Companies are increasingly adopting new practices for securely accessing their online data, gradually eliminating passwords in favour of intrinsically more secure passwordless access systems that hold up better against attacks. The CAPTCHA systems used to date are proving less and less reliable: creating and improving them is very costly, and as technology advances, artificial intelligence evolves with it, making it ever harder to distinguish a human from bots and fake profiles.

For example, the Fast Identity Online Alliance (FIDO) has been working for more than ten years on a system that lets users log in to their online profiles simply by using the unlock mechanism on their smartphone or computer. In this way the password never has to be sent over networks exposed to interference, and users access their data through an interaction between a public “key” and a private one that cannot be extracted from their device. Although this system is not completely immune to attacks, it adds several layers that must be bypassed before an attack can succeed.
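The FIDO exchange described above, as an added Go example that is not part of the original post and not FIDO's own code: the device keeps the private key, the site stores only the public key and issues a fresh random challenge per login, and a signature captured on the wire is useless for a replay (the same single-use rule the post later describes for login codes). Ed25519 from the Go standard library stands in for the authenticator's signature algorithm; the single-account relying party and all names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// NewAuthenticator simulates the user's device. It returns a signing function that
// keeps the private key inside its closure (a real FIDO authenticator keeps it in
// hardware) and the public key, which is the only thing the website ever receives.
func NewAuthenticator() (func(challenge []byte) []byte, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return func(challenge []byte) []byte { return ed25519.Sign(priv, challenge) }, pub
}

// RelyingParty models one account at the website; a leaked table of these
// public keys gives an attacker nothing that can be presented as a credential.
type RelyingParty struct {
	pub     ed25519.PublicKey // received once, at registration
	pending []byte            // the one outstanding challenge, if any
}

// Challenge issues a fresh 32-byte random nonce for a single login attempt.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending = c
	return c
}

// Verify checks the signature over the pending challenge, then discards the
// challenge so that a captured signature can never be replayed.
func (rp *RelyingParty) Verify(sig []byte) bool {
	c := rp.pending
	rp.pending = nil // single use, whether or not the check succeeds
	return c != nil && ed25519.Verify(rp.pub, c, sig)
}

func main() {
	sign, pub := NewAuthenticator()
	rp := &RelyingParty{pub: pub} // registration: the site learns the public key only
	sig := sign(rp.Challenge())   // only the signature, never a secret, is sent back
	fmt.Println("login:", rp.Verify(sig), "replay:", rp.Verify(sig)) // true false
}
```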

Passwordless authentication refers to all security systems that grant access to software or an application without the use of a password. It differs from multi-factor authentication in that the latter still requires a password, which is then complemented by other identification methods.

Some examples of passwordless authentication are physical security keys, specialized apps, magic links, e-mail messages, or the use of biometric data. Passwordless solutions vary in functionality and implementation, but all let users log in without creating or storing a static password.

Removing the attackable password from the login process reduces friction, increases security and gives a better user experience through a faster authentication flow.


The vulnerability of passwords stems from several factors, the first being the sheer difficulty of remembering a large number of them. This leads users to create many extremely simple passwords and reuse them across sites. Even simple attacks such as brute force or credential stuffing are usually enough to crack such passwords. Sometimes we hand our passwords to attackers ourselves when we fall for phishing. The problem has been partly addressed by having sites suggest complex alphanumeric passwords (capital letters, special characters, etc.) that are long and hard to guess. Unfortunately, although this makes passwords more secure, the option is often not used, out of laziness or, as mentioned above, because such passwords are so hard to memorize. Writing passwords down is also dangerous in general, since the medium we write them on can be lost or stolen.

Passwordless authentication is used in both commercial and industrial settings. For example, some businesses use physical security keys to protect sensitive digital assets, and customers of some online merchants can confirm a purchase on their mobile devices with a fingerprint. However, passwordless authentication is not limited to these methods or use cases; it covers a wide range of implementations with different feature sets and benefits.

According to Gartner, more than 60% of global enterprises and 90% of SMEs will have implemented passwordless strategies by 2022 to protect their own and their customers’ data. Passwordless techniques are nothing new: they began to spread as early as 2012, but are made more and more necessary by the inherent weakness of passwords against attacks, by the evolution of those attacks over time, and by how easily passwords are forgotten. According to Verizon’s annual report on data breaches, 80% of them are still caused by insecure passwords and weak credentials.

There are also advantages from the UX point of view: creating and managing passwords, or recovering them, is laborious even with a password manager app and induces anxiety in many users, especially those with cognitive difficulties. A passwordless system is much easier to manage, so users can rely on convenient login mechanisms such as push notifications and facial recognition to simplify transactions.


Some alternatives to relying exclusively on passwords for authentication are:

As the name indicates, MFA (Multi-Factor Authentication) grants access to your data only if multiple factors are independently verified.

SSO (Single Sign-On), or one-time codes sent to the user, which expire once used.

Biometrics, which read some physical characteristic of the user, such as a fingerprint or facial features.

The first two rely on the possession factor, something the user has, such as a mobile phone on which to receive messages or a hardware token; the third refers to something the user is.

The weaknesses of passwordless systems

Despite everything, even these techniques have weaknesses: hardware tokens can be stolen from their legitimate owners, and the accounts to which one-time codes are sent can be compromised. A criticism often levelled at MFA is that it sometimes takes too long, which is ill suited to a business environment; moreover, messages carrying PINs or other identifiers sometimes simply do not arrive, making the process even more laborious when the identifier is lost or expires unused, not to mention that codes that go astray could be intercepted by malicious parties.

Biometrics, too, can be defeated if someone manages to copy our biometric data (experiments have shown that copying or simulating biometric data is less difficult than one might think). Worse, since biometric data cannot be reset, any error or misuse of it cannot be corrected.

Although these criticisms are well founded, they all acknowledge the benefits of moving to a passwordless world. Of course, perfecting alternative authentication systems will still take a long time, and much work remains to keep pace with the continuing evolution of attacks, for example by implementing Adaptive MFA (Adaptive Multi-Factor Authentication, or aMFA, is essentially a “smarter” version of MFA that asks users to verify additional factors only when something suspicious happens).

The Proof of Humanity

Blockchain technology could hardly be left out of all this. Specifically, an Ethereum app called Proof of Humanity (PoH) will allow you to save your data on the blockchain, creating a certified virtual identity. Those who register via PoH will then be able to access online services without having to prove each time that they are not a bot. Obtaining this certification is more involved than usual: it requires connecting with your Ethereum wallet and passing several steps of increasing complexity. In addition, the profile remains under scrutiny by those who have already obtained identity certification, whose task is to report suspicious profiles and confirm those in good standing. The proliferation of fake profiles is further discouraged by a small deposit, returned at the end of the process. Despite all these steps, which should make it very safe, Proof of Humanity is not completely free from possible manipulation: someone could coerce or pay others and organize a trade in data for the creation of “dummy” profiles to be used for illegal purposes. Furthermore, the register is currently not anonymous, although it is theoretically possible to encrypt each profile’s data using privacy protocols already employed by various blockchains.
