In the media

It's time to take a modern approach to password management

By Raul Zeppenfeldt Molina

InfoSecurity

08 January 2024

Our world has rapidly moved towards digitalization, enabling individuals to carry out more than 90% of their daily tasks via mobile apps or web pages. From paying bills, booking flights, attending health consultations to possessing a full map of one's DNA lineage; digital platforms have made life easier than ever before.

However, the average person owns around 35 accounts linked to a traditional string-based password, which serves as the primary, and in some cases, only way to safeguard their personal information.

Transitioning to a Passwordless Future

In December 2023, the biotech company 23andMe experienced a security breach that affected almost 7 million users. Hackers exploited string-based passwords that had been leaked publicly. This situation highlights another worrying fact: A Google report indicates that over 56% of individuals reuse the same passwords for different digital platforms.

While users are encouraged to create strong and unique passwords for each account, remembering them all can be a daunting task. Additionally, the continuous enforcement of multi-factor authentication (MFA) leads to user fatigue and muscle memory, reducing the efficacy of this control.

These practices will soon become outdated as the industry moves towards a decentralized model where users can transact using portable verifiable digital credentials (VCs) such as your personal details, secured by passwordless authentication and authorization.

For example, Governments are considering the possibility of unifying their citizens' digital credentials. This would allow users to access public services, like financial support or tax information, by utilizing their unique government-issued verified credentials.

On the other hand, educational institutions are exploring the use of VCs to provide access to digital learning content and to verify up-to-date student qualifications and skills, hence streamlining onboarding process.

This modern approach will eliminate the need for filling out tedious registration forms and memorizing fixed passwords, making transactions more accessible and secure, reducing end-user friction and time to consume a digital service. Moreover, people will have complete control over the personal details recorded by the digital entity they are transacting with.

This will allow the digital consumers to conserve control of their credentials in a digital wallet on various personal devices, such as smartphones, wearables and even physical keys. A biometric gesture, such as fingerprint, voice or face recognition will secure this wallet, and VCs will always stay with users. Only the users will be able to release their VCs or retrieve any personal detail (right to be forgotten), and authentication will be wholly decentralized without involving passwords.

Decentralized Identity and Verifiable Credentials Across Sectors

The use cases are vast, involving almost every sector such as HR employee management, educational institutions, health care providers, government and fintech. They are all progressing towards decentralized architecture to use user-centric VCs as identification, authentication, and authorization mechanism.

Standards for decentralized identity are being advocated by recognized bodies such as W3C. While regulations and other aspects such as authorization, role, and attribute-based access are still further developing, businesses and institutions now have the opportunity to create interoperable designs that can seamlessly integrate with this new model.

In this architecture, the most trusted identity providers are likely to play a dominant role as decentralized issuers (DID), which will be crucial for the adoption of VCs. Users are more likely to trust these established brands to certify their digital credentials. However, new vendors, brands, and institutions may emerge to compete in this space and position themselves as market leaders.

Furthermore, a witness ledger, which offers traceability and trust of VC transactions, will likely be supported by a technology similar to blockchain network but more eco-friendly. This will enable digital merchants to verify the credibility of a credential, and ultimately their potential customers. This component will also serve as a trusted source for privacy disputes and enforcing regulations.

Enhancing Security and Efficiency

By adopting this approach, organizations can take proactive steps to ensure the safety and security of their customers' and users' data. This will eliminate any potential risks of email phishing or brute force attacks, while also removing the risk of a password breach.

Additionally, organizations can streamline their operations and reduce operational costs associated with managing outdated password information and account recovery. This approach also helps organizations to safeguard personal and private data, reducing the liability and exposure to potential security breaches.

It is well and truly time to embrace a more modern and dynamic approach to password security and leave behind “Qwerty123!” or the birth year of your child. A portable account and passwordless vision is the more secure option for businesses to grasp, and fast, before we see more sophisticated password breach incidents taking place in 2024.

This article was first published in InfoSecurity 

Explore more

Contact the team

We look forward to hearing from you.

Get actionable insight straight to your inbox via our monthly newsletter.