Passwords, Passwords, Passwords. Yes, we all have them, and yes, we have to remember a ton of them. They are still one of the primary targets for the Cyber attacker, and because of that, employees in Corporate America are now forced to create passwords so long and complicated that it is impossible to remember them.
So, what do they do? They write them down on a Post-It note and attach it to their workstation monitor, in plain sight. So what is the purpose of all this in the end?
In fact, I could write an entire blog series just on passwords, their creation, how they should fit into a security policy, and even how to use a password manager.
But I will save this for a later time. It was announced today that a new standard has been set forth for password creation, at least when it comes to people accessing their stuff on the Web.
This particular standard is known as “WebAuthn”, and it has won the stamp of approval from the World Wide Web Consortium, the entity that establishes the coding standards behind just about every web page, web site, and web application in existence on the Internet.
This new standard apparently paves the way for people to authenticate themselves other than by using their passwords.
There is also heavyweight support for this new standard from the likes of Google, Microsoft, and Mozilla, who have said they will implement it in their respective web browsers as well. Software developers from all over the world have also jumped on board, and the new standard is being implemented for the Windows, Mac, Linux, Chrome OS and Android platforms.
It is expected that full-blown implementation will take at least a year, and it is expected that Corporate America should be able to jump on board rather quickly as well. As one observer put it, “There are new concepts involved, but not radically new security thinking . . . the larger problem will be getting time and attention — especially in large organizations using this for customer-facing authentication — from the other stakeholder groups involved.” (SOURCE: https://www.technewsworld.com/story/85268.html).
The WebAuthn standard is based upon a confidential protocol that was developed by the FIDO Alliance, and as a result it is also widely expected that there should be a dramatic drop-off in Phishing attacks and data breaches as people access websites and their login portals.
The protocol is based upon public key cryptography, in which you don’t have to create and share a secret (namely your password, or even a challenge/response answer) in order to authenticate yourself.
Because of this, people will not be tricked into giving away their password. You may very well be asking at this point: how can I authenticate myself if all of this is based upon some public key based tool? The answer is that the private half of the key pair stays on your own device and never goes to the website; the website only ever holds the public half, which is useless to a thief. The protocol in turn is heavily dependent upon more secure means of authentication to unlock that key, such as using Biometrics.
In this regard, it is your unique physiological or biological features that are used to confirm your identity, such as your fingerprint or even the structure of your iris. Those features are checked on the device itself; they are not transmitted to the website either.
But it is also expected that there could be a huge problem with wide-scale adoption of the WebAuthn standard. The primary reason is that many other security technologies have already implemented the FIDO protocol, and adopting WebAuthn will only mean that the organizations already using them will have to go through further compliance checks.
This will only mean added, extra costs, which no business or corporation wants to bear, because upper management at these entities deems it an unnecessary expense.
My thoughts on all of this?
It really is too early to tell. But honestly, although the effort put forth to create the WebAuthn standard is well founded, it may just fall by the wayside.
Why is this?
Well, Corporate America has already set forth many security policies regarding the safe and secure usage of passwords. Nobody seems to care about them, given the sheer number of Cyber attacks taking place today, and as mentioned, the password is still a prime target for the Cyber attacker.
Also, the password, despite its inherent security flaws, will still be used for a long time to come. Society is a creature of habit, and people simply don’t want to change from what they are already accustomed to. Yes, passwords are a pain to remember, especially when you have so many of them, but people will still prefer this method over the new security measures designed to replace it.
Really, it’s like the proverbial dog chasing its tail. We, as the people, deep down want something that gets rid of the password, but reality dictates quite the opposite. It seems that the dog will be chasing its tail for a long time to come.