Passwords are so 90s... certificates are the future of user authentication

Today, on the occasion of “World Password Day”, we are sitting down with Robert Hoffmann, our Security Officer, to ask him about the future of passwords in the digital identity world.

Currently over 460,000 passwords are stolen per day (Source: BreachAlarm), resulting in security breaches that compromise both users and companies online. What’s your take on that?

It’s no surprise. Passwords are an outdated technology. An attacker could simply try out all combinations, or steal the password and use it. In order to use a password, it also has to be sent to the other party - and if this transport is not secure, or if the user was tricked into sending it to an attacker’s site, then it is stolen. Passwords are in this sense not bound to the owner; whoever knows the password can use it.

Passwords are, however, still extremely common. Why?

Passwords are easy to understand for non-technical users, but they misunderstand the risk level behind them. Many people also reuse the same password on many sites, which is understandable from a convenience standpoint. This has led attackers to break into sites with low security and then try out the stolen passwords against more secure sites - often with great success.

60% of users admit to using the same password across multiple online accounts, from email to online banking. (Source: Google, the United States of Passwords)

With the rise of digital identity the need to remotely authenticate users is rising. In this scenario, what is the role of passwords?

Passwords are only a technology. We need to look at what is actually intended: The other party, for example a webshop, bank or your workplace, needs to establish your identity - is it really you, the person, who wants to have access? If we can increase the reliability of this assessment, then we can put more trust into the whole communication - which enables us as a society to make more processes and interactions available online.

Many remote identification technologies rely on token-based authentication, such as USB keys, or a smart card. Do you think passwords can be replaced by a physical token?

Tokens have been one of the first steps to move to certificates instead of passwords. They store personal certificates in a secure hardware item that allows authentication to remote sites, such as your bank. This at least removed the need to transmit the password to the remote site, and moved to more secure public/private key authentication (i.e., certificates).

Are there any challenges? 

Tokens are still hardware that the user needs to handle. It is yet another device that you need to carry around and secure. If you lose it or damage it, your keys are gone. 

The next step was of course to move this into your phone, to have your smartphone as a token. One of the advantages here is that you usually have an account connected to your phone, with an encrypted backup in the cloud. So your smartphone is a secure access device - if you lose it, you replace it and sync your account onto the new phone. At the same time the smartphone itself provides physical protection of your secrets similar to a dedicated hardware token. The digital signature solution will then of course initially verify that it is indeed your phone. Thus you have the security advantages of a hardware token, without the risks or hassle of yet another device to carry around.


In order to overcome the limits of passwords and tokens, biometric authenticators are emerging as everyday authentication methods. What are the benefits and limits of such methods?

Biometrics are very interesting, since they identify you based on attributes of your body. The challenge here is to use attributes that cannot be copied by an attacker, so a liveness check is usually added. Great care also has to be taken not to exclude anyone with disabilities or uncommon features. The other challenge is to utilize biometrics while not disclosing any medical information to the party the user authenticates to.

The clear advantage of biometrics is that they are bound to your person; you always have them available without additional effort. And when done right, biometrics are very difficult to copy. Biometrics are a highly convenient method of authentication for the user.

How does a digital identity solution combine passwords, tokens and biometrics in authentication methods?

Digital identities, such as those based on the eIDAS regulation, provide a holistic framework to prove your identity to a third party. The verification process, from the legal basis to the technical implementation, needs to uphold a high level of security and is audited by independent parties. This provides a level of trust that enabled governments to define it as equal to a written signature.

Utilizing digital certificates, biometrics and further digital verifications as underlying technologies, it allows users to identify themselves with a high level of trust, without memorizing passwords or carrying tokens.

Password vs. certificate at a glance:

| Criterion | Password | Certificate |
|---|---|---|
| Easy to use | Need to create long and complex passwords | Only need to have it |
| Trust in the other party | Must trust the other party to keep their copy of the password secure | The other party only has the public key |
| Limit the lifetime | Needs to be actively removed when no longer needed | Certificates have a clear from-to lifetime |
| Attested by an independent third party | No attestation | Certificates are signed by a third party to attest the identity of the user |
| Can be used for legally recognized authentication | No | Yes, qualified signatures under eIDAS are equivalent to a written signature |
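The three technical rows of the table (the relying party holds only the public key, the certificate has a from-to lifetime, and a third party attests the identity) can be seen in a small challenge-response login. The following Go program is an added example written for this page, not code from the interviewee's company or product; it uses a constructed self-signed CA, Ed25519 keys and Go's standard x509 package, and the names `issue`, `Sign` and `Verify` are our own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue generates a key pair and a certificate for it, valid only from..to. With parent == nil the certificate
// is self-signed (our constructed CA); otherwise it is signed by the CA, the attesting third party of the table.
func issue(name string, parent *x509.Certificate, caKey ed25519.PrivateKey, from, to time.Time) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: from, NotAfter: to, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // self-signed CA certificate
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, caKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// Sign is the user's side: prove possession of the private key over a server-chosen challenge.
// Unlike a password, the secret itself is never transmitted.
func Sign(priv ed25519.PrivateKey, challenge []byte) []byte { return ed25519.Sign(priv, challenge) }

// Verify is the relying party's side. It holds only the CA certificate and what the user sent: no user secret.
func Verify(ca, cert *x509.Certificate, challenge, sig []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err // not attested by this CA, or outside the certificate's from-to lifetime
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, challenge, sig) {
		return errors.New("challenge signature invalid")
	}
	return nil
}
```

Because the challenge is chosen fresh by the relying party for every login, a captured signature is useless for a later attempt, and an expired certificate is refused without anyone having to "delete" the credential.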