Throughout the entire month of January, The Fintech Times will be exploring every dimension of one of the industry’s most pressing topics: cybersecurity.
With passwords forming the primary line of defence between personal, sensitive data and cybercriminals, they remain steadfast in the fight against fraud. However, is their future uncertain? We asked several industry experts to get their thoughts on the future of password security.
Consumer vs Business
Michael Crompton, Founder & CEO of Forghetti, said:
“There are currently two very different sectors in password security – consumer and business. There are numerous business sector solutions available that are primarily focused on using a single sign-on to then access multiple systems without passwords securely.
“These are not available to the general public, both due to cost barriers of entry and technical know-how, and this is the challenge of the future, as the weakness in all systems is the user's inability to maximise their security. It takes effort.
“Currently the solution for consumers is provided for by Google and Apple with their keychains and password vaults. This is certainly much better than having passwords written down, but one should ask if it makes users even more reliant on these big tech giants. With many people having a mix of technology in their households, the systems need to work so that users can share passwords securely across any devices.
“Ultimately the Apple and Google solutions are still also based on the same principal technology, storing passwords in an encrypted vault which is itself secured with a password.
“The future of passwords is to enable users to forget passwords completely. Biometrics can take us one step towards this, however when the biometrics fail (due to damaged skin, or face masks for example), the fallback is a password or PIN number.
“Given that the average person has over 100 services that they log on to, and this is an ever-growing number, we need to enable people to be able to log in to all types of services, not only those using cutting edge technology. A service like forghetti does this well and asks the user to remember a simple doodle rather than any passwords at all. With future developments, the ease of use of this type of system and the integration of biometrics to support this paves the way for a very peaceful and secure mind.”
BitK, Ethical Hacker at YesWeHack, said: “Securing your systems with complex passwords is the first line of defence and cannot be overlooked.
They continued: “While it may be easier to use the same password across multiple accounts, it also plays into the hands of hackers who only need to gain access to one in order to infiltrate every account.
“Researchers have displayed that good security is found in the length of a password, and using a password of 12 characters will make a substantial impact on your account's security, rather than opting for the typically recommended 6-character versions with the use of a special one. The method we’d recommend would be the use of full sentences, including spaces. For more advanced password security, incorporation of foreign characters in passwords should be strongly considered, as this is usually overlooked by hackers.
“The future of password security should involve widespread adoption of longer passwords and diversification of passwords used across accounts. With password managers now widely available, the difficulty of remembering more complex passwords is no longer a concern for most users. Although it should be noted that with many more organisations and online platforms such as online banking now implementing two-factor authentication as industry standard to increase protection, the reliance on a single password is lessening.”
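The length-versus-complexity argument above can be made concrete with a keyspace estimate. The following is an added example written for this article, not code from YesWeHack or the speaker: it sums the sizes of the character classes a password draws from and reports an upper-bound strength in bits, assuming each character was chosen uniformly at random. The sample passwords are constructed for illustration; the class sizes are the printable ASCII set, and any character outside it (an accented letter, say) is counted conservatively as one extra symbol. Because the uniform-choice assumption flatters human-chosen words, a second function gives the honest figure for a passphrase built from a word list of a known size.

```python
import math
import string

# Character classes assumed for the estimate (printable ASCII only).
_CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
    "space": {" "},                         # 1
}


def charset_size(password: str) -> int:
    """Sum the sizes of every character class the password draws from."""
    present = set(password)
    size = 0
    for members in _CLASSES.values():
        if present & members:
            size += len(members)
    # Characters outside the ASCII classes (e.g. accented letters) are counted
    # as one extra symbol each: a conservative floor rather than a guess at the
    # size of the foreign alphabet.
    size += sum(1 for c in present if not any(c in m for m in _CLASSES.values()))
    return size


def entropy_bits(password: str) -> float:
    """Upper-bound strength in bits: every character assumed uniformly random
    over the detected classes. Dictionary words score far lower in reality."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(n_words: int, dictionary_size: int) -> float:
    """Strength of a passphrase of n_words words drawn uniformly from a list."""
    return n_words * math.log2(dictionary_size)


# Constructed sample passwords matching the three policies discussed above.
EXAMPLES = {
    "6 chars, mixed case + symbol": "Pa55w!",
    "12 lowercase letters": "greenteacups",
    "sentence with spaces": "my cat naps on warm bricks",
}


def compare() -> dict:
    """Return each sample's estimated bits, rounded to one decimal."""
    return {label: round(entropy_bits(pw), 1) for label, pw in EXAMPLES.items()}


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:30s} {bits:6.1f} bits")
    # Five words from a 7776-word (diceware-style) list, chosen at random.
    print(f"{'5 random list words':30s} {passphrase_bits(5, 7776):6.1f} bits")
```

The 6-character mixed password lands near 39 bits, the 12-letter lowercase one near 56, and the short sentence above 120, which is the speaker's point: adding length beats adding a special character. The passphrase figure (about 65 bits for five random words) is the number to trust when the words are picked from a list rather than typed at random.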
The Effects of Remote Working
Caroline Wong, Chief Strategy Officer at the cybersecurity company Cobalt believes the continuation of remote working will see even more emphasis on password security and best practices in organisations.
“The pandemic led to a remote work culture most organisations were not prepared for in terms of security and technology,” she said. “Companies of all shapes and sizes were forced to step up their cybersecurity game to manage the increased risk of insecure home Wi-Fi, employees using their personal devices for work activities, and insecure password management on said devices and remote access accounts.
“Password vulnerabilities are a critical issue. According to GoodFirms, a whopping 30% of IT professionals reported password leaks and security breaches due to poor password practices and weak password setups. To address this growing concern, I’ve seen more and more companies encourage the use of strong, unique passwords, which are the first line of defense against cybercriminals breaking into online accounts and stealing data.
“It’s imperative that organisations and individuals store passwords in a way that prevents them from being obtained by an attacker – even if the application or database is compromised. Password managers provide a secure place to store passwords and easy access to them. I expect the use of password managers will become even more prevalent in 2022.
“In 2022, we will also see the increased utilisation of Multi-Factor Authentication (MFA). By requiring one or more additional verification factors, MFA enables organisations to decrease the likelihood of a successful cyber attack.
“Also, I anticipate an increase in cybersecurity awareness training and programming at both the SMB and enterprise levels. Cybersecurity training ensures your best wall of defense – your teams – know the basic password do’s and don’ts.”
Craig Lurey, CTO and co-founder of Keeper Security, a password manager, believes “password fatigue” could be a real issue.
He said: “The immediate future of password security is going to be a larger shift towards tech that automates password security protocols on its own.
“Password fatigue is real – everyone is sick of creating a new, strong, unique password. And then having to remember it. We’re going to see a movement to password management software that takes the burden of password creation and memorisation off of consumers.
“We’re also going to see more widespread adoption of two factor authentication (2FA). Most of the top players already have this as an option, but it may become mandatory for websites seeking to avoid large scale data breaches as cybercrime rises. 2FA will also become mandatory internally for many businesses, both big and small, as employees shift permanently to remote or hybrid work.
“Also, with this shift to permanent remote or hybrid work, smaller businesses will begin adopting password management systems for all team members. Employees are often using both personal and work devices, which can lead to cross-contamination of personal and professional passwords, creating opportunities for cybercriminals to infiltrate the entire organisation’s system.”
The end of passwords altogether
The CEO of authID.ai, Tom Thimot, believes the future of password security is “one without passwords altogether.”
“The term ‘password security’ implies that passwords can be truly secure, but the staggering, rising rates of successful password phishing and spraying tell another story. Given widespread password reuse, conventional user-generated passwords can no longer sufficiently protect against the many highly skilled cybercriminal networks. As such, organisations of all sizes and industries should reject passwords as a critical part of digital security. Facial biometrics – the use of one’s physical attributes to verify identity – is the modern alternative for which the market has been yearning,” he said.
“Also called ‘facial mapping’, facial biometrics is already well on its way to overtaking vulnerable, legacy security tools like one-time passwords and knowledge-based authentication (think, your mother’s maiden name or the make of your first car). Biometrics simplifies a person’s facial topography into an encrypted, anonymised mathematical code, securing the assets or account being accessed while protecting the user from nefarious digital tracking. This technology addresses passwords’ fatal flaw: there’s no need to remember anything and, when combined with liveness AI, it can’t be easily spoofed by bad actors.
“Already, tech behemoths and U.S. federal agencies have deployed facial biometrics to better secure their platforms. We’re also seeing considerable interest across industries: In our 2021 Fintech Security Report, a market survey we conducted with top fintech and banking leaders, we found that 75 percent of executives are somewhat or highly concerned about the risks associated with legacy identity protection options. Seventy percent are also likely to consider facial biometric identity authentication as an alternative during the next year. We at authID.ai see that the future of password security is already here. And the market couldn’t be more excited to wave goodbye to passwords altogether.”
Elad Sherf, Global Head of Defence at Performanta, agrees with this, saying:
“The future of password security is, frankly, that they will cease to exist. We’re heading into a ‘password-less’ future, with organisations and websites seeking other ways to identify you going forward.
“The revolution of readily available biometrics with our phones now able to scan our faces or fingerprints will change the way password security works entirely. This is a huge trend that will continue in 2022 and beyond, and it makes perfect sense.
“Put in a real-world scenario, password security seems so weak. Imagine the vaults of Fort Knox unlocking after someone says or types in ‘the magic word.’ It’s so rudimentary that it seems almost crazy how an inordinate amount of data is relying on being kept hidden behind this basic level of security.
“Biometrics is one way password security is set to change, but with artificial intelligence now stronger than we’ve ever seen it before and advancing rapidly, we could see a whole new league of security developing in the coming years.
“We’re getting to a stage where a system will soon be able to simply recognise you. It will do so by identifying the user behaviour and associating it with you just being you, smartly tracking your words, activity and everything you do with the system you’re using.
“From a cybersecurity perspective, this is far safer than a rudimentary password, and certainly needed in the current climate with attacks rising exponentially year on year.
“One of the key benefits of a password-less future is that we move beyond two (username & password) or three (including MFA) pieces of information to identify a user; moving to a posture- and telemetry-based authentication method will allow us to provide far more granular levels of security access depending on these. This is ideal in a world where zero-trust is quickly, and rightly, moving to the forefront of security managers’ ‘to do’ lists for the year. Granting a user access to certain systems based on posture information is ideal – for example, you can check email on your phone, but only log into your finance system on your work-provided laptop.
“The question remains, though, as to the best way to start to implement this in your organisation.”
However, James Bore, Director of Bores Consultancy, disagrees with this entirely.
He concludes: “There’s a lot of talk about passwordless, smart cards, dongles, tokens, and similar, and there might be something in that. However, I don’t believe the password is going anywhere fast – the concept has been with us for millennia and, while it has serious flaws, to paraphrase a certain politician, ‘passwords are the worst form of authentication, except for all the others that have been tried’.”
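The posture-based access the speaker describes (email from a phone, the finance system only from a work-provided laptop) comes down to a policy engine that evaluates device and authentication signals per resource. The block below is an added example written for this article, not code from Performanta or the speaker; the policy table, the posture attributes and the helper names are constructed for illustration, and in a real deployment the posture values would be fed from device-management and endpoint telemetry rather than set by hand.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Device:
    kind: str          # "phone" or "laptop"
    managed: bool      # enrolled in the organisation's device management
    patched: bool      # OS at the required patch level


@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool   # whether a second factor was presented this session
    resource: str      # "email" or "finance"
    device: Device


@dataclass(frozen=True)
class Rule:
    device_kinds: Set[str]   # device types the resource may be reached from
    managed: bool            # require an organisation-managed device
    patched: bool            # require a patched OS
    mfa: bool                # require MFA for this resource


# Constructed policy table for the example: email from any device, the finance
# system only from a managed, patched laptop with MFA. Unknown resources are
# denied by default.
POLICY: Dict[str, Rule] = {
    "email": Rule(device_kinds={"phone", "laptop"}, managed=False, patched=False, mfa=False),
    "finance": Rule(device_kinds={"laptop"}, managed=True, patched=True, mfa=True),
}


def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). The reason is what an audit log should record."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, f"no policy for resource {req.resource!r}: default deny"
    if req.device.kind not in rule.device_kinds:
        return False, f"{req.resource} not permitted from a {req.device.kind}"
    if rule.managed and not req.device.managed:
        return False, "device is not organisation-managed"
    if rule.patched and not req.device.patched:
        return False, "device is missing required OS patches"
    if rule.mfa and not req.mfa_passed:
        return False, "MFA required for this resource"
    return True, "allowed"


if __name__ == "__main__":
    phone = Device(kind="phone", managed=False, patched=True)
    work_laptop = Device(kind="laptop", managed=True, patched=True)
    for req in (
        Request("alice", mfa_passed=False, resource="email", device=phone),
        Request("alice", mfa_passed=True, resource="finance", device=phone),
        Request("alice", mfa_passed=True, resource="finance", device=work_laptop),
        Request("alice", mfa_passed=False, resource="finance", device=work_laptop),
    ):
        allowed, reason = evaluate(req)
        print(f"{req.user} -> {req.resource:8s} from {req.device.kind:6s}: {allowed} ({reason})")
```

Every denial carries a reason string, which matters for two things the quote does not mention: the user can be told what to fix (enrol the device, finish MFA), and the security team can see from logs which posture check is failing most often.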