This past Friday, March 15th was National Password Day…in Canada (there is a ‘National Day’ for everything). It’s a day when organizations such as the Better Business Bureau and Federal Trade Commission share tips and urge citizens to regularly update their passwords. With all the advances in technology we have seen over the past few decades, the risks of hackers and cyber threats have also increased. Companies are beefing up their efforts to keep customer information safe with certain password requirements, but in the end they need the customers’ help in order to be successful. So why are there such vast differences in username and password requirements across different sites and applications?
We all have passwords for Facebook, Twitter, Instagram, LinkedIn, WordPress, Netflix, Hulu, Spotify, Amazon, email, work log-in, Apple ID, online banking, Uber, ESPN, Wi-Fi, federal loans, and the BC portal log-in. The list goes on and on. And then there are those who have a password manager, and that requires a unique master password…what happens when you forget that password? Some sites require a combination of capitalization, numbers, and special characters while others require only a minimum length of eight or more characters. One site’s login uses an email address, the next one uses your phone number or a personalized username. Then there are those sites that have an extra layer of security and call for users to answer questions prior to accessing their account. Some sites will time out after a certain period of inactivity, prompting the user to either extend their session or log out before it is done for them. One site’s inactivity limit is fifteen minutes while others can be weeks long. I understand these are all steps in order to protect users and their information, however there is no universal standard for username and password requirements. Every app and service has its own version. Some classmates will recall the day when we only stored passwords on a computer, but now there are smartphones, smart watches, tablets, and even smart TVs.
The number of usernames and passwords one must keep track of is absurd. It’s why some revert to handwriting all their passwords on a single sheet of paper or keeping them in a Word document. I can honestly say I reset a username or password at least once a month. Clear your browser history or buy a new phone or laptop and be ready to recall the dozens of passwords you may have. The only sites which made it mandatory to change my password over the last year were Boston College and work. My company requires all employees to change passwords every ninety days and I can say with confidence that at least half, myself included, simply add the next number in line to the end of their current password. It’s just another password to remember and picking the next number makes it simple.
So why are we still typing passwords in? In some cases, we aren’t. Touch ID technology has been a huge help in easing the everlasting ‘forgot password’ dilemma. Over the past few years we have seen facial recognition expand as an alternative to typing in those pesky passwords, but its growth has been slow.
There’s hope for a day when we will not have to worry about passwords as much. A few weeks back, the World Wide Web Consortium published WebAuthn as an official web standard (a W3C Recommendation), aimed at a password-free future and phishing-resistant authentication at scale. Essentially, it is a browser API that lets a website ask an authenticator (a security key, or the fingerprint or face sensor built into a phone or laptop) to prove that the user holds a key created for that site, so the user can log in without typing anything. Users will have the option to log into web services via computers or smartphones more easily using biometrics and/or FIDO security keys. A FIDO security key is a small device which can be plugged into a USB port on a computer, or tapped against a phone over NFC or Bluetooth. WebAuthn is already supported by most web browsers, which is a big step towards seeing wider adoption across individual websites and applications. The huge advantage of WebAuthn is that there is no shared secret at all: instead of a password, the authenticator generates a separate public/private key pair for each site, sends the site only the public key, and keeps the private key on the device, where it never leaves. Each login is a fresh challenge signed by that private key, and the browser ties the signature to the real website address, so a look-alike phishing site cannot collect anything it could replay against the real one. A breach of the site’s database exposes only public keys, which are useless for logging in.
via W3C press release
“Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences,” said Jeff Jaffe, W3C CEO. “W3C’s Recommendation establishes web-wide interoperability guidance, setting consistent expectations for web users and the sites they visit. W3C is working to implement this best practice on its own site.”
Like all technologies, the initial rate of adoption is slow, but the fact that Dropbox, Microsoft, and most web browsers are on board gives WebAuthn the support it will need to continue its expansion. Millions of users today have the ability to log into their Microsoft account without using a password. What is important to note is that some people take longer to partake in new technologies…in some ways there has to be an incentive. Once WebAuthn becomes more widely known as a revolution in simpler and stronger user authentication, there won’t be a need for any sort of incentive. How long will it take for biometric authentication to become the “norm”? What makes you most hesitant to commit to this new technology?