Will we soon be password-free?
23 02 2018
You are probably unaware, but in every ten of your friends and family, at least one person likely uses one of the 25 most hackable passwords in the world: ‘123456’, ‘password’, ‘qwerty’ or even ‘starwars’... Security and restrictions often go hand in hand: by placing emphasis on simplicity, many people leave their personal information virtually accessible from every direction. Those who are more cautious, on the other hand, find themselves with a dizzying number of passwords to remember, never-ending codes and, eventually, reminders – sometimes just as open to the world. Might there be a simpler solution, by any chance?
1. A matter of trust
Perhaps, but ‘simpler’ is not enough: it also needs to be ‘stronger’ and ‘less intrusive’. The solution where you allow algorithms to learn your habits, for example, may look appealing: passwords then become necessary only when your usual behaviour–location, active hours, locations visited, text entry speed, etc.–can no longer be identified. While that may be so, allowing the Microsoft Cloud to collect information about your content in order to compile statistics involves a level of transparency that you may find incompatible with data protection.
Trusting the system, as the vast majority of people aged under 20 do today, is not yet a given for everybody. And if the previous generations are not as laid back when it comes to their relationship with data protection, it is because they still remember a time when more restrictive security measures reminded Internet users that hacking is not reserved for celebrities, and that brute-force attacks do not only happen in spy movies. It is also easy to be relaxed when the only threat on your radar is pickpockets: at the company level, however, the risks take on a whole new dimension.
2. Fewer passwords, but better quality
Wherever you are on the scale, device protection (tablet, computer or telephone) and data protection involve two different passwords. For the former alone, they are already trying to change things up: in addition to simple but easily recognisable patterns and fingerprint sensors (provided you agree to the digital storage of your fingerprints, as a better option does not currently exist), it is now possible to replace the 10 numbers and 26 letters with a choice of 12 emojis among the 2,500 available and then to select a sequence of four or six. Strong protection AND fun. But, again, one of these passwords by itself is not enough! Among the series of fun alternatives, Nova Spatial is currently developing an authentication system based on recognition of a small parcel of land on a digital world map, the coordinates of which serve as a code that there is therefore no point memorising – you just need to know where a certain tree, swimming pool or junction is, etc.
Until we can rely on our visual memory, using emojis and maps, online password managers are multiplying. With such virtual vaults as 1PassWord, LastPass or KeePass, one code is enough to protect all the others stored and encrypted behind it. One master key is all you need, albeit as complicated as possible–but a single phrase will do the trick. For example, ‘Open Sesame!’ (punctuation included!).
3. The other side of biometrics
Desperate times call for desperate measures: could the future be in strong authentication using physical objects? A thumb, eye, voice or face are prime examples of such methods that are increasingly readily used to unlock devices, and might well end up being used to access profiles on social media: the hackers claiming to have fooled the iPhone X’s facial recognition with an ultra-realistic latex mask need not go to so much trouble for consumers. The use of biometrics is therefore likely to spread further, and even become more sophisticated in the next few decades: it is really a question of developing sensors specifically for identifying DNA.
Such sensors will mean the end of problems caused by beards or haircuts that still occasionally trip up facial recognition systems – the only remaining problem will be an evil twin! In 2015, Jonathan Leblanc, then Global Head of Developer Advocacy at PayPal, claimed that the passwords of the future would no longer be written down or memorised, but rather implanted, swallowed or injected. He spoke of wearable computer tattoos, ECG sensors that relay heart data, vein recognition and blood pressure. Foolproof, perhaps, but somewhat unappealing... Three years later, digital tattoos seem to have taken the lead: chemist Zhenan Bao, who recently developed e-skin, really highlighted the medical and social possibilities of this connected electronic material that perfectly matches human skin. However, this will inevitably come up against the issue of confidentiality at some stage: it will then no longer be our fingerprints being used as universal passwords, but rather a tiny electronic film placed on the pad of the finger and connected to our smartphones. How do you like the sound of that?
4. The secret to two-factor authentication
Rather than focus on making biometrics foolproof at the cost of who knows what level of privacy invasion, perhaps it is worth looking at simplifying two-factor authentication. This kind of system is already widely used today for online payments, which request a second code sent by SMS valid for only a few minutes. The confirmation code, while most often sent to a smartphone, can be sent to a Google Watch, smartcard, app (like with the Stormshield Data Security solution), cryptographic token or USB flash drive (such as the FIDO security key).
The problem will of course be that you can never leave the house without the physical object needed to generate the second code. You are less likely to leave your thumb or your eye at home than your smartphone... Unless we think of it as some kind of new organ for homo numericus? Otherwise, there is always the option for us all to become geniuses capable of remembering dozens of number sequences. Your choice...
Thank you to Fabien Thomas and Jocelyn Krystlik, Chief Innovation Officer and Product Marketing Manager Data Security respectively at Stormshield, for their invaluable help in writing this article, in collaboration with Usbek & Rica.