In recent years, there has been an alarming increase in the number of passwords a person must remember. Employees of small and medium-sized companies use up to 85 passwords, according to a LastPass report, while those of large companies use about 25 on average. Tech giants like Apple and Google are trying to develop solutions so that users don’t have to memorize all these credentials, and to make sure they are secure. But will passwords as we know them today really disappear?
With its latest operating system for the iPhone, Apple has released access keys. Or, in the company’s words, “a password replacement.” “They are faster to log in, easier to use and much more secure,” says the company. This new system allows the user to access any application or service through Face ID or Touch ID, Apple’s facial recognition and fingerprint identification systems. That is, without typing any password by hand.
Among the advantages of access keys, Apple mentions that they are more resistant to phishing (a technique to get hold of a user’s personal and bank details by posing as a company or institution that they know). Josep Albors, director of research and awareness at ESET Spain, considers that this system is more secure than traditional passwords. “It prevents us from entering our credentials in fraudulent sites prepared to steal them, since the identification as users is managed in a point-to-point encrypted way between our device and the online service that we want to access,” he says.
How do Apple access keys work?
When the user creates one of these access keys, the operating system generates a unique cryptographic key pair to associate with an application or website account. Garrett Davidson, an engineer with the company’s authentication experience team, explains that one of these keys is public and stored on Apple servers, while the other is secret and remains on your device at all times. “The server never learns what your private key is, and your devices keep it secure,” he says.
Then, when the user attempts to log into one of their accounts, the website or application server sends a “challenge” to the device. The private key is the only one that can solve it. The public key is then used to check if the solution is valid, but it cannot crack the challenge by itself. “This means that the server can be sure that it has the correct private key, without knowing what the private key actually is,” explains Davidson.
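The exchange described above, as an added example that is not Apple's code or part of the original article: a simplified challenge-response in Node.js in which the device signs the server's challenge together with the origin it sees. Binding the origin into the signed data is an assumption standing in for how the sign-in is tied to the real site; the function names, the JSON message layout and the example.com/.test origins are constructed for illustration.

```javascript
// Added example: simplified passkey-style challenge-response (not the real wire format).
const crypto = require("node:crypto");

// Registration: the device creates a key pair; only the public key leaves it.
function registerDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { device: { privateKey }, serverRecord: { publicKey } };
}

// Server side: issue a fresh random challenge and remember it until it is used once.
const pending = new Set();
function issueChallenge() {
  const challenge = crypto.randomBytes(32).toString("base64url");
  pending.add(challenge);
  return challenge;
}

// Device side: sign the challenge together with the origin the device actually sees.
function deviceSign(device, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin }); // assumed message layout
  const signature = crypto.sign("sha256", Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server side: check challenge freshness, then origin, then the signature.
function serverVerify(serverRecord, expectedOrigin, { clientData, signature }) {
  const { challenge, origin } = JSON.parse(clientData);
  if (!pending.delete(challenge)) return "rejected: unknown or reused challenge";
  if (origin !== expectedOrigin) return "rejected: wrong origin";
  const ok = crypto.verify("sha256", Buffer.from(clientData), serverRecord.publicKey, signature);
  return ok ? "accepted" : "rejected: bad signature";
}

// Constructed demo: a normal login, a replayed response, a look-alike site, a wrong key.
function demo() {
  const ORIGIN = "https://shop.example.com"; // placeholder origin
  const { device, serverRecord } = registerDevice();
  const good = deviceSign(device, issueChallenge(), ORIGIN);
  const results = { legit: serverVerify(serverRecord, ORIGIN, good) };
  results.replay = serverVerify(serverRecord, ORIGIN, good);
  const lookalike = deviceSign(device, issueChallenge(), "https://shop.example.com.login.test");
  results.phished = serverVerify(serverRecord, ORIGIN, lookalike);
  const other = registerDevice().device; // a different private key
  results.wrongKey = serverVerify(serverRecord, ORIGIN, deviceSign(other, issueChallenge(), ORIGIN));
  return results;
}
console.log(demo());
```

The server stores only `publicKey`, so nothing it holds can produce a valid response, and a response captured once or produced on a look-alike origin is refused.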
Access keys are encrypted and synced across all your Apple devices using iCloud Keychain. If a device is used that is not compatible with this cloud storage system, a QR code is generated that must be scanned with the iPhone. Although this login method seems quite promising at first, not all apps currently support it.
The problems with traditional passwords
Doing away with passwords is one of the main challenges big technology companies face in solving some of the web’s security problems. The FIDO Alliance, which aims to ditch traditional credentials, includes companies like Apple, Google and Microsoft. Microsoft’s proposal, according to Albors, is very effective at replacing passwords with numerical codes generated by an app installed on the mobile phone, “although Apple’s wins in terms of convenience and user experience.” Google, the Mountain View company, has also been setting “the stage for a future without passwords for more than a decade.”
Among the disadvantages of traditional credentials, Fernando Suárez, president of the General Council of Official Colleges of Computer Engineering (CCII), points out that users must generate one for each service (or at least that is what is recommended) and memorize it or save it in a password manager. But they don’t always do so. A Google survey indicates that 13% of Americans use the same password for all their accounts and 52% use the same one for several services (although not for all).
On top of this, the most used passwords are “the simplest”: from “123456” to “qwerty”, by way of “password”, “111111” or “i love you”, according to the NordPass credential manager. “Replacing them with biometric systems, based on the physical characteristics of each individual, allows their identity to be authenticated quickly and reliably,” says Suárez.
Nuria Andrés, cybersecurity strategist at Proofpoint for Spain and Portugal, points out that passwords form a first critical barrier between the user, the attacker and a successful cyberattack. “Even in a best-case scenario, where a person accesses a web service with a unique and fairly strong password, it’s possible to launch a targeted attack that reveals those keys and leaves them in the hands of cybercriminals,” she says.
The limitations of a world without passwords
Given the potential of Apple’s access keys to end some password security problems, it is still too early to assess their possible limitations. “By the way, one of the inherent problems with authentication systems that use biometric identification is that it cannot be changed,” says Albors. This is the downside of using something you uniquely own, like your face or fingerprints, versus something you know, like passwords. In addition, the expert points out that, in exceptional cases, someone could access a user’s account if they are able to get through facial identification. A team of researchers from Tel Aviv University in Israel claims to have discovered a way to bypass a large percentage of facial recognition systems.
Suárez sees two possible drawbacks to Apple’s new system. For starters, biometric systems are not foolproof. “A password or PIN is required to be used as an alternative in the event that the biometrics do not work due to a broken camera or any other cause,” he says. In addition, “by storing the private key on the device itself, if we lose it, access to services based on this technology is not immediate.”
The end of passwords?
Although several companies have been announcing the disappearance of traditional passwords for years, it remains an unfulfilled promise today. Jordi Serra, professor of Computer Science, Multimedia and Telecommunications Studies at the Open University of Catalonia (UOC), agrees that Apple’s proposal is not yet sufficiently implemented. “It’s a step further to be able to remove passwords in the short term, but it will still take time for these systems to become more usable and secure,” he says.
More than half of information technology specialists would like to protect their accounts through an alternative method to passwords and consider that the use of biometric systems would increase the security of their organizations, according to a report by the Ponemon Institute. Albors believes that traditional credentials will inevitably disappear because they are ineffective at protecting authentication, given the sheer number of online services and the tendency of users to create easy passwords and reuse them. When that will happen is still unknown: “Although this date is getting closer, it depends on the acceptance of the different solutions that are currently offered.”