Big Tech drives the shift beyond passwords


Passwords, no matter how long or complex, just don’t do the job anymore. The move towards passwordless identification is unavoidable, a top Dashlane executive told Cybernews.

Security firm Mandiant had its X account taken over recently, something that might have been avoided with a simple 2FA setup. The result? A crypto scam spread from what was supposed to be one of the industry’s most trusted sources.

When even security pundits can’t properly secure their accounts, how can they expect it from us? The vast majority of people are cybersecurity amateurs who, despite knowing the dangers, don’t want to spend too much time thinking about online security.

We still haven’t learned the basics of good password hygiene, and combinations like 123456, 123456789, and qwerty remain humanity’s favorite passwords. And we might not have much time left to improve, as passwords are about to go extinct.

Moving past passwords

“There's a lot happening in the industry at the moment. [...] There is a common movement and momentum and a wish to move past the password,” Fred Rivain, Chief Technology Officer at Dashlane, a password manager company, told Cybernews.

For the moment, moving past the password means a push towards passkeys. Companies like Microsoft, Google, Amazon, and Bitwarden, among many others, have taken steps to urge passkey adoption.

“Passkeys are stronger and more secure than passwords, cannot be guessed, and are resistant to phishing,” Bitwarden recently said.

Passkeys let a user sign in to their account without typing a username and password, using their fingerprint, face scan, or device screen lock instead.

“We have a technology that's still a bit nascent, and it's still early days, but at least everybody is supporting it. There are more and more websites supporting passkeys. 2024 is going to be kind of the year where you see a shift where most key online services are going to start supporting passkeys,” Rivain said.

In December, Dashlane announced that it was about to become the first credential manager to eliminate master passwords and introduce passwordless login to all customers throughout 2024.

“We want to be also in that passwordless world and provide an experience that is both more convenient but more secure,” Rivain said.

User behavior

“The enterprise market is now very aware. There have been enough breaches and incidents in the past that made them understand that it's critical for security to have proper practices,” Rivain said. “They understood it. It doesn't mean that they're acting yet.”

Unfortunately, that’s not the case when it comes to individual users. It’s not even reasonable for security pundits to expect everyone to have done their homework and to protect their accounts the best way they can.

“It's going to be more of an organic change in practices just pushed by companies like Google, Apple, Microsoft, because they're owning all the ecosystem and they're owning the operating system. They're going to slowly force customers to have different practices,” Rivain added.

When big companies like Google make a push towards passkey support, naturally, smaller players follow suit. It means that individual companies will eventually be forced to adopt better security practices; otherwise, they won’t be able to use the online services provided by other companies.

Quantum beast approaching

But there’s something else bothering security experts more than weak password practices.

The threat of quantum computers breaking current encryption and spilling secrets used to make headlines before the sudden boom of AI. However, even if it’s no longer grabbing public attention, it doesn’t mean it’s not there. If anything, the quantum risk is now bigger than ever.

“The risk of data theft by hackers and rogue states is palpable, as they’re already collecting and preserving encrypted data to decrypt it in the future,” Rivain said.

The National Institute of Standards and Technology (NIST) is set to announce post-quantum cryptography algorithms sometime this year. Companies like Dashlane, which promise to protect a treasure trove of user data, are looking into how to implement quantum-resistant encryption.

The company has already developed a “working post-quantum sharing mechanism” that’s cross-platform compatible, meaning that it functions when credentials are shared between their Android app and a web extension.

Next, Dashlane promises to build a prototype on iOS, its third most popular platform, and to make sure they have “quantum-resistant sharing working across all their platforms.”

While all eyes are on NIST, and companies, including Dashlane, don't want to work on implementing a quantum-resistant algorithm that might not be standardized, everyone should be prepared for the so-called Q day, when quantum computers are finally a reality.

“Everybody is waiting. When it's going to happen, everybody is going to freak out,” Rivain said.