One of the clichés about the tech world is that new technologies become obsolete almost overnight as a result of rapid innovation. In some ways, this cliché holds true. On more than one occasion, for example, I have purchased a digital camera only to have the manufacturer offer something better a short time later. Similarly, I purchased a PC last year with a seventh generation Intel Core i7 CPU and found that I could have gotten an eighth generation CPU if I had waited a few months. Of course, the one big exception to rapid tech evolution seems to be passwords. To call web passwords a legacy technology would be a huge understatement. Passwords were first invented roughly half a century ago, way back in the 1960s. As a young child in the late 1970s, I vividly remember my grandfather explaining passwords to me, and showing me how he would use a password to gain access to an old IBM mainframe.
Unfortunately, web passwords just have not aged well. Not only are there numerous techniques for stealing or cracking them, but passwords have also run up against what I like to think of as scalability limitations.
Typically, discussions of scalability in an IT-related context revolve around the challenges of managing large numbers of systems and users in an enterprise environment. With passwords, the scaling problem falls on the individual user instead.
It isn’t that nobody has tried to do anything about passwords. Numerous efforts have been made to replace passwords with something more effective. The Windows 10 operating system is a good example. Even though most people continue to log into Windows 10 using a traditional password, Microsoft does provide other options. You can, for instance, log into Windows using a picture password (by using your finger to draw certain gestures on a touchscreen), or you can log into Windows using a numeric PIN or even facial recognition (which works really well, by the way).
Web passwords: A lack of alternatives
So why is it that even though major software companies have given us really good alternatives to using passwords, most people still rely on passwords as their primary access-control mechanism?
In my opinion, the staying power of passwords has less to do with the lack of password alternatives than the lack of password standards. Consider for a moment how many websites and web applications you access over the course of a week, and how many of those sites require users to log in. Just today, for example, I have used Office 365 Planner, logged into an online class that I am taking, checked my notifications on Facebook, and uploaded a video to YouTube, just to name a few.
Each of these sites has its own authentication system. In other words, I have one password for Facebook, another for YouTube, and so on. Now please don’t misunderstand me. I am not suggesting that we would be better off having a universal directory that controls authentication and access control for all of the world’s online resources. A universal authentication directory would create countless legal and ethical questions and would be a security, privacy, and compliance nightmare.
Although I think that a universal password authority would be a very dangerous thing to have, I also believe that a much better way of controlling passwords is needed. Right now, Internet users have three main options.
Option 1 is to use the same username and password for every site. This technique doesn’t always work because sites can have varying password requirements. Even if it did work, however, the technique would be extraordinarily dangerous to use. If even one of the sites that the user frequents were to be compromised, then the bad guys could gain access to a set of credentials that would work across numerous other sites.
Option 2 is to write down the username and password for each individual site. The problem with this technique is of course that the document containing all of the user’s passwords could be lost, stolen, or otherwise compromised. Following the recent Hawaiian missile scare, for instance, it was discovered that a widely distributed photo of the Hawaii Emergency Management Agency contained a password that had been scribbled onto a post-it note and attached to a computer monitor.
Option 3 is to use a password manager. The problem with this option is that it means putting all of your eggs in one basket. If the password manager malfunctions, is compromised, or if you forget the master password, then you could be locked out of all of your accounts for good. A while back, I even heard a story of someone who suffered a hard disk failure and lost their password manager (and all of the passwords within it) as a result.
Clearly, passwords do not scale well. We all have way too many accounts to keep up with, and there aren’t a lot of secure yet easy and reliable ways of doing so. Thankfully, that may be about to change.
New authentication specification
Recently the World Wide Web Consortium (W3C) proposed a new authentication specification. Of course, authentication specifications get proposed all the time. Even so, this one is significant.
The main reason why the W3C authentication specification is noteworthy is because it could eventually become a standard. This means that over time, all websites and all browsers would share a common authentication method. More importantly, however, this method is based on the use of public key certificates — not passwords. Under the new plan, users can be authenticated into a website based on their possession of a certificate that positively confirms the user’s identity.
Because of the way that this proposed specification works, users would not necessarily have to carry around a certificate on a USB flash drive. Details are still a little bit fuzzy at this point, but according to some sources, you will be able to use the operating system as an intermediary step in the login process.
Imagine, for instance, that you want to log into your favorite website, but want to use the Windows facial recognition feature as the means of authentication. You could be authenticated into the operating system by its native facial recognition feature, and then the operating system could tell the website that you are you.
While it is easy to view such a capability solely in terms of convenience, there is actually something more important to pay attention to. The login method that I just described is based on an API called WebAuthn. The WebAuthn API is designed to trust the device’s native authentication mechanism. In other words, when you log into your device, your device tells the API that you have been authenticated, but your device does not provide your password, biometric data, or other authentication data to the API for processing. The authentication process happens locally, and your credentials are never transmitted across the Web. Once you have been authenticated into the device, then the operating system is able to seamlessly authenticate you into the websites that you visit through the use of certificates.
Standardization of web authentication
The standardization of web authentication could mean that soon you won’t have to worry about remembering all those web passwords. At the same time though, the entire process could break down if you happen to lose your private key certificate. The certificate will presumably be tied to the device either through a TPM chip, external media, or through a legacy certificate store. Regardless, it will be critically important for there to be a way to back up or regenerate the private key in the event that the original key is lost due to hardware failure.