Passwords are like the
cockroaches of the internet.
They really, despite all of our best
efforts, are very hard to kill off.
And companies have been trying
to do it for years.
The average office worker in the United
States must keep track of between 20
to 40 different username
and password combinations.
With so many passwords to remember, it's no
wonder why many of us use the
same ones over and over, or have
a running list of passwords saved somewhere
on our computers, phones or notebooks.
Passwords are a very serious
and expensive security risk.
It's why companies like Microsoft, Apple and
Google are trying to reduce our
dependence on them. But the question is,
can these companies break our bad
habits? Passwords, by themselves,
are just not that
secure. In a 2015 interview with
John Oliver, Edward Snowden explained just
how easy it is to
crack a typical password.
Bad passwords are one of the
easiest ways to compromise a system.
For somebody who has a very
common eight character password, it can
literally take less than a second for
a computer to go through the
possibilities and pull
that password out.
I think we're going to have a no
passwords future because it just gets rid
of a lot of problems.
You never know when the bad guy has
your password, at the end of the day.
That's Kevin Mitnick. He's pretty well
known in the hacker community.
I started off many, many years
ago as a black hat hacker.
I wasn't hacking to cause
harm or to make money.
It was all about the intellectual
challenge, curiosity and seduction of
adventure. And then I pushed the envelope, and
I pushed it so far, I became
the world's most wanted hacker.
And I was pursued by
federal law enforcement agencies.
And they eventually caught up with me and
I ended up serving five years in
federal prison. Nowadays, Mitnick says
he's an ethical hacker, assisting
companies to identify their security
vulnerabilities and helping to fix
them. And finding your usernames and
passwords, it's much easier than you
might think. There's a site
out there called weleakinfo.com.
So what weleakinfo is, it's a site
that has aggregated a bunch of data
breaches. And so what happens is
the data, namely your username and
passwords that are on these data
breaches, get aggregated because they're
publicly available.
And there's sites like weleakinfo, that kind
of make it like a Google, where
you can actually just put in an email
address of yourself or a friend, and
all the prior data breaches that
contained your username or your email
address, it actually
reveals the password.
All it takes to find the site is
a quick Google search, and users can get
access to more than 10,000 data
breaches for as low as $2.
And it's not even the only
website to offer these services.
Simply put, passwords are not fit
for purpose for today's networked economy.
They present challenges to consumers in
the sense that they're either hard
to remember or they're too easy to
remember, in which case are easier to
mimic and steal. For businesses, they
represent a huge liability, in the
sense that the vast majority of
data breaches are caused by passwords,
either passwords that slip from an employee
and expose a database or allows
other bad actors to
get into their systems.
So passwords present challenges
across the board.
A report that looked at 2,013 confirmed
data breaches found that 29 percent
of those breaches involved the
use of stolen credentials.
In another study, researchers found that the
average cost of a data breach
in the U.S. was more than $8 million.
And even when passwords are not stolen,
companies can lose a lot of money
resetting them. Our research has shown
that the average fully-loaded cost of
a help desk call to reset a password
is anywhere between $40 or $50 per
call. Generally speaking, a typical employee
contacts a help desk about
somewhere between six and ten times
a year on password-related issues.
So if you just do the simple multiplication
of six to ten times times $50
per call, times the number of
employees in your organization, you're talking
significantly hundreds of thousands of
dollars or even potentially millions
of dollars a year. And that's just
really the IT operations costs, that's
not really factoring necessarily the productivity
cost that gets lost by the
user having to wait for maybe 20
minutes, 30 minutes or even longer to
actually have the password issue
resolved to their satisfaction.
In large companies like Microsoft, Apple
and Google with upwards of 100,000
employees each, these costs
can quickly add up.
A former Microsoft executive told CNN in
2018, that the company spends more
than $2 million dollars each month in
help desk calls, helping people to
change their passwords.
With the details of our
personal and professional lives increasingly
residing in the digital realm, those
costs are likely to grow.
The first use of the computer password dates
back to the early 1960s at MIT.
At the time, computers were these
huge contraptions that could only manage
the work of one person at a time.
This limitation frustrated Fernando Corbató, who
came up with the computer
time sharing system.
CTSS was an operating system which
distributed a computer's processing power
so that multiple people could
use it at once.
This naturally led to
the issue of privacy.
So Corbató created the password.
Ironically, the first computer to use passwords
was also the first one to be
hacked. One of the researchers in Corbató's
lab found that he needed more
time to complete his work than
the weekly hours allotted to him.
So he printed out all the passwords stored
on the system, and used them to
log in as his colleagues.
The conventional rules of password
creation adopted by companies, federal
agencies and universities were attributed to
a document released by the
National Institute of Standards
and Technology in 2004.
