Here we go again! There it is, the link prompting me to click in case of a forgotten password. And needless to say, I have forgotten my password; it is gone with the wind like so many before it. So, I click and can now create a new, equally forgettable password. Am I alone, or is there anyone else out there feeling like they are drowning in the multitude of passwords? Passwords are almost innumerable; you need a different one for each website, and since writing them down is not an option, it is no wonder we keep forgetting them. Frustrating, is it not?
Most would agree that passwords are neither user friendly nor particularly secure. And still, they remain the most common form of user authentication. And people struggle. It is hard to create a strong enough password, and to be fair, users get very little guidance on what "strong enough" means. The advice often given is to use at least eight characters. Eight characters might just as well be 12345678, so a length rule alone does not offer much help.
However, there has been some improvement. One improvement on passwords alone is multi-factor authentication. It adds a second check on top of the password and so offers a more secure way of user authentication, yet it does not eliminate the password itself, and a one-time code that the user types in can still be phished along with it. A password manager is also recommended, and it is probably a great help, especially if you can remember the password for the password manager itself.
All the fuss with my passwords caused me to investigate the options a bit further. That is how I stumbled upon passkeys. Passkeys offer an alternative to passwords. They remove the responsibility that comes with inventing and remembering a complex enough password, because there is simply no password in the passkey method. In addition to removing the trouble of remembering passwords, they are also phishing resistant: a passkey only works on the site it was created for, so a look-alike site has nothing to steal. No passwords, no password phishing.
No passwords?
No passwords? Sounds great. How does it work then? Here is what I found out.
The user does not create a password. Instead, when registering with a website, the user's device (the authenticator: a phone, a laptop, or a separate security key) generates a pair of keys. One of them, the public key, is sent to the website and stored there; the other, the private key, stays on the device and never leaves it. At login the website sends a random challenge, the device signs it with the private key, and the website checks the signature with the public key it stored. The user no longer types a password; instead the device asks the user to unlock it, with biometrics, a PIN or a pattern, before it will sign. The private key is tied to the website's domain, so a look-alike site cannot obtain a usable signature, which is where the phishing resistance comes from. Therefore the authentication device must be at hand when logging in. With a passkey bound to a single device, that means you always need to have your mobile phone on you when trying to log into a site, although passkeys can also be kept on the laptop itself or synced between devices through the platform's account. This offers additional security but may lead to a less smooth user experience.
What are the risks? There must be at least some. And I am sure there are, but somehow the downsides are not frequently discussed: what happens, for instance, when the device holding the private key is lost or replaced, and whether the account recovery path that then takes over is as strong as the passkey it replaces. It is to be kept in mind that security equals money, and money makes the world go around. Hence, companies may not be overly eager to discuss the downsides.
Still, a passwordless future seems far away. Even if passkeys were to become the next way of authentication, passwords will probably stay with us for a long time. Passkeys and passwords will overlap; most websites will offer both. Also, the passwords already created will not be erased, and many sites keep the password as a fallback login or recovery method, so the weakness is still there. Furthermore, not all websites offer support for passkey authentication, which might cause further delays in adopting it.
So, we continue to struggle. Maybe the only answer is to educate, educate and educate. Because it is ignorance that makes us weak, and our weakness is what criminals thrive on.
About the writer
Lena Wadström-Ekblom is an Information Technology student at Centria University of Applied Science. Currently she is working as a trainee in the SIFIS-Home project. She is interested in understanding and improving cybersecurity in our everyday life.