Security Awareness Training

The problem with passwords

Passwords keep our accounts safe, but they aren’t perfect.

Here’s why:
1. Strong passwords are hard to remember.
2. Simple passwords can easily be hacked.
3. Passwords should never be reused, so you need lots of them.
4. Simply write them down? What if you lose your notes?

Password Managers

What is it?
Software that helps users create, save and use passwords.

Some examples
Some password managers are built into browsers and devices, for example Google Password Manager for Chrome and Apple’s iCloud Keychain. Others, like Bitwarden and 1Password, are available as stand-alone software.

One password to rule them all
A defining feature is that you only need to remember one master password – which is for the password manager itself. All other passwords are saved within and easily accessible.

Single Sign-On (SSO)

SSO is similar to password managers – one single master password enables access to a large number of services.

With SSO, you first log in to a service like Google or Microsoft. Once in, you can seamlessly access other third-party services with the same credentials (i.e. username and password).

In other words, you only use one username and password for all of your various accounts.

Multi-Factor Authentication

MFA adds extra layers of security by requiring multiple forms of verification before granting access. The idea behind MFA is that even if one factor is compromised (e.g., a password is stolen), the attacker still needs to provide the other required factors to gain access. Most services combine a classic password with one other verification factor. Here are some examples.

SMS and email
How wrong we were to think that SMS was dead. It’s back, in the form of a very popular verification factor. Emails with PIN codes are also common.

Authenticator app
In this case, an app is used to verify your identity. The app generates a unique code, which you enter to verify. This is considered safer than SMS or email.

Face or fingerprint
This verification involves a prompt from your PC or smartphone.

How to enable passkeys

What are Passkeys?

A new way of logging in to online accounts without entering a username or password. Instead, users sign in to apps and websites using their devices to verify them (fingerprint, facial recognition, PIN etc).

How to set up and use Passkeys
1. Log in to an account that supports passkeys.
2. Navigate to the security settings and choose “Add a passkey” or similar.
3. Select which device you want to save the passkey on.
4. That device (for example your computer or phone) will ask you to verify the request, typically using facial recognition or PIN.

That’s it! You can add multiple passkeys, for example on your computer, your phone and a security key. Here’s a link to further reading.

Security Keys

What are they?
Security keys are small physical devices used to verify your identity. They can replace other multi-factor verifications like SMS or authenticator apps.

How it works
1. A user signs in to an account.
2. The service asks for one more verification.
3. The user inserts the security key into the computer or phone to verify. Some security keys also support NFC, enabling a simple tap against the phone – just like paying with contactless.

Pros and cons with security keys
They are considered the most secure option. Apple recommends this option for celebrities, journalists, politicians etc. The disadvantage is that the security key can get lost or stolen. That leaves you vulnerable. Check out yubico.com if you’re interested in buying one.
