Cyber Security: The Two Keys to Greater Security
Author: Markus Strehlitz
Password authentication involves risks and has become almost unmanageable for many users. But there are alternatives. Passkeys in particular offer more protection on the internet and are also user-friendly.
In our day-to-day life, we are confronted with a flood of passwords. It is not just when banking online or accessing the IT system at work that you have to authenticate yourself: almost every online service and website you visit requires a login. In the vast majority of cases, this is done in the traditional way, with a username and password. But as the number of passwords increases, so does the potential risk, because this authentication concept has major weaknesses.
Often, people do not even follow the most important basic rules when dealing with passwords. Andy Schweiger, Senior Vice President for Global Cyber Security Services at DEKRA, explains what these rules are. “To be considered reasonably secure, passwords must be at least 16 characters long. And you should be using a different password for each account.” That makes one thing clear: “A password manager is essential for anyone juggling more than three accounts.”
Averting attacks from cyber criminals
But even if you follow these rules, password protection still has many weaknesses. In phishing, for example, cyber criminals try to obtain their victims’ access data by sending fake emails designed to trick recipients into revealing their username and password.
Nor is sensitive information safe on the web services themselves. Their databases can become the target of online attacks, and large amounts of access data can then fall into the hands of hackers. So-called brute force attacks pose a further threat: hackers try all possible combinations until the correct password is found.
Two-factor authentication is secure, but complex
There are alternatives that can offer more security, however. These include two-factor authentication, as we know it from online banking. In addition to the password, another factor is required for authentication. This could be a one-time password generated by an app or a code sent via text message. Access to the password alone is then no longer sufficient for criminals to gain access to the account. The disadvantage is that many smaller online services in particular do not yet offer such methods. On top of that, the registration process is somewhat more complex and time-consuming.
Multi-factor authentication involves a little more effort, but is also more secure. Here, additional factors are added when logging in. These could be biometric features, such as a fingerprint scan or facial recognition.
Biometric authentication on its own is also an alternative to password protection. After all, it is impossible to forget your physical characteristics and you always have them with you. But logging in with a fingerprint also involves risks, says Schweiger. “Theoretically, someone could copy a fingerprint that a user has left on their smartphone or another object and then use the replica to gain access to an account.”
No chance for phishing
This risk does not exist with passkey authentication, another alternative to the password concept. Here’s how it works: When registering with a service that supports passkeys, a key pair is created on the user’s device. The private key remains securely on this device – for example, a smartphone or computer. The public key is sent to the web service’s server. When the user wants to log in, the server sends an authentication request to the end device. The user approves the request using biometrics or the device PIN. The device then signs the request with the private key, the server checks that signature against the stored public key, and access is granted.
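The registration and login exchange described above, as an added illustration that is not part of the original article and not DEKRA code: the device generates an Ed25519 key pair and keeps the private key, the server stores only the public key, and a login consists of the server issuing a fresh random challenge that the device signs after the local biometric or PIN check. The service identifier (`rpID`), the user names and the `userVerified` callback are assumptions of this example; the binding of the signature to the service identifier is simplified from what passkey standards actually do, but it shows why a signature obtained through a look-alike site does not verify at the genuine one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device is the user's phone or computer. The private key is generated
// here and never leaves the device; only the public key is shared.
// userVerified stands in for the biometric or PIN check (assumed hook).
type Device struct {
	priv         ed25519.PrivateKey
	pub          ed25519.PublicKey
	userVerified func() bool
}

// Server is the web service. It stores nothing but public keys, so a
// database breach yields no reusable credentials, plus the challenge
// currently outstanding for each user.
type Server struct {
	rpID    string // the service's own identifier, e.g. its domain (assumed)
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewDevice(userVerified func() bool) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, pub: pub, userVerified: userVerified}, nil
}

// PublicKey is the only key material the device ever hands out.
func (d *Device) PublicKey() ed25519.PublicKey { return d.pub }

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register is the enrolment step: the server stores the device's public key.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// BeginLogin issues a fresh random challenge, the "authentication request"
// the server sends to the end device.
func (s *Server) BeginLogin(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return nil, err
	}
	s.pending[user] = challenge
	return challenge, nil
}

// signedMessage binds the challenge to the service identifier. The device
// uses the identifier of the site it is actually talking to, so a signature
// made for a look-alike domain does not verify at the genuine service.
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Approve runs local user verification and, if it passes, signs the
// challenge. The private key itself is never transmitted.
func (d *Device) Approve(rpID string, challenge []byte) ([]byte, error) {
	if !d.userVerified() {
		return nil, errors.New("user verification failed")
	}
	return ed25519.Sign(d.priv, signedMessage(rpID, challenge)), nil
}

// FinishLogin checks the signature with the stored public key. Each
// challenge is accepted once, so a captured signature cannot be replayed.
func (s *Server) FinishLogin(user string, sig []byte) bool {
	challenge, ok := s.pending[user]
	if !ok {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(s.pubKeys[user], signedMessage(s.rpID, challenge), sig)
}

func main() {
	server := NewServer("bank.example") // constructed service identifier
	device, err := NewDevice(func() bool { return true })
	if err != nil {
		panic(err)
	}
	server.Register("alice", device.PublicKey())

	challenge, _ := server.BeginLogin("alice")
	sig, _ := device.Approve("bank.example", challenge)
	fmt.Println("genuine login:", server.FinishLogin("alice", sig))

	challenge, _ = server.BeginLogin("alice")
	sig, _ = device.Approve("bank-login.example", challenge) // signed for a look-alike domain
	fmt.Println("relayed via look-alike domain:", server.FinishLogin("alice", sig))
}
```

Two properties carry the security argument: the server's database holds only public keys, so stealing it gives an attacker nothing to log in with, and the device only ever returns a signature over a one-time challenge bound to the service it is actually talking to, so there is no secret for a fake email or fake site to collect.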
This method offers a whole range of advantages. There are no passwords, so none can be stolen: a phishing site or a breached database cannot yield the private key, which never leaves the device, so phishing activities and attacks on stored access data pose no risk. The same applies to brute force attacks. In addition, passkeys are user-friendly because the user does not have to remember complicated passwords or deal with their administration. However, password managers can still be useful, for example by synchronizing passkeys across different devices.
New technologies take time
Major IT providers such as Apple, Google, and Microsoft already support passkeys. But beyond that, this method is not yet very widespread. Schweiger believes it always takes a certain amount of time for new technologies to become established. And both end users and companies are used to traditional password authentication.
The extent to which even more radical approaches, such as microchip implants or identification based on individual behavior patterns, could change authentication in the future is not yet foreseeable, says Schweiger. He believes that the use of passkeys is currently the most practical method.
The security expert recommends that companies look into this and other password alternatives. Companies can also receive support from DEKRA. The expert organization offers audits and risk assessments as well as employee training to educate about the risks of passwords and highlight the benefits of new technologies.