October is Cybersecurity Awareness Month. All month long, ITS News will highlight this year’s theme: See yourself in cyber. In this article, seeing yourself in cyber means understanding the cat and mouse game of cybersecurity and how you fit into it. To learn more about other ways to see yourself in cyber, visit Safe Computing at UNC.
Right now, passwords are one of life’s necessary annoyances, but a future without them is on the horizon. The computer password as we know it has been in use since the early 1960s. And ever since those early days, passwords have been the center of a tug-of-war between end users and bad actors.
Passwords need to be simple enough for people to use but complicated enough to keep hackers out. That has led to a familiar, and annoying, arms race of advice and strategies: change your password often, don’t reuse passwords, make passwords very long, use passphrases, incorporate numbers and symbols, use a password manager and automatically generate random passwords. It’s all good advice, but it’s understandably frustrating to feel like good security is a lot of work.
It’s like knowing the lock on your door is important but needing to change your keys every three months. If we all only had one door to manage, swapping those keys wouldn’t be so difficult. But because we each have dozens or even hundreds of passwords to keep track of, it’s hard to stay ahead.
That frustration plays into hackers’ hands. The more annoying it is for us to follow security best practices with our passwords, the more likely we are to use bad cyber hygiene like reusing passwords across different accounts.
Besides our human weaknesses, passwords also have technological weaknesses. They can be stolen, either through hacking or phishing. They can also be guessed, or cracked, which is a substantial risk when we use simple, short or predictable passwords.
One of the ways we’ve increased security is multifactor authentication, known as 2-Step Verification at UNC-Chapel Hill. This means pairing our passwords with another method of authentication, like entering a code or approving a push notification. This mitigates some of the weaknesses of passwords because even if bad actors steal or guess your password, they still need your second factor to access your accounts. And while multifactor authentication is much stronger than a password alone, hackers are finding ways to defeat it, mostly through human weaknesses.
Goodbye password, hello passkey
In the hacker/password arms race, going passwordless completely changes the game to one that strengthens security without making things harder for end users.
Going passwordless means a fundamental shift in how we log in to systems. Today, when we create a password, it is stored, hopefully securely, on a server. When we log in, we enter that password and it’s sent to the server to be checked. This creates three points of potential failure: first, passwords are stored where they could potentially be hacked; second, passwords are transmitted and may be intercepted; and third, your password can be used by anyone who has it, not just you.
With passwordless logins, we shift away from passwords-on-servers to device-based authentication using a passkey. With a passkey, you set up and store your credentials on devices like a smartphone, smartwatch, tablet or laptop. Your credentials are never sent to or stored on servers. This means that they can’t be intercepted in transit or stolen from the server.
When using passkeys and passwordless logins, sites don’t ask you to enter your password; they ask your device to use the passkey. On your device, you verify your identity using biometrics such as Face ID or Fingerprint Unlock, or by using a PIN. After confirming your identity, your device uses the passkey. The site matches it to its passkey information and you’re logged in.
Passwordless logins mean stronger security and increased convenience. Your passkey can’t be phished or stolen, and logging in is as simple as unlocking your smartphone or laptop.
The future is passwordless
Earlier this year, Google, Apple and Microsoft announced that they would expand support for passwordless logins using open standards from the FIDO Alliance.
The commitment by three of the largest login providers in the industry is pushing passwordless into the mainstream. Each of these companies already offers some version of passwordless login. You may already be using it to do things like verify an App Store purchase with Face ID, but this commitment opens doors to more options. Starting late this year and continuing through 2023, you will be able to automatically access configured passkeys across different devices and platforms without many manual enrollments, making it easy for you to put stronger security on your accounts with just a few clicks.
In Part II, we’ll look at what the passwordless future looks like at Carolina, and how ITS balances convenience and security when logging in to University systems.