President of Univention North America, making sure you stay in control of your data, your company and your future.
Since the advent of multi-user computer systems, passwords have been the authentication method of choice. Enter your username, enter your password, and you are ready to use most systems, services and websites.
However, there’s a catch to this fairly easy method of logging in. While computers can easily create and use cryptographically sound and secure passwords, human psychology and memory are insufficient to generate and remember good passwords.
Consequently, we have seen several attempts to augment or replace passwords. Most have not yet led to widespread adoption, whether it’s SMS, apps or lists of PINs. With passkeys, though, there is a cross-platform, multi-company replacement for passwords on the horizon.
Will passkeys really be a game-changer? Without careful consideration, they might fizzle out like previous attempts. Let’s look at three issues around replacing passwords and how we can address them.
Smartphones: Expensive And Exclusive Toys
There are a number of issues related to accessibility when it comes to smartphones. For example, a person who is blind or who has Parkinson’s disease might struggle with operating a smartphone. I’d venture the guess that most people in IT have never watched anyone outside of their circle of educated, non-disabled co-workers use the technology. Even user studies too often display a significant bias when analyzing technologies.
Using smartphones as part of the authentication process represents a significant hurdle to adopting better security practices. What’s making it worse is the growing smartphone fatigue, or people not wanting to spend money on a device that tracks their every move and can lead to a significant waste of time. On top of that, many Gen-Zers have started to abandon smartphones and are returning to old form factors, which means it might be an even bigger problem than we think to rely too much on smartphones for logging in.
A Habit That’s Hard To Break
One issue with passwords, which no solution so far has addressed well, is the habit-building process. In the U.S., we get kids onto a computer in school at six years old. For good reasons, however, we don’t entrust them with smartphones, two-factor authentication (2FA) dongles or setting up their fingerprints. Instead, we teach them that passwords are the best way to log into a computer or to get to play entertaining or educational games.
We nurture that habit for the next 10 years, slightly increasing password complexity until teenagers are opening their first bank accounts with online access. Suddenly, though, we change the story. What we ingrained in them for a decade is now presented as insufficient to protect their digital identity. Given the number of changes that occur in all parts of life when transitioning to adulthood, cybersecurity is on no one’s mind, and we look the other way when they click “ignore 2FA” for the first—and, most certainly, not the last—time.
As it turns out, that habituation is coming back to haunt us. The idea that passwords are a sufficient security precaution enters our minds at an impressionable age, and we never genuinely question the idea again. After all, it’s always been this way. Reminders to choose better passwords, update the authentication method or add additional security measures are considered a nuisance.
Costly Implementation Errors
New tech is exciting for experts—and sometimes for end users—until something goes wrong and the head-scratching starts. Omissions and oversights are often only scrutinized after the fact. Apps like Google Authenticator cannot afford to ignore end-to-end encryption when syncing authentication data, or they will fail and be all over the news. Therefore, any changes that reduce our reliance on passwords must pass a much higher bar when it comes to their built-in security features.
The good news regarding these underlying issues is that there are three steps we can take now to make sure they’re properly addressed.
Step 1: Be Inclusive
New solutions must be inclusive, whether it’s about building habits among kids and teenagers or remembering that the world is full of people who can’t or don’t want to use a smartphone. We cannot achieve better cybersecurity if we don’t consider habits, and we can’t build better habits as a society if we neither start early nor manage to take everyone along for the ride.
Whether it’s addressing ageism, ableism or literacy, combating these problems in cybersecurity applications should be at the forefront of our minds when designing new solutions. For many systems, an attacker needs only one compromised account to gain access. Thus, we don’t have the luxury of serving only half of the population.
Step 2: Redesigning The Login Flow
For many services today, setting up multifactor authentication (MFA) takes five or six actions. Choose which system to use, take your smartphone, open the app, scan the screen and enter the return code. In contrast, the ignore button for MFA is just one click. Even if I have to press “ignore” every time I log in, it’s still less cumbersome than taking the smartphone, opening the app and entering the MFA code.
We must start designing the login process in a way that the less secure solution takes just as many steps as the more secure alternatives. Otherwise, we continue to reward users with easier access, which costs reputation and money in the long run.
Step 3: Strive To Be Holistic
With passkeys, we finally have a cross-platform solution from commercial vendors or an open-source offering. However, designing a working, inclusive and easy-to-use answer to an old problem isn’t enough.
We must also raise awareness around the risks and clear dangers of passwords, especially insecure ones. Passkeys or any password replacement that follows will only succeed if a major push in marketing and education accompanies the roll-out of a technologically sound solution.
Only if we all work together—from service providers and B2B/B2C companies to IT departments and all the way to teachers who help kids set up their first accounts—will we be able to make passwords and the accompanying cybersecurity nightmare a thing of the past.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.