The Future of User Authentication: Moving Beyond Passwords
The current state of password-based authentication
Older than the internet itself, passwords are a long-standing approach to authentication. The login process on most websites boils down to a pre-agreed username (or email address) and a secret string (the password) shared between the user and the website. On the security side, passwords travel over the wire in hashed form during login and are also stored on web servers, yet they can still be compromised.
In the modern world where security and usability must go hand in hand, password-based authentication is a massive pain point for everyone involved. “Ranging from multi-factor authentication to makeshift identity verification through utility bills, additional steps that service providers use to establish trust clearly show that passwords have reached their expiry date. Besides, right off the bat, there are two additional dealbreakers in terms of security here: password re-use and the fact that not all service providers use those additional steps. That creates a window for hackers, allowing them to access user accounts in high-security websites by hacking lower-security websites first,” Robert says.
Today, an average internet user has dozens of password-protected accounts, making it increasingly difficult to store and manage them safely. According to Robert, password managers are a good solution in terms of security here, but that comes at the expense of usability. “Even if we create safe passwords and implement a password manager, changes are inevitable. Devices break, get stolen or upgraded, and some service providers require users to change their password on a regular basis. Besides, most users have multiple devices at a time, which requires them to sync the password manager across each device as well. Maintaining security with this level of fluctuation requires an unnecessary amount of resources when there’s a clear alternative in sight,” Robert notes.
Qualified certificates are the future
Why is the shift taking so long?
The abundance of extra steps in password-based authentication clearly shows that larger service providers and government entities have already realized that passwords alone are insufficient. But according to Robert, there are many hurdles on the road to widespread adoption of qualified certificates. “User acceptance is one of the biggest challenges at this point. People are used to a username–password system: I have this password that I created and only I know, meaning only I can log in, right? Compared to that, certificates and public-private key crypto sound like magic, even if everybody from the IT side confirms that this is a more secure solution,” he says. Technical challenges should not be overlooked either: implementing certificate-based authentication requires resources that smaller industry players do not yet have, as is clear from the fact that some of them still struggle to implement even multi-factor authentication properly.
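To make the “magic” concrete, here is an added illustration (not code from the original article or from Robert’s company) of the difference the text describes: a password site must see the secret itself and can only hash and compare it, while a key-based site stores just a public key and checks a signature over a challenge it generated. The same user is enrolled at a low-security and a high-security site; material observed at the first is replayed at the second. The site types, the sample password and the Ed25519 key pair are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// Password site: it must receive the password itself on every login (to hash and compare it),
// so a breached site learns a secret the user may have reused elsewhere.
type PasswordSite struct{ salt, hash []byte }
func hashPassword(salt []byte, password string) []byte {
	// Demo only: real deployments use a slow password KDF (Argon2id, bcrypt), not bare SHA-256.
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return h[:]
}

func NewPasswordSite(password string) *PasswordSite {
	salt := make([]byte, 16)
	rand.Read(salt)
	return &PasswordSite{salt: salt, hash: hashPassword(salt, password)}
}

func (s *PasswordSite) Login(password string) bool {
	return subtle.ConstantTimeCompare(s.hash, hashPassword(s.salt, password)) == 1
}

// Key site: it stores only the public key and checks a signature over a fresh challenge it
// generated itself; the private key never leaves the user's device.
type KeySite struct{ pub ed25519.PublicKey }
func (s *KeySite) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

func (s *KeySite) Login(challenge, sig []byte) bool {
	return ed25519.Verify(s.pub, challenge, sig)
}

// ReplayAcrossSites models the cross-site scenario from the text: login material observed at a
// breached low-security site is presented to a high-security site that enrolled the same user.
func ReplayAcrossSites() (passwordReplayAccepted, signatureReplayAccepted bool) {
	const reused = "correct horse battery staple" // constructed sample password, reused on both sites
	highPw := NewPasswordSite(reused)
	passwordReplayAccepted = highPw.Login(reused) // the breached site saw this plaintext; it works here too
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	low, high := &KeySite{pub}, &KeySite{pub}
	sigLow := ed25519.Sign(priv, low.Challenge()) // all the breached site ever saw
	signatureReplayAccepted = high.Login(high.Challenge(), sigLow) // fresh challenge: replay fails
	return
}
```

The password replay succeeds because the secret is the same string everywhere, whereas the signature is bound to one site’s challenge and proves nothing to another.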
Another element of user resistance is the anonymity debate. Since qualified certificates represent real identities, these concerns are valid, but Robert also points out that sharing private information is a crucial element in 99% of transactions either way. “I’m not saying that people are overvaluing anonymity – it’s very important. But in a business transaction, both sides must know each other. Even if you’re joe123, when you buy from a webshop they need to know where to deliver and whom to charge the money to. Qualified certificates support the safe exchange of information, and they top it off with a level of data security that passwords can’t guarantee,” notes our CTO and Security Officer.