Passwords: A true menace?
Breaking out of the never-ending cycle of remembering passwords turns out to be somewhat of a traumatic experience for everyone who has handled multiple accounts over a lifetime on the internet. All of us have had the frustrating experience of repeatedly slamming the “Forgot Password” button on virtually every site that requires authentication. All this leads us to ask: is the idea of password authentication critically flawed?
Password manager? A good idea?
An average user has over 90 accounts on the internet, and remembering a complex alphanumeric code for each one of those accounts sounds like torture and madness rolled into one. But, one might tell us, “Oh, you don’t have to remember all these passwords, you know? You could use a password manager.” What we rarely realize is that we are then storing all our passwords locked under one single master password, which is ultimately nothing more than using the same password everywhere.
Repetition of passwords and phishing attacks
Statistics show that, though 91% of users know it’s ill-advised to use the same password everywhere, close to 66% do it. Many people end up using generic passwords like “1234” or “qwerty” because they believe their data might not be of use to anyone, but consider the traumatic experience of a British woman, as reported by the BBC. Her account was hacked into, and the hackers used her identity to open a new bank account, order new credit cards and more. We rarely realize what is at stake here: from identity theft to phishing scams, secure authentication is the need of the hour.
Resetting passwords, a big headache
“So what if you forget the password? Reset it!” one might say, but here is where the problem lies: there’s hardly any point resetting the password if we are going to end up forgetting it again. An anonymous survey found close to 37 “forgot password” emails in a single mail inbox.
This is not even surprising at this point, looking at how much we ourselves abuse that feature in many websites/apps.
Effect of this system on Enterprises
Passwords don’t just end as a ‘minor’ inconvenience to the user; they also result in rather humongous losses for the business involved. Stolen passwords are the cause of 81% of security breaches, and each breach costs an average of $3.9 million. Even if a security breach never happens, resetting forgotten passwords could cost large companies about a million dollars a year. Many e-commerce sites lose most of their customers at the step between the cart and billing where they are asked to log in to their accounts. Multiple users have been locked out of their accounts because of too many incorrect login attempts. This causes huge losses to the companies, leading them to lose a large number of customers, and effectively money, due to the failure of this password-based system.
Biometric authentication: A feasible alternative?
What about biometric authentication then? It’s fast-paced and gets the work done. But one must understand that biometric authentication has its own set of hardware requirements. Even though this hardware is available in most of the smart devices that we use today, we must consider the grave security concerns that biometric authentication has in store for us. Recently, at a conference in Shanghai, China, researchers spoke about how one could take biometric markers off a high-resolution image even if the person of concern was a few meters away in the picture. If one finds resetting a password difficult, imagine getting new fingerprints! Similarly, even face recognition systems can be fooled by using high-resolution images. Many times, these systems don’t even recognize women and people of colour, showing how undependable they can be. It has also raised concerns that many government agencies are introducing facial recognition in airports, and as they maintain a database of this information, it almost seems like they have access to our accounts!
Decentralization as the best possible alternative
So what is an effective substitute for this never-ending menace, one might ask. Decentralizing the system is what many believe is the way to go. In the Ethereum blockchain ecosystem, a user receives a public and private key. Each sign-in request is signed with the user’s private key and verified against the user’s public key, uniquely authenticating each and every request and narrowing the chance of hijacking down to zero. To hijack the session, the attacker would have to sign in on behalf of the user, which would effectively not be possible without access to the user’s private key, which is protected by hardware-level security in the form of Hardware Security Modules (HSMs). These keep the private key from ever being exposed to the internet: signing happens inside the HSM, so the private key is never sent over the network. If the request was authorized by the user, the signed request validates; otherwise it is considered invalid.
An additional feature of this system is encryption and decryption. Only the user who owns the data can read it, so if the app developer encrypts the data with the user’s key, even the application itself cannot decrypt it without the user’s confirmation.
From this, we see how the power of data control can shift from big tech giants into the hands of the users themselves. Many such upcoming and developing technologies can render the entire futile process of remembering a password unnecessary, while still maintaining high levels of security and privacy.