From passwords to passkeys: Making authentication better
It’s a beautiful sunny day outside, and an even better weekend is coming. You decide it’s the perfect occasion to invite friends for a barbecue! How wonderful — could this day get any better? There’s just one little thing… you don’t have a barbecue. So, let’s log onto our favourite e‑shop and order one. Wait… what was the password? Hmm… my birthday? No… my cat’s name? No. Was there an exclamation mark? Let’s tr — oh no, I locked myself out. Day’s ruined. I’ll just cry in that corner.
Does this sound familiar?
Let’s face it — everybody hates passwords. The main reason may be that they are no longer fit for purpose. But how did we get here? And how can we make it better?
A brief history of passwords
The inception of password-based authentication is widely associated with the introduction of the first general-purpose time-sharing operating system (CTSS) in 1961.
With CTSS, multiple users could share a single computer system, each with their own private files. To protect access to personal files, the idea of creating a master document where usernames were associated with passwords seemed easy to implement and secure enough for its purpose.
Protecting stored passwords
Soon enough, the weakness of keeping a master document with every user's credentials in plain text became apparent. Skilled users could bypass the security controls to read it, and system administrators or anyone with access to backups could easily read the file or make copies of it without any oversight.
To address these security concerns, a new method for storing and validating credentials was developed with the arrival of the Unix operating system. Instead of keeping passwords in plain text, an encrypted version would be stored in the master file. When a user entered their credentials, the password was immediately encrypted, and the encryption result was compared to its stored version.
This approach ensured that even if someone gained access to the master file, it would not automatically allow them unauthorised access to user accounts. Since then, other techniques like “salting” and “peppering” passwords have been added to the mix (adding extra characters so that identical passwords result in different encryption outcomes), making credentials even harder to steal.
Want to try out different types of encryption? Check out CyberChef.
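The storage scheme described above, as an added worked example that is not part of the original article. The article calls the stored value "encrypted"; what Unix-style systems actually store is the output of a one-way function, so the example uses PBKDF2-HMAC-SHA256 from Python's standard library, a random per-user salt, and an optional pepper kept outside the user database. The `store` dictionary, the usernames and the passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256 (the OWASP-recommended floor); raise it as hardware gets faster.
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes, pepper: bytes = b"") -> bytes:
    """One-way derivation of a password: the same input always gives the same
    output, but nothing in the output lets anyone recover the password."""
    # The pepper (a secret kept outside the user database) is mixed in first, so a
    # stolen table of salts and hashes alone cannot be attacked offline.
    keyed = hmac.new(pepper, password.encode(), hashlib.sha256).digest() if pepper else password.encode()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, ITERATIONS)


def register(store: dict, username: str, password: str, pepper: bytes = b"") -> None:
    """Store (salt, hash) for a new user, never the password itself."""
    salt = secrets.token_bytes(16)            # fresh random salt for every user
    store[username] = (salt, hash_password(password, salt, pepper))


def verify(store: dict, username: str, password: str, pepper: bytes = b"") -> bool:
    """Re-derive the hash from the typed password and compare it in constant time."""
    if username not in store:
        # Do the same amount of work for an unknown user, so response time does
        # not reveal which usernames exist.
        hash_password(password, b"\x00" * 16, pepper)
        return False
    salt, expected = store[username]
    return hmac.compare_digest(hash_password(password, salt, pepper), expected)


def demo() -> tuple:
    """Two users pick the same password: thanks to the salt, their stored hashes still differ."""
    store = {}
    register(store, "alice", "correct horse battery staple")
    register(store, "bob", "correct horse battery staple")
    same_hash_stored = store["alice"][1] == store["bob"][1]
    return (
        verify(store, "alice", "correct horse battery staple"),   # right password
        verify(store, "alice", "Correct horse battery staple"),   # wrong case
        verify(store, "nobody", "anything"),                      # unknown user
        same_hash_stored,
    )


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

Two details matter more than they look: `hmac.compare_digest` avoids leaking how many leading bytes of the hash matched through timing, and hashing even for unknown users keeps "no such user" and "wrong password" indistinguishable from the outside.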
Making passwords stronger
Encrypting passwords added a layer of security, but it did not stop anyone from trying one value after another until they found the right one. The chosen passwords needed to be harder to guess.
Early recommendations suggested using passwords of at least five characters. This followed a study revealing that a 1‑character password from 26 lowercase letters could be guessed by a computer system in approximately 30 milliseconds. In contrast, a 6‑character password from all available characters would have taken 174 years with the technology of that time.
However, enforcing longer passwords alone was again found to be insufficient for guaranteeing a good level of protection. Another study revealed that most users often optimised for memorability, setting their passwords based on dictionary words, birthdays, and similar patterns. (This is, in fact, a very modern problem — if you want to have fun, check out the “Top 200 Most Common Passwords List | NordPass” from NordPass. If you see your password there… well, maybe it’s time to change it.)
So, in 2003, the National Institute of Standards and Technology (NIST) published an 8‑page document describing a series of recommendations that quickly became the industry standard we all know and love, such as: “Passwords need to use a mixture of capital letters, numbers, and symbols” or “Users should change their passwords every 90 days.”
The NIST publication has since been regularly updated, now favouring long but easy-to-remember passwords (e.g., There’sAPizzaOnThatRoof) and advising that users should only be asked to update their credentials if there are signs they may have been stolen.
And they lived securely ever after… or did they?
Sixty-three years after their inception (at the time of writing this), it seems we are still searching for the magic formula that will make passwords secure. When looking at data breach investigation reports, the consensus year after year appears to be that the vast majority of successful attacks involve a human element, with the key path leading to unauthorised access being… credentials! (Stolen, guessed, etc.)
If you’re curious, check out Verizon’s “2024 Data Breach Investigations Report | Verizon”.
Technology has rapidly advanced since 1961, with most companies moving their services to the Internet and requiring users to register. As a result, the number of passwords for the average user has increased exponentially. With so many passwords to manage, it’s easy to see how most people fall into the same old habits: choosing memorable passwords or easy patterns (e.g., starting with a capital letter and ending with an exclamation mark, re-using the same credentials for multiple accounts, or keeping their passwords written down in plain text somewhere).
The unfortunate side of this story is that while users keep making old mistakes, attackers keep getting better at exploiting them.
Making authentication stronger
Passwords seem to have outgrown their purpose. So, what can we do to keep them relevant and make authentication stronger? And what is authentication, anyway?
NIST defines “authentication” as the act of: “Verifying the identity of a user, process, or device, […] to allow access to resources in an information system.”
From this definition, we can extrapolate the three fundamental elements of authentication:
Identification: The assertion of an identity. Think of a username — this is the claim of being a specific user.
Verification: The “proof” that a user is who they claim to be. Think of the password — the proof presented to verify the claimed identity.
Authorisation: The ability of a verified user to access resources or perform actions.
Focusing on the “verification” element, we can further subdivide it into three main types or “factors”:
Knowledge factor: “Something you know.” A secret only the specific user knows (password, PIN, answer to a security question, etc.).
Possession factor: “Something you own.” A physical entity that the specific user possesses (smartcard, token device, key, etc.).
Inherence factor: “Something you are.” This is intrinsically unique to the specific user (face shape/features, fingerprints, voice, etc.).
So, if passwords are only one of the available types of authentication (specifically the knowledge factor), why not swap them for a different, more secure factor? It comes down mainly to two reasons: passwords are cheap to implement, and everyone nowadays knows what they are and how to use them. By contrast, consider the financial and cognitive costs of providing each employee with a physical token or implementing something like a fingerprint reader (not to mention the ethical difficulties with people rejecting the idea of having their biometric data stored somewhere).
Multi-factor authentication (MFA)
If completely changing the main factor of authentication is difficult, adding one or more extra factors to the mix has proven over time not only to be more achievable (especially following the rapid increase in smartphone sales in recent years) but also one of the most effective steps in enhancing the security of user accounts.
The number of factors used, their types, and their method of delivery have proven to be key differentiators in determining the likelihood of an account being compromised, with levels of protection reaching as high as 99.9% when using certain combinations of methodologies.
Let’s take a quick look at the most common types of multi-factor authentication currently available.
OTP (One-Time Password):
These are unique sets of characters or numbers that are valid for a single login session or transaction. They are usually generated by an algorithm and delivered to a user. The most common delivery method is through SMS, but phone calls and emails are also used.
If the delivery is through SMS or phone call, the extra factor would be “possession” since only the authorised user should possess the authorised device/number.
When delivered through email, on the other hand, it is a “knowledge” factor, as only the authorised user should know the email account where the code will be sent and how to access it.
TOTP (Time-Based One-Time-Password):
TOTP is a version of OTP where a code is generated based on three elements:
A cryptographic hash function
A secret key
A moving factor (time)
The most common delivery method nowadays is through software applications (think of authenticator apps on your phone).
And if you ever wondered why you need to scan that QR code when adding an account… Well, that’s the secret key!
The extra factor for TOTP would be “possession,” as only the authorised user should possess the device where the code is displayed.
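The three elements listed above (a hash function, a secret key and time) put together, as an added example that is not code from the original article. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with Python's standard library only: HMAC-SHA1 is the hash function, the secret key is the RFC test-vector key `12345678901234567890` (used here purely as a constructed example), and the moving factor is the number of 30-second steps since the Unix epoch. `provisioning_uri` produces the `otpauth://` key URI that the QR code carries, and `TotpVerifier` is an assumed server-side class showing the tolerance window and replay protection a verifier needs.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

SECRET = b"12345678901234567890"   # RFC 4226/6238 test-vector secret, constructed example only
STEP = 30                          # seconds per time step (the "moving factor")
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter replaced by the number of elapsed time steps."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """What the QR code scanned during enrolment contains: the otpauth key URI."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP}")


class TotpVerifier:
    """Server side: accept codes within +/- `window` steps of clock drift, each step only once."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret, self.window, self.last_counter = secret, window, -1

    def verify(self, code: str, at=None) -> bool:
        at = time.time() if at is None else at
        counter = int(at) // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c       # a used step can never be replayed
                return True
        return False


if __name__ == "__main__":
    print(provisioning_uri(SECRET, "alice@example.com", "Example Shop"))
    print(totp(SECRET, 59))   # 287082, matching the RFC 6238 SHA-1 test vector
```

The phone and the server never talk to each other: both derive the same six digits independently from the shared secret and the current time step, which is why a cloned secret (someone who photographed the QR code) yields valid codes forever, and why the server must remember the last accepted step to stop a stolen code from being reused.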
Push notifications:
Unlike the previous two methods, no one-time password is needed with push notifications. A user is sent a notification to their trusted device, and all they need to do is authorise or deny the request.
The extra factor for push notifications would again be “possession,” as only the authorised user should possess the device where the notification is sent.
And now surely they lived securely ever after… right?
Well… right-ish.
Implementing MFA is definitely one of the best steps forward in improving security, but it is not infallible. We can quickly rank the previously presented methods from weakest to strongest.
| Method | Strength | Risk |
|---|---|---|
| Email OTP | Weak | This is only as strong as the method of authentication used to access the email inbox. If it consists of a single password that happens to be the same as our first authentication method, our level of protection would be pretty low. If the email is protected by multi-factor authentication, the level of security improves significantly. |
| SMS/Call OTP | Medium | A determined attacker could try to convince the victim’s phone carrier (if you think it would be hard to pass through their security, check out this video) to move the number to a new SIM card (SIM swapping) or intercept phone calls. However, this kind of attack would require significant time and effort. |
| TOTP | Strong | An attacker would need a much more complex setup to intercept your code (which would likely be after you have entered it) or gain access to the TOTP produced by the authenticator, such as by stealing the secret key (e.g., someone watching you scan the same QR code when setting up the authenticator). Such attacks would involve a significant investment of time and effort. |
| Push Notification | Strong | An attacker would usually try to “tire” their victim by continuously attempting logins and flooding them with notifications, making them more likely to click “accept” just to make it stop. A way to mitigate this is to correctly implement push notifications by requesting the user to select or enter something specific that they can see on the screen. |
From the table above, it is clear that the type of factor chosen can make a significant difference to the level of security provided, as well as the number of factors used (the more, the better; best if chosen from different types, e.g., push notifications + biometrics using your phone’s fingerprint/face recognition).
One thing to bear in mind is that achieving a 100% level of security is not the goal, as this would be impossible. What we are trying to do is make ourselves harder to compromise so that attackers are less likely to invest their efforts in us and focus on those who are less savvy instead.
There’s a joke that summarises this well:
Two friends are walking through the woods when suddenly a vicious-looking bear starts walking toward them. The first man immediately opens his backpack, pulls out a pair of sneakers, and puts them on. The second man looks at him and says, “You’re crazy! You’ll never be able to outrun that bear!” To which the first man responds, “Oh, I know that. I don’t have to outrun the bear. I only have to outrun you.”
Moving beyond passwords
So now we have a better idea of how to protect ourselves through stronger authentication. This, however, does not solve our initial conundrum: we are still using passwords!
Well, the good news is that in 2012, an open industry association (FIDO) was founded with a clear mission to “help reduce the world’s over-reliance on passwords.” Since its foundation, it has grown to include over 250 members, including major names like Google, Apple, and Microsoft, and introduced several technologies that will help us finally get rid of passwords.
Password-less authentication has been with us for a while through methods like Single Sign-On (all those “Log in with Google” buttons you see) or magic links (enter your email address and get a link that will automatically log you in). But these methods just move the password somewhere else.
One of the latest technological advancements in this space seems promising enough to potentially remove passwords completely. It is called “passkey,” and the reason it looks so promising is that it does not require any passwords and is already natively supported by devices launched in the past few years (yes, your iPhone, Android phone, or laptop most likely already supports this!).
Passkeys work by registering a device with a service provider instead of relying on a user’s login details. The device must be able to generate a cryptographic key pair, which is then used for authentication: the provider stores the device’s public key, and the device keeps the matching private key together with the provider’s identity.
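The registration and login exchange described above, as an added example that is not code from the original article or from the FIDO Alliance. It is written with Python's standard library only, so the signature scheme is a small Schnorr signature built from scratch over a prime-order subgroup; the group is far too small for real use (production passkeys use P-256 ECDSA or Ed25519 inside the platform's secure hardware), but the protocol around it is the point: the provider only ever holds a public key, each login signs a fresh single-use challenge, and the device binds its signature to the site identifier it is talking to. `Authenticator`, `RelyingParty`, the site names and the user name are all assumed for the demonstration.

```python
import hashlib
import secrets

# Schnorr signatures over a prime-order subgroup of Z_P*, dependency-free. Key sizes
# here are illustrative only; real passkeys use P-256 ECDSA or Ed25519.


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test with random bases."""
    if n in (2, 3):
        return True
    if n < 2 or n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


Q = 2**89 - 1                       # subgroup order: the Mersenne prime M89
COFACTOR = 2
while not is_probable_prime(COFACTOR * Q + 1):
    COFACTOR += 2
P = COFACTOR * Q + 1                # field prime with Q dividing P - 1
G = next(g for g in (pow(h, COFACTOR, P) for h in range(2, 64)) if g != 1)   # order Q


def _hash_to_scalar(r: int, message: bytes) -> int:
    digest = hashlib.sha256(r.to_bytes(16, "big") + message).digest()
    return int.from_bytes(digest, "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1    # private key: never leaves the device
    return x, pow(G, x, P)              # public key: the only thing the provider stores


def sign(x: int, message: bytes):
    k = secrets.randbelow(Q - 1) + 1
    e = _hash_to_scalar(pow(G, k, P), message)
    return e, (k + x * e) % Q


def verify(y: int, message: bytes, signature) -> bool:
    e, s = signature
    r = pow(G, s, P) * pow(y, Q - e, P) % P     # g^s * y^-e recovers g^k
    return _hash_to_scalar(r, message) == e


class Authenticator:
    """The user's device: one key pair per site, looked up by the site identifier."""

    def __init__(self):
        self._creds = {}                 # rp_id -> (credential id, private key)

    def register(self, rp_id: str):
        x, y = keygen()
        cred_id = secrets.token_hex(8)
        self._creds[rp_id] = (cred_id, x)
        return cred_id, y

    def assert_login(self, rp_id: str, challenge: bytes):
        if rp_id not in self._creds:     # no passkey for this site: nothing to sign
            raise LookupError(f"no passkey registered for {rp_id}")
        cred_id, x = self._creds[rp_id]
        return cred_id, sign(x, rp_id.encode() + challenge)


class RelyingParty:
    """The service provider: stores public keys and issues single-use challenges."""

    def __init__(self, rp_id: str):
        self.rp_id, self._users, self._pending = rp_id, {}, {}

    def register(self, user: str, cred_id: str, pubkey: int) -> None:
        self._users[user] = (cred_id, pubkey)

    def begin_login(self, user: str) -> bytes:
        self._pending[user] = secrets.token_bytes(32)
        return self._pending[user]

    def finish_login(self, user: str, cred_id: str, signature) -> bool:
        challenge = self._pending.pop(user, None)   # a challenge is accepted at most once
        if challenge is None or user not in self._users:
            return False
        stored_id, pubkey = self._users[user]
        return cred_id == stored_id and verify(pubkey, self.rp_id.encode() + challenge, signature)


def demo():
    """Register, log in, replay the old assertion, then try from a look-alike site."""
    device, shop = Authenticator(), RelyingParty("shop.example")
    shop.register("alice", *device.register(shop.rp_id))
    challenge = shop.begin_login("alice")
    cred_id, sig = device.assert_login(shop.rp_id, challenge)
    first_login = shop.finish_login("alice", cred_id, sig)
    replayed = shop.finish_login("alice", cred_id, sig)
    try:   # a phishing page on another domain relays a genuine challenge
        device.assert_login("shop-example.evil", shop.begin_login("alice"))
        phished = True
    except LookupError:
        phished = False
    return first_login, replayed, phished
```

`demo()` returns `(True, False, False)`: the genuine login succeeds, replaying the same signed assertion fails because the challenge was consumed, and the look-alike site gets no signature at all because the device only has a passkey for `shop.example`. That last property is why passkeys resist the phishing that defeats passwords and OTP codes: there is no secret the user could be tricked into typing on the wrong page.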
The bad news is that, at the time of writing, despite the high number of devices supporting the technology, service providers are still slow to adopt it. This may be due to the investment required and the risk that the new authentication method might still be too complex for less tech-savvy users.
Towards a more secure future
So, will authentication get better? Will we finally move past passwords and be able to buy our barbecue without going through an existential crisis?
If you ask me, the future looks bright, although it may still take some time. In the meantime, I can only suggest a few things:
1. Use strong passwords. Just because “123456” is the most used password in the world doesn’t mean you should use it too. (Need some help? Check out Correct Horse Battery Staple | Generate Secure Memorable Passwords).
2. Use a different password for each service. This is not Mordor, and we do not want one login to rule them all.
3. Use a password manager. This will make points 1 and 2 much easier to achieve.
But most of all, don’t make attackers’ lives easy—use more than one factor of authentication!
As a last piece of advice, check out Have I Been Pwned to see if your email has been compromised in a data breach. And who knows, if something comes up, it might be a great opportunity to put into practice all you’ve just learned.