What a future without passwords looks like
Today it is easy to find tutorials on the subject, and with a little effort you can create a very complex password that is hard to crack. The problem is that you may not remember it, and then you fall into the cycle of "forgot password, reset password, forgot password".
What if the Internet did not use passwords at all? Could we stop memorizing passwords and stop worrying about data leaks at the same time?
The "old stuff" of passwords has many problems
The concept of the password was born in the 1960s, with the first multi-user, time-sharing computer systems that preceded the Internet. The original idea was to make the users themselves an important part of the security system: by choosing their own secret, each user became a line of defense.
This system remained effective for the following decades. It is fair to say that it is on top of this password-verification model that the Internet gained user logins and was able to flourish.
In theory, passwords still hold up well against ordinary attackers. A long, random password takes an impractically long time to brute-force even with a supercomputer, provided the service stores it as a properly salted, slow hash rather than in plaintext.
But in the 21st century, with the rapid growth of the mobile Internet, most people have hundreds of online accounts that each require a password, and reusing the same password across multiple platforms becomes almost unavoidable. What is even more worrying is that the databases that store this account information are themselves at risk of leaking.
For users whose information has leaked, the fatal part is that exposing the account password of one platform is equivalent to exposing the accounts on many platforms, because so many users reuse the same password everywhere.
Today's large-scale criminal groups routinely collect leaked databases from various channels, merge them to describe a person's footprints across the Internet, and file the results together into a so-called "social engineering library" (a merged profile of one person's leaked data). Along the way, they can often deduce that person's passwords on other platforms.
There are also cheaper scams. Criminals use the already leaked information to extract more directly from real people through phishing, most commonly counterfeit login websites and fraudulent phone calls. Even if you set an extremely strong password, it is easy to fall into the trap of a fraudulent website that reproduces the official login page almost 1:1, because the password is sent wherever you type it.
It is clear that the current password mechanism has frequently become an accomplice to information leakage.
The existing password system fails frequently, yet it still has to carry the entire Internet. The industry, however, has begun to recognize these problems inherited from history and plans to start from scratch with a verification mechanism that can replace passwords entirely.
The key to "no password"
At this year's Apple Worldwide Developers Conference, Apple introduced a feature that frees users from typing cumbersome passwords: the "passkey". With it, the user no longer enters a password but authorizes use of the passkey directly with facial or fingerprint recognition. Under the hood, the device generates a key pair when the account is registered: the private key never leaves the device, while the platform's server stores the matching public key. At login, the server sends a random challenge, the device signs it with the private key after the biometric check, and the server verifies the signature with the stored public key. If the signature checks out, the user is logged in without a password; all the user sees is the biometric prompt.
It is important to note that "no password" does not mean "no secret". In this mode, the user's phone or other hardware is the main verification device, and the system detects and binds that hardware when the account is registered. From then on, unlocking the device with a fingerprint, facial recognition or the device passcode becomes the default action for logging in, with no password typed.
Besides improving the user experience and protecting personal account information, this approach also gives service providers a recovery path for FIDO credentials if the user loses access to an account or device. The method is also considered friendlier to disabled and elderly users.
How far away is "killing passwords"?
From the user's perspective, FIDO does not look much different from today's fingerprint or face-recognition logins, and it even resembles mainstream password auto-fill services. The most important difference is hidden beneath the login page: with FIDO the system does not generate a random password; it uses public-key cryptography instead. A private key is generated locally on the device and the account server keeps only the public key, so a login succeeds only when the device's signature verifies under the public key the server stored at registration. A leaked server database therefore contains nothing an attacker can log in with.
Phishing websites that users cannot easily tell apart from the real thing are handled at the same layer. A FIDO credential is bound to the domain it was registered for, and the browser only offers it to a page served from that domain, so a look-alike site running on a different domain never receives a signature at all, and no secret is transmitted. This defeats high-fidelity copies of login pages as well as the risks brought by database leaks.
Killing passwords is not easy. The Internet ecosystem we know is rooted in password authentication; passwords have become part of the Internet's DNA. We can therefore only proceed step by step and look for breakthroughs gradually.
For most Internet users, the main appeal of "eliminating passwords" is of course not having to rack your brains to set one, only to be forced to reset it after forgetting it.