Intelligent CIO APAC Issue 07 | Page 32

EDITOR’S QUESTION

WILL A PASSWORDLESS FUTURE HELP US ENSURE EFFECTIVE CYBERSECURITY?

In our last issue, we asked industry experts whether a passwordless future will help us ensure effective cybersecurity. We had so many responses that we are looking at the issue again. To kick off this second installment, here’s the response from Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance.

Passwords are vulnerable and a shift away from them is a must for robust cybersecurity. According to the World Economic Forum, the average consumer keeps track of more than 191 pairs of usernames and passwords. The challenge is that passwords are hard to remember and keeping track of hundreds of passwords makes it almost impossible. This is why most people tend to reuse the same passwords, or they make minor variations of a few passwords. Currently, about 80% of data breaches occur due to poorly managed, easily guessed or stolen passwords.

In the IoT space, there is a greater need for passwordless authentication. IDC estimates that there will be 41.6 billion connected IoT devices globally by 2025, opening up opportunities for increased efficiencies. Yet, lack of IoT security standards and typical processes such as shipping with default password credentials and manual onboarding leave devices, and the networks they operate on, open to large-scale attack.

In recent years, MFA was introduced. In MFA, another element – such as an OTP – other than the password itself, is needed to authenticate the user. This was thought to be bullet-proof as there is an additional layer of security. However, password-based MFA can still be compromised. Even time-synchronized OTPs are vulnerable, as they leverage the same shared-secret approach that passwords use, which are susceptible to hacking and phishing attacks.

One possible solution is passwordless MFA standards. FIDO Alliance, for instance, developed an MFA standard that can help thwart attacks while delivering a secure and user-friendly experience. The alliance – an industry consortium with 250-plus member and partner organizations around the world – was founded in July 2012 with the goal to develop open industry standards for simpler, stronger authentication, while addressing the problems users face with managing multiple usernames and passwords.

FIDO’s standards are designed around public key cryptography and the way it works is pretty simple. A pair of keys is generated when a user registers with an online service. The public key is then used to verify the private key in a two-step authentication method – a process that guards information from unauthorized revelation and access as only the user has access to the private key, which cannot be tracked by hackers and the information never leaves the local device.

Users can then have more control during their logins and don’t have to worry about account takeovers. More importantly, these standards are phishing-proof.

The FIDO standard has already been adopted by companies around the world, including major technology vendors like Apple, Dropbox, Google, Twitter and LINE. Most of us may already be using these seamless and secure login methods when we log in to our email accounts or access our bank accounts online.

Bill Gates said way back in 2004 that passwords cannot meet the challenge of keeping critical information secure. He predicted the demise of traditional passwords and the decreasing reliance on passwords then. Yet, passwords continue to be used even to this day, despite many industry experts agreeing that they should be replaced.

We have made some progress in reducing the reliance on passwords but more still needs to be done. It is crucial for companies to continue educating their users and stakeholders on the risks of traditional passwords and the importance of moving to a passwordless future. Only then can a better and more secure user experience be realized. This future is already within reach – backed by leaders in their field and supported by devices all over the world – now all we have to do is take the next step.
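
The key-pair registration and login described in the response above, sketched as an added example that is not part of the original article and is not FIDO Alliance code. It is a simplified challenge-response over Ed25519 using Node's built-in crypto module; the class names, the origins and the origin-plus-challenge message layout are assumptions for illustration, and the real FIDO2/WebAuthn message format differs.

```javascript
// Added illustration: names, origins and the signed-message layout are assumptions.
const { generateKeyPairSync, randomBytes, sign: edSign, verify: edVerify } = require('node:crypto');

// What the device signs: the origin it is talking to plus the service's challenge.
const message = (origin, challenge) =>
  Buffer.concat([Buffer.from(origin, 'utf8'), Buffer.from([0]), challenge]);

class Authenticator {
  constructor() { this.keys = new Map(); } // origin -> private key, kept on the device
  register(origin) {
    const { publicKey, privateKey } = generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey; // only the public key is sent to the service
  }
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    return key ? edSign(null, message(origin, challenge), key) : null; // unknown origin: refuse
  }
}

class Service {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.users.set(user, publicKey); }
  newChallenge(user) {
    const challenge = randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // each challenge is single use
    const publicKey = this.users.get(user);
    if (!challenge || !publicKey || !signature) return false;
    return edVerify(null, message(this.origin, challenge), publicKey, signature);
  }
}

function demo() {
  const service = new Service('https://bank.example'); // constructed sample origin
  const device = new Authenticator();
  service.enroll('alice', device.register(service.origin));
  const first = device.sign(service.origin, service.newChallenge('alice'));
  const legit = service.verify('alice', first);
  service.newChallenge('alice'); // a later login gets a fresh challenge
  const replay = service.verify('alice', first); // captured signature reused
  const relayed = service.newChallenge('alice'); // challenge shown via another origin
  const lookalike = service.verify('alice', device.sign('https://bank-example.test', relayed));
  return { legit, replay, lookalike };
}
```

Unlike a password or OTP seed, the service stores nothing that can be replayed: a captured signature fails against the next challenge, and the device has no key to offer an origin it never registered with.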