The documents suggested that users should
have a minimum of eight character
passwords and that those passwords should
include at least one uppercase
letter, one lowercase letter, one number
and 1one special character, and be
changed regularly.
But in 2017, NIST
rewrote the password rules.
This time, the agency suggested using
long, easy to remember phrases instead
of crazy characters, and only changing your
password if it might have been
hacked. Passwords have come a
long way since the 1960s.
With innovations such as fingerprint
readers and face scanning on
smartphones, verifying your identity now often
goes beyond just entering a
password. This comes in the form
of two-factor and two-step authentication.
There's three forms of authentication.
One is what you know, such
as a password or a pin.
The second thing is what you have.
So possession of a
device in your hands.
And a third means of authentication is
who you are, like a biometric.
The password alone is the
highest risk way of authenticating.
And that that leads to phishing and
data breaches and all the nefarious
things we see on the web today.
Any form of two-factor authentication is
better than passwords alone. What I want
to note, though, is that not all
two-factor authentication is
created equal.
Things like getting SMS messages, so a text
message with a pin code, is both
inconvenient but also can be spoofed and
is not a foolproof means of second
factor authentication. NIST even restricted
the use of one-time passwords
being sent over SMS as
a means of two-factor authentication.
For something to be two-factor
versus two-step, the authentication elements
must come from
two separate categories.
An example of two-factor authentication is
withdrawing money from an ATM.
First, you insert your bank
card, something that you possess.
And then you were asked for
a pin, something that, you know.
Biometrics are the newest form of
authentication and have risen in
popularity thanks to smartphones that
include fingerprint readers and
face-scanning cameras.
Meanwhile, digital assistants like Siri,
Alexa and Google Assistant have
advanced voice
recognition technologies.
In fact, a number of banks, including
Chase and Barclays, now allow their
customers to verify their
identity using voice biometrics.
When customers call in, their voice
is automatically matched to a previously
recorded voiceprint, that's made up of
more than 100 characteristics such as
pitch, accent and shape of your mouth.
One organization that's been at
the forefront of bringing two-factor
authentication standards to the masses
is the FIDO Alliance.
The FIDO Alliance, which stands for,
Fast Identity Online, is a consortium
of more than 250 companies who are
working together to reduce the industry's
reliance on passwords by
standardizing two-factor authentication.
This past year, we've seen FIDO become
a core part of the Android and
Windows operating system, meaning that any Android
7 or later handset or any
Windows 10 machine can leverage actual
onboard biometrics for that device.
So a fingerprint reader, a face scanner,
whatever it might be, to log in
rather than using passwords.
Other companies that work with the
FIDO Alliance include eBay, Facebook,
Twitter, PayPal and Bank of America.
Even the U.S. government
has adopted the standard.
FIDO's big advantage over other standards
comes down to where it stores
users' personal information.
The core problem with passwords is
that they reside on a server.
The problem with that is that when it
sits on a server, they can be stolen
by a hacker. Additionally, someone can
impersonate you quite easily, either
by phishing your credentials or by buying
your credentials off the Dark Web
and then trying to stuff
them into the account.
Everything FIDO does is local on the
device, which does a couple of things.
One, it's easier.
But perhaps most important,
it protects your privacy.
So you can always change
your password if it's hacked.
But you really can't
take your face back.
You can't take your fingerprint back.
So it's very important that companies
that are using biometrics use
local-match biometrics, meaning match-on-device, which
is what FIDO supports
to protect user privacy and
have enhanced user experience.
Microsoft has been hinting about getting
rid of the password for years.
Let me move over to my Surface Pro 4.
I don't know if
you noticed what happened.
It recognized that I was just standing
in front of the computer and it
logged me in. And this is
the power of Windows Hello.
Where it does the face recognition
and logs you right in.
I mean, think about one of the
biggest issues of security is passwords.
So one of the things that we are
working on is a world where passwords are
not going to be the ones
that, you know, get hacked.
But you really have other biometrics
that really help us secure our
computing interfaces.
Microsoft sees 6.5
trillion hacking incidents per year.
That's why 90 percent of its employees
can now log into the corporate
network without a password.
We are on a mission
to be password less.
We've built password less
technology into the OS.
And we tell customers, of course, that
it's much more secure than actual
passwords because about 70 percent of
phishing attacks today still are
caused by stolen passwords.
So what we've recommended is
that customers use biometrics.
At Microsoft, we use
Windows Hello for business.
I look at my computer to
log on in the morning.
That's how I authenticate. If I'm on
my phone, I'm using my thumbprint.
We don't see our passwords anymore because
that is, the user and the
password or the weakest link
in your security system.
