Passwords May Soon Be Passe: Passkeys Leveraging Face Or Finger Are Here

Passwords were always a pain — even in an earlier era when we could get away with 12345* or our date of birth or wedding anniversary or year of graduation written backward.

Now everyone wants you to create a password — not just for your email accounts but for every bank account, your provident fund account or mutual fund; access to ‘free’ news sites, every online buying portal, your frequent flyer account, your access to IRCTC to buy a ticket, your home broadband and WiFi access… we end up having to remember some 25 passwords on average.

And the conditions have become more complex: “At least 8 characters, at least one upper case, one lowercase, one special character…” 

To bring some relief, password managers are available, which offer to remember all your passwords and invoke them when required. But you need a master password to open the password manager — and what if someone hacks that and gets all your passwords at one go?

CheckPoint, the cyber security company, in a recent advisory tells us our passwords must be long, the more varied the better, easy to remember and complex to guess, unique and unrepeatable — and private. And yes, change it frequently. 

A tall order. But there are dire warnings: “Every day, cybercriminals create new attacks aimed at stealing user passwords. Techniques such as phishing have managed to breach thousands of services by stealing credentials…” 

Artificial Intelligence has armed cyber criminals even as it empowers legal users and hacking passwords is easier than ever.

To make it a little more difficult for ‘Net Baddies’, they have added two-factor authentication these days:  You type in your password, then they send another one-time password or OTP, a string of numbers which could be up to 8 digits long to your registered email or mobile phone number which you much enter.  

After all this, there is the Captcha test where you need to decipher weirdly designed numbers or letters, do elementary math or count all the coconut trees or traffic lights or whatever in a panel of thumbnail photos. 

It takes me on a good day, two minutes to open my savings bank account page or credit card statement. Making a payment takes me into another chakravuyha of passwords and OTPs. 

Many lay users of online services are rebelling at all this: life is too short to spend on such unproductive activities. Safety yes, but at what cost?

Passkeys, An Industry Initiative

Someone somewhere has heard our unspoken curses, which is why last year, the Fast Identity Online (FIDO) Alliance of security specialist players, along with Apple, Microsoft and Google began working on a simpler, safer alternative to passwords.

Some FIDO techniques are already being offered to us by mobile phone makers: you can secure your handset with your thumb impression or a scan of your face, or by tracing a pattern on a grid of dots.

Now, a year after the industry came together, the first tangible result was announced by Google on World Password Day earlier this month.

It’s called Passkeys and it is touted as 'the beginning of the end of the password'.

Google explains in a blog:

Today, Passkeys are available for all Google accounts and can be tried out at  g.co/passkeys.

Of course, being able to access your Gmail and other Google tools with Passkeys will help — but there are dozens of other scenarios where passwords will continue to pop up as pain points.

Karmendra Kohli, CEO of SecurEyes, an Indian cybersecurity company suggests that passwords will continue to be “the first line of defence against hackers, attacking our data and information.”

 In an article to mark World Password Day 2023, he provides some sensible hints about password storage, alternatives like smart cards, upcoming technologies like behavioural biometrics — analysing a person’s patterns of behaviour, like how he or she uses a keyboard or mouse — or multi factor authentication — combining two or more authentication methods, to make them harder to breach.

He suggests: “Blockchain (the distributed database shared among a computer network's nodes) is set to change the way we manage passwords. Its Distributed Ledger Technology (DLT) along with digital identity verification could be the answer to online privacy and password breach concerns”.

All this in the future.   

Manikandan Thangarajan, Vice President of Manage Engine, the Zoho group enterprise says: "Despite passwordless authentication being a recent trend, passwords will definitely continue to serve as the simplest and most effective means to secure identities in 2023."

For now, Karmendra Kohli shares the earthy advice of American entrepreneur and TV host Chris Pirillo: “Passwords are like underwear: you don't let people see it, you should change it very often, and you shouldn't share it with strangers.”