IP cameras, web- and app-based remote surveillance and central control software, relies on very simple software-based password systems and has suffered many leakage incidents, passwordless authentication is expected to keep expanding there and replace many password-based systems.
For Korean companies to be competitive in the global market, cooperation between domestic information security companies and physical security companies, which have developed and prepared the relevant technologies for the passwordless era, is paramount. This convergence will create further opportunities by producing solutions that offer both greater security and greater convenience.
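To make concrete why FIDO-style authentication removes the ‘master key’ problem of the shared-secret model described under ‘Impossible to control’, here is an added illustration (not code from the article or from any FIDO product) of a simplified public-key challenge-response login: the device keeps one private key per service origin, each service stores only a public key, and a response for one origin is worthless at another. The origin names and user names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Authenticator models a FIDO-style device: one key pair per service origin, private keys never leave it.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }

// Register creates a fresh key pair for origin and hands back only the public key,
// which is all the service ever stores; no shared secret exists.
func (a *Authenticator) Register(origin string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	a.keys[origin] = priv
	return pub
}

// Respond signs the challenge bound to the origin, so a challenge relayed from another
// site cannot be answered with that site's key; nil means no credential for this origin.
func (a *Authenticator) Respond(origin string, challenge []byte) []byte {
	priv, ok := a.keys[origin]
	if !ok { return nil }
	return ed25519.Sign(priv, signedMessage(origin, challenge))
}

func signedMessage(origin string, challenge []byte) []byte { return append([]byte(origin+"|"), challenge...) }

// Service stores only public keys: a stolen user table logs in nowhere, unlike a reused password.
type Service struct{ origin string; users map[string]ed25519.PublicKey }

func NewService(origin string) *Service { return &Service{origin: origin, users: map[string]ed25519.PublicKey{}} }
func (s *Service) Enroll(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// NewChallenge returns a fresh random nonce so a captured response cannot be replayed.
func (s *Service) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { panic(err) }
	return c
}

// Verify accepts the login only if response signs this service's origin and this challenge.
func (s *Service) Verify(user string, challenge, response []byte) bool {
	pub, ok := s.users[user]
	return ok && ed25519.Verify(pub, signedMessage(s.origin, challenge), response)
}
```

A real FIDO flow adds attestation, user presence and counters, but the property shown here is the one that matters for the article's argument: compromising one service's database yields nothing that works at that service or any other.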