Microsoft introduced Windows Hello to customers
in 2015 with its devices
running Windows 10. Windows Hello allowed
users to ditch the password and
log into their devices with just
their face, fingerprint or pin.
Like FIDO, Microsoft has said it
stores user biometrics on the device
instead of on a cloud.
In 2018, Microsoft announced that it
would support logging into Windows 10
with FIDO2 compatible devices, such as
hardware keys made by Yubiko.
We've been on a mission
to eliminate passwords altogether.
And, you know, we're focusing on
passwordless log in experience that's both
secure and the user friendly.
And we've seen a lot of success
with our authenticator app for consumer.
And so we'll bring that to Azure AD.
Microsoft Authenticator is an app that
allows users to take advantage of
two-factor authentication on any device, not
just those running Windows 10.
Alex Simmons, Vice President of Microsoft's
identity division, said in a
tweet that the company has more than
80 million unique monthly users that
sign in with a passwordless method.
Apple's been encouraging the use of
biometric authentication since it came
out with Touch ID on the
iPhone 5S back in 2013.
The company called Touch ID the
gold standard for consumer device biometric
protection until it introduced Face ID
on the iPhone X in 2017.
And the data for Touch ID has been
1 in 50,000, meaning that the chance that
a random person could use their fingerprint
to unlock your iPhone has been
about 1 in 50,000 and it's been great.
So what are the similar
statistics for Face ID?1
1 in a 1,000,000. Back in 2016,
Apple also introduced Auto Unlock, a feature
for MacOS. Today, when you first approach
your Mac to use it, the experience
is something like this. You open it
up, you're confronted with a password
field, and you type and then maybe
mistype, and then retype your password,
and then you're in and using your Mac.
But you know, for many of us,
we already have a device securely
authenticated to our wrists that already knows
who we are and could tell our
Mac. And so then, when we open our Mac,
it could be a little bit more like
this. In its guidelines to app
developers, Apple stresses that apps should
support biometric authentication whenever possible
and that apps should only
ask for a username and password as
a fallback, if the first method fails.
Google has also been working to make
passwords a thing of the past.
The company has required its employees
to use physical security keys since
early 2017, and has seen
a huge reduction in phishing.
In August of 2018, the
company released Titan to consumers.
Titan is a physical key that allows
users to take advantage of two-factor
authentication on their
computers or smartphones.
In 2019, Google announced that phones running
Android 7 would all come with
a built-in security
key using Bluetooth.
A few months later, Google extended
that function to iOS devices, meaning
that iPhone and iPad users could
now use their secondary Android smartphones
as a security key whenever logging into
their Google accounts on an iOS
device. While Microsoft's Windows 10
devices and Google's new Android
devices are FIDO2 certified, Apple has been
slower to adopt the standard in
its products. Even though Touch ID
and Face ID made biometric authentication
the norm for unlocking our phones,
Apple's devices are still not FIDO
certified. But Apple
is making strides.
Of late, Apple's been supporting FIDO technology
both on iOS and on MacOS.
So the latest versions of their
operating system support FIDO, meaning that
if you're accessing a website that supports
FIDO on an Apple device, you'll
be able to leverage
FIDO authentication as well.
The Department of Justice has also
been moving away from password
authentication. The agency adopted a
single-sign-on method back in 2017.
One of the reasons why passwords persist
is that they are universal, they
can be used by anyone.
There are no limitations.
There's no special
hardware requirements.
You don't have to have a certain kind
of phone or certain kind of laptop.
Anyone can use passwords. There are a
few key challenges to really moving
beyond being dependent on passwords.
One of them is technical, and that's
FIDO has been seeking to address.
And we've now created the technical
standards that are web standards for
authentication that does not
depend on passwords.
Another challenge is behavioral.
And we've been trained with this
risky way of authenticating using
passwords. We'll have to be untrained to
use simpler, but new mechanisms for
logging in. So I think there'll be
some behavioral changes that need to take
place, some education.
You know, the good news is these are
changes are for the better and for the
simpler. And so, we think that people
will embrace these changes at the same
time as new technologies roll to market
to enable us collectively, on the
whole, to move beyond passwords.
Experts say that getting rid of the
password will be a long journey,
especially when it comes to getting
people to ditch their bad habits.
The consumer approaches will
be very much opt-in.
In other words, if users actually
want strong authentication, companies will
be able to provide it to them,
but just because it's available, doesn't mean
that every customer is going
to go for it.
You may now need to start collecting
information about the user like a
mobile phone number that you need
to use to communicate with them.
And perhaps users don't want to
provide that information or they're
reluctant to. On the consumer side, I
believe passwords will be slower to
get rid of. Which also means that
the risk of breaches of consumer sites
will persist for
the foreseeable future.
