(Toronto) Anna Pobletts has spent the past few years on a mission to make passwords a thing of the past, but passkeys, the technology that could replace them, had never been on the cusp of wide consumer adoption before this year.
“We see very large sites like eBay, Best Buy and Google, which announced in early May that it would support passkeys on Gmail accounts,” said Ms. Pobletts, head of “passwordless” at 1Password, a Toronto-based password management company.
“It’s really a tipping point, when all of a sudden, a billion users can add passkeys (to their Gmail account), if they want to.”
Gmail’s decision followed those of Apple, Shopify, Microsoft, DocuSign and PayPal, which already supported passkeys, a digital credential that relies on cryptography and can unlock an account simply by “reading” a face or fingerprint on a phone.
Specialists consider passkeys more secure than passwords because there is no string of characters, numbers and symbols for the user to remember, and none for an attacker to guess. They do not need to be rotated, cannot be obtained by guessing or by looking over a user’s shoulder, and cannot be entered by accident on the wrong website.
“Passkeys are so exciting because they are […] actually more efficient and safer,” argued Claudette McGowan.
After 19 years at the Bank of Montreal and nearly three years at TD Bank, Ms. McGowan recently founded Protexxa, a Toronto-based platform that leverages artificial intelligence to quickly identify and resolve employee cybersecurity issues.
During her years in banking, passwords were the main vulnerability.
“When things went off the rails, it was never because the encryption wasn’t working or the firewalls weren’t working,” said Ms. McGowan. “There was always a human at the center of the problem.”
Passkeys, however, are a defense against phishing attacks, in which people are tricked into handing their passwords to attackers who email or text them links to login pages posing as legitimate companies.
Solution to Phishing
All 2,000 respondents to an online survey conducted for 1Password in January said they had received a phishing message in the past year, or knew someone who had received one.
Passkeys defeat phishing largely because of their structure. A passkey, according to 1Password, has two mathematically related parts: a public key, which is shared with the website or app where one holds an account, and a private key, which never leaves the user’s device.
When logging in, the website or app server sends a random “riddle” (a challenge) that can only be answered with the private key, and the device releases the private key for that purpose only after the user unlocks it, for example with biometrics. Once the signed answer checks out against the stored public key, the service knows the matching private key was used and logs the user in.
Neither key can be derived from the other. Without physical access to the device and a way to unlock it, such as a fingerprint or face, no one can log into a passkey-protected account.
So why didn’t the world rush for access keys sooner?
“Passwords are a 60-year-old technology,” said Andrew Shikiar, CEO and Chief Marketing Officer of the Fast IDentity Online (FIDO) Alliance.
“It’s hard to replace them because they’re really ingrained in everything we do and they have the advantage of being ubiquitous. You can enter a password anywhere and you know how to do it.”
Passwords became the norm in part because of the late Fernando Corbató, a computer scientist at the Massachusetts Institute of Technology (MIT).
In the 1960s, MIT researchers like Corbató used the Compatible Time-Sharing System (CTSS), on which users in different locations could simultaneously access a single computer over telephone lines.
The system offered little file privacy, so Mr. Corbató introduced the password, which was eventually adopted by just about every company looking to protect access to its files and systems.
But the FIDO Alliance, a global group aimed at reducing data breaches, would like to disrupt this reliance on passwords.
“The vast majority of data breaches are caused by passwords, so really, by solving the password problem, you solve the data breach problem,” Shikiar argued.
And the FIDO alliance has many allies in its fight.
Its members include 1Password, Google, Apple, eBay, Amazon, Twitter, Facebook owner Meta and PayPal, American Express, Sony and TikTok. 1Password will begin supporting passkeys on June 6 and will allow users to unlock their 1Password account with a passkey in July.
Some have joined because they see people abandoning their online shopping carts when they can’t remember their passwords, while others just want to make their products more secure or easier for customers to use.
But adapting websites, apps, servers and more to accept passkeys “can be tricky,” said Ms. Pobletts.
“It’s obviously more complex than passwords, partly because it’s new.”
Education and adaptation period
The FIDO Alliance has created standards to help businesses make the switch, and Mr. Shikiar is confident that household names embracing technology will inspire others to adopt passkeys.
But for the technology to truly be a success, the public will need education, say Mr. Shikiar and Ms. Pobletts.
1Password’s survey found that only a quarter of respondents had heard of passwordless technology and 42% are not yet using biometric login.
Some have misconceptions about how either technology works, said Ms. Pobletts.
“Sometimes people don’t realize that biometric data is not sent to websites. It’s not stored by Apple and no one really keeps the fingerprint data or the retina scan,” she explained.
“But once people know and understand that biometric data is safe […], they are really comfortable with it.”
Mr. Shikiar also expects people to adapt to passkeys gradually, as they won’t all be implemented at once.
Many companies will encourage customers to try them out while maintaining a password, which they will rely on less and less over time, before this technology is completely phased out.
“There’s a happy inevitability about that,” he said, adding that he thinks within the next three years most services will offer passkey support.
“No one is begging ‘oh my God, give me more passwords’, whether it’s a consumer or a business. Everyone is ready to get rid of it.”