In 1961, when MIT was leading the world in computing activity and innovation, its computer scientists, under the direction of Professor Fernando Corbató, built the Compatible Time-Sharing System (CTSS). The system allowed multiple users to access a shared mainframe. It was around the same time that passwords were born. When several users wanted their own private access to the terminals, Corbató created the first digital password to solve the problem. The birth of passwords also introduced the concept of login and authentication in the digital world.
The First Password and the Case of First Password Theft
Allan Scherr, one of the CTSS researchers, wasn't happy with the hours allotted to him on the system to complete his work. He wanted more time, and he started looking for loopholes in the system. His privileged system access to one of his projects helped him buy unlimited access without getting discovered. When his project concluded, he lost his privileged access, but soon enough he found another loophole that gave him unlimited access to the system. All he did was submit a simple request to the system to print out the master password file. In 1966, Scherr obtained a complete list of everyone else’s passwords and became the first computer password hacker.
Passwords Have Security Flaws
According to Corbató, this whole story demonstrated the limitations of password security. In a 2014 interview with the Wall Street Journal, Corbató called passwords “kind of a nightmare.”
Corbató’s passwords were not created for high-level security; they were meant as a mechanism to keep users’ files distinct. And when Scherr played around with the system, it became known that passwords can easily be breached.
Passwords are security threats — that was true in 1961, and it’s still true today.
From that time to now, digital identity and authentication systems have evolved, but passwords remain largely the same — risky and vulnerable. As computers became more accessible, hackers started to target them more frequently, with increased intensity and improved sophistication.
The Digital Identity Crisis: The Problem with Password-Based Identity
In 2021, the Verizon Data Breach Investigations Report revealed that 89% of web application breaches were caused by passwords through stolen credentials or brute force attacks.
Hackers attack passwords to steal identities. The compromised data is then used to breach an organization's resources and access sensitive information. It was not until hacking became serious and widespread that there were global talks of replacing password-based identities with alternative methods that provide more secure means.
Over the past few years, authentication has improved only in terms of augmenting the protection of passwords. But cybercriminals continue to use a wide range of techniques and procedures to gain unauthorized access by breaking into password-based identities. Traditional multi-factor authentication (MFA) methods that were designed to protect the password-based identity end up relying on passwords as the key factor of authentication. The second factor is also often vulnerable to password-based attacks.
While MFA was developed to protect against attacks on weak and stolen credentials, attackers can still work their way around the additional factors in use today through effective social engineering. Attackers can send MFA requests over and over again to the user’s device until the user accepts one, allowing the attacker to gain unauthorized access to the system.
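Repeated MFA requests of this kind leave a recognizable trace in authentication logs. The following detection sketch is an added example, not code from the original article: the event format, result values, thresholds and the function name `detect_push_fatigue` are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, user, push result.
SAMPLE_EVENTS = [
    ("2024-01-10T02:14:05", "alice", "denied"),
    ("2024-01-10T02:14:40", "alice", "denied"),
    ("2024-01-10T02:15:10", "alice", "timeout"),
    ("2024-01-10T02:15:55", "alice", "denied"),
    ("2024-01-10T02:16:30", "alice", "approved"),   # gives in after a burst
    ("2024-01-10T09:00:12", "bob", "approved"),     # normal login
    ("2024-01-10T13:30:00", "bob", "timeout"),      # one missed prompt
    ("2024-01-10T13:30:45", "bob", "approved"),
    ("2024-01-10T11:00:00", "carol", "denied"),
    ("2024-01-10T11:00:30", "carol", "denied"),
    ("2024-01-10T11:01:00", "carol", "denied"),
    ("2024-01-10T11:01:20", "carol", "denied"),     # burst, never approved
]

def detect_push_fatigue(events, window=timedelta(minutes=5), threshold=3):
    """Flag users who receive `threshold` or more unapproved MFA prompts
    inside `window` (hypothetical rule, thresholds are assumptions).

    Severity is "high" when an approval arrives while the burst is still
    inside the window (the user may have given in), "medium" otherwise.
    """
    recent = defaultdict(deque)   # user -> timestamps of unapproved prompts
    alerts = {}
    for ts, user, result in sorted(events):   # ISO timestamps sort in time order
        when = datetime.fromisoformat(ts)
        queue = recent[user]
        while queue and when - queue[0] > window:
            queue.popleft()                   # drop prompts older than the window
        if result == "approved":
            if len(queue) >= threshold:
                alerts[user] = "high"         # approval directly after a burst
            queue.clear()
        else:
            queue.append(when)
            if len(queue) >= threshold:
                alerts.setdefault(user, "medium")
    return alerts

if __name__ == "__main__":
    for user, severity in detect_push_fatigue(SAMPLE_EVENTS).items():
        print(f"{severity:6} possible MFA prompt bombing against {user}")
```

A "high" alert is the case worth an immediate session review, since the approval may not have come from an attempt the user started.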
Additionally, phishing actors cheat users into giving up their credentials by using man-in-the-middle pages and reverse proxy tools. The legacy MFA that involves voice calls, registering phone numbers for SMS text messages, or supplying one-time codes is vulnerable to phishing attacks due to password-based identity.
That said, the problem is not with passwords alone; the root cause is the way customer identity has been designed. Digital identities today are extremely simple to understand, portable to convey, and discrete, which makes them stealable. Due to this simplified nature of digital identities, they solely rely upon strong passwords, a secret that no longer remains a secret as soon as it’s typed on a computer connected to a network.
With rising incidents of password-based security threats, governments across nations are now emphasizing a password free cryptographic customer identity for stronger authentication and access control.
Password Free Future: The Business Case
A 2023 study conducted by the Thales Group reveals that over a third of businesses (37%) across the globe have experienced a data breach in the last 12 months. Most of the incidents had the employee as the weakest link in the security chain. More often than not, the cause is a small but harmful mistake made unknowingly, such as a weak, easy-to-remember password. Hybrid working becoming the new normal opens up a whole new host of cyberattack opportunities.
In 2002, at the RSA Conference, Bill Gates predicted the death of the password. He stated: “There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”
With an increasing number of password-based cyberattacks, the verdict is clear − passwords have run their course, and now it’s time to navigate the future of customer identity through password free and cryptographic identity.
A Futuristic Approach to Customer Identity
Password free and cryptographic identity along with the adoption of the Zero Trust Model based on the principle “Never Trust, Always Verify,” is the way forward. This new approach to identity fraud and data breach prevention enables digital trust and privacy for everyone while ensuring secure and painless experiences.
A password free identity helps in achieving mutual authentication and MFA that provides the following:
- An integrated identity - authentication approach
- Complete elimination of passwords
- Control over which users and devices can access sensitive information
- A frictionless and consistent login experience across all supported devices
The three easily recognizable benefits of password free identity include:
- Identity cannot be compromised
- Security isn’t dependent on a secret that the user has to protect
- Users need not be educated about passwords, and admins need not create and enforce password policies
The most commonly used password-less authentication systems, such as touch IDs, retina scans, and face recognition, are hackable unless they are used with a password free digital identity. True multi-factor authentication must be performed only after a successful mutual authentication between client and server. We are moving to cryptographic digital identity to provide authorized users with seamless and secure access. Cryptographic tokens have the advantage of being usable across multiple platforms and devices.
Embracing a Password Free Digital Ecosystem
Password free and cryptographic digital identity will lead to a password free digital trust ecosystem that thrives in Identity, Authentication, Access and Authorisation without passwords. This ecosystem will be the key to securing identity for everyone and everything in the digital era.
The future of customer identity lies in embracing password free and cryptographic identity ecosystems. Relying on password based identity has proven to be risky and vulnerable, leading to numerous data breaches and security threats. Governments and cybersecurity experts are urging organizations and individuals to adopt password free identity to enhance security and prevent password-based attacks.
Passwords are still dominant, but now it’s time to question the norm, scrutinize the password-based identity design, assess password free digital identity systems and begin investing in these advanced security measures to take the battle away from password-based environments. We are increasingly heading toward a password free future. The good news is that password free and cryptographic identity is not a futuristic dream; the technology is already here and it is in use.
FortyTwo Labs Leading the Way
FortyTwo Labs has been working with enterprises, banks, governments, and defense units to transform their password-dependent identity environment into a password free and quantum-safe digital trust ecosystem. Through its patented I-AM® technology, it has been delivering password free, cryptographic identity, authentication, and zero trust access.
Contact us to learn more about how FortyTwo Labs can help you build a password free and cryptographic identity ecosystem.