As we all know passwords are a pain to use because they are difficult to remember. So many people get lazy and reuse passwords over and over again. This practise is very dangerous and hackers thrive on it. Most IT professionals recommend never reusing a password, using long passwords and a password manager to remember the passwords. Many will also advise to use multi factor authentication whenever available. This just means more verification is required to login such as a PIN sent via a text to your smartphone.
What if I told you that you can get away from the PAIN of passwords and the concern about how the online websites store them and hackers steal them? No passwords and no way for hackers to steal your credentials from the web site…it sounds to good to be true.
Introducing WebAuthn
All major browsers support it. Microsoft announced in November 2018 that their users can in to services such as Outlook, Office, Skype and Xbox live using this new method. With this technology you do not have to trust the website with a password or any secret such as your mother’s maiden name. This alone will make it more difficult for hackers.
Authentication
This uses something called public key encryption technology which authenticates you using a private key and public key pair. The private key is a secret that only you have stored on your PC/smartphone/etc, while everyone in the world can view the public key. The keys are different for every website and every user. This private/public key pair idea has been around a long time and is used all the time, mostly behind the scenes. For example anytime you browse a website with a lock to secure your interaction with the site you are using this technology. It has just not been used for user passwords by major players on the web until recently.
How does this work from a user perspective?
- You use your browser to go to a website like you do today;
- Behind the scenes the website will request authentication and your browser will pass this on to software on your PC called an authenticator (which stores the private key);
- The authenticator will then prompt you to grant permission.
How you grant permission does not matter to the website or authenticator. Some people might use a fingerprint scanner, some face recognition, some a PIN/password, others a biometric device or even a combination of the other methods; - Once authenticated you are logged in; and
- You have proved who you are without any secret leaving your possession.
Now it is up to the web sites designers and admins across the web to integrate this feature as Microsoft has already done. This may take a few years and I am looking forward to not using passwords.
For more information on cybersecurity and how you can keep you and your staff safe, contact TELECO’s sales team at 807-346-7264 or use the Contact us form.