
What a future without passwords looks like

  On a website called “PasswordMonster”, you can test how long commonly used passwords would take to crack. Enter “123456” and the site reports that the password is cracked in 0 seconds; “88888888” takes 0.01 seconds.
  These days you can easily find tutorials like “How to Create an Uncrackable Password”, and with a little effort you can create a very complex password that is hard to crack. The problem is that you may not remember it, and then you fall into the cycle of “forgot password, reset password, forgot password”.
  What if the Internet didn’t use passwords at all? Could we stop memorizing passwords and stop fearing data leaks?
  Passwords are “old stuff” with many problems
  In the 1960s, the concept of the “password” was born with the first multi-user computer systems, long before today’s Internet. The original idea was to make users themselves an important line of defense in the security system: each user chooses and remembers a secret of their own.
  This system worked well for decades. It can even be said that it is this password-based verification that gave the Internet user logins and allowed it to flourish.
  In theory, passwords still hold up well against ordinary attackers. If you set a sufficiently long and random password, and the site stores it as a properly salted, slow hash rather than in plain text, even an attacker with a supercomputer would need a very long time to brute-force it.
  But in the 21st century, with the rapid growth of the mobile Internet, most people have hundreds of accounts that require passwords, and reusing the same password across platforms becomes almost unavoidable. What is more frightening is that the databases storing these credentials are themselves at risk of leaking.
  For users whose data has leaked, the fatal part is that exposing the password for one platform is equivalent to exposing it for many, because so many people reuse the same password on different sites.
  Today’s large-scale criminal groups collect leaked databases through various channels, merge them to map out a person’s footprint across the Internet, and file everything together into a “social engineering library”. From this, your passwords on other platforms can often be roughly deduced, and the leaked username and password pairs can simply be tried against other sites (a practice known as credential stuffing).
  There are also cheaper scams. Criminals use already-leaked information to obtain more directly from the victim through phishing, most commonly counterfeit login pages and fraudulent phone calls. Even an ultra-strong password of random digits, letters and symbols is easily captured by a fraudulent site that reproduces the official login page almost 1:1.
  The current password mechanism has thus often become an accomplice to information leakage.
  The existing password system is like an overloaded old steam turbine that breaks down frequently yet still has to drive the entire Internet. The industry has begun to recognize these problems left over from history and plans to start from scratch with a verification mechanism that can replace passwords entirely.
  The key to “no password”
  At this year’s Apple Worldwide Developers Conference, Apple introduced a feature that spares users from typing cumbersome passwords: the “passkey”. With it, the user no longer enters a password but authorizes use of the passkey with face or fingerprint recognition. Under the hood, the device generates a key pair locally and keeps the private key; the platform’s server stores only the matching public key. At login the device proves possession of the private key by signing a challenge from the server, and the server checks that signature against the public key. All the user has to do is pass the biometric check.
  The underlying technology comes from an organization dedicated to promoting passwordless login: the FIDO (Fast IDentity Online) Alliance. FIDO has drawn up the relevant technical standards and promoted them to the major Internet companies. Its members now include not only operating-system vendors such as Apple, Google and Microsoft, but also chip suppliers such as Qualcomm and Broadcom, and payment giants such as PayPal.
  It is important to note that “no password” does not mean no secret at all. In this mode the user’s phone or other hardware is the main verification device, and at registration the system binds the account to that hardware. Afterwards, the user unlocks the device with a fingerprint, face recognition or the device’s own passcode, and that unlock becomes the default action for logging in, with no account password typed. The biometric or passcode is checked on the device and never sent to the website.
  In fact this kind of passwordless flow is already familiar. WeChat is an example: to keep accounts secure, logging in on a computer requires no password at all; instead the login can only be confirmed from the phone.
  Besides improving the user experience and protecting account data, this approach also lets service providers offer FIDO credentials as a way to recover an account after it is accidentally lost. It is also considered friendlier to disabled and elderly users.
  How far away is “eliminating passwords”?
  From the user’s point of view, FIDO is not very different from today’s fingerprint or face-recognition logins, and it even resembles mainstream password autofill. The real difference is hidden beneath the login page: with FIDO the system does not generate a random password for you. Instead the device generates a key pair locally and uses public-key verification: the account server keeps only the public key, and a login can succeed only when the device holding the private key answers the server’s verification.
  For phishing sites that users cannot easily tell apart, an account registered with FIDO is protected because the credential is bound to the website’s real address (its origin). If the page asking for a login does not belong to the site the credential was created for, the device will not sign and nothing is transmitted. This removes at the root both the fraud of look-alike login pages and the risk from leaked databases, which now hold only public keys that are useless for logging in.
  Killing passwords is not easy. The Internet ecosystem we know is rooted in password authentication; passwords have become part of the Internet’s DNA. So even with industry giants behind the FIDO Alliance, progress can only come step by step.
  For most netizens, the most important thing about eliminating passwords is of course that they no longer have to rack their brains to set one, or be forced to reset it after forgetting it.
