Passwords have significantly impacted today's society since the beginning of the 21st century. Technology is beyond, and we use the Internet to perform many activities such as transactions, saving confidential information and lots more. It's generally clear that a password provides the first line of defence against unauthorised access to your computer and personal information.
The stronger your password, the more protected your devices are from Hackers and Malicious software. Very soon, Inheritance from parent to children will be just of username and password. That sounds funny, but soon Attackers can access the information or assets you set with a password by BruteForcing or Cracking it.
The worldwide trend in digital authentication has been shifting towards passwordless, even though passwords continue to be the most used form of authentication in every application. This is because passwords are the way we secure our online accounts. Still, they are also one of the weakest security mechanisms on the Internet.
The battle between these two methods is seen by many as an uphill battle. Still, from a user experience perspective, passwordless authentication is the better option for specific users. But, passwords aren't always as secure as they should be, as a recent organisation's data leak demonstrates. Passwordless authentication replaces passwords and protects your system from many hacking threats, even brute force attacks.
The beginning of 2FA(Two-Factor Authentication)
Two-factor authentication is a security implementation that uses two forms of identification to verify the recognition of an account owner. For example, suppose you are trying to log into your account but don't seem to remember your username or password. In that case, two-factor authentication prompts you to provide a second piece of information. The second factor can be on anything from phone calls ( Voice, SMS) to an application that is supposed to be on your system.
In starting, a two-factor authentication code can be a four or 6-digit number sent on the user prefered medium. For the hacker to log in to any account, the attacker must enter the correct four-digit code sent to the user's email address or phone number. To get the authentication code, the attacker must compromise the user's email id or phone number. But, there is a risk in a system as well. Suppose you notice that not only login but the password-reset works similarly. To reset a password, a user must provide the email id l.e, username to verify their identities by entering the correct code or OTP sent on the email.
In 2020 a young talented Nigerian cyber security researcher Afolic discovered a weakness in the MTN Web Authentication Process. For MTN web authentication, a user will receive a 4-digit OTP code. The user must provide the correct OTP code to verify their identity. The 4-digit code is sent on the email or the number and is valid for 15 minutes. But, first, 10,000 possible combinations of the digits 0-9 can be together to form a four-digit code.
Usually, an attacker can brute force the endpoint security, which verifies the code. Eventually, attackers can guess the correct code and reset the password successfully with a wide-range brute force attack. What makes these hacks a little more complicated is the duration of the validity of the code. The user must input the code within 15 minutes; otherwise, the code would expire, and the attacker would have to restart the process again.
To make it work out well, Afolic tested the MTN system further and found that MTN does not block an IP address that sends incorrect OTP. Instead, it temporarily blocks the IP.
Passwordless authentication is a new method of account and user management. The idea is that you no longer need a username or password to authenticate your account to the system. Instead, a device with a username and password for any given request to access your data can be much more convenient than entering usernames and passwords whenever you want to view your data.
Roles Of Passwordless Authentication
Many are now adopting online services that support passwordless authentication. It has led to the development apps and software that support such systems. Passwordless authentication is rapidly gaining popularity, with companies like Facebook and Google starting to use it. However, Passwordless Authentication has a critical role in several applications. Examples of such applications include:
Minimising international border crossing
Restricting physical access to facilities like airports or nuclear plants
Controlling Remote access to shared resources and information
Performing Logical financial transactions
Distributing social welfare benefits
Reason Why Passwordless Authentication Outweighs Password Authentication
A better way to authenticate users is to use passwordless authentication (or token-based authentication). You don't need to remember a user's password (we don't recommend storing or using passwords unless necessary). Below are some key reasons why passwordless authentication is better to adopt in your system.
Password Authentication cannot provide vital identity management functions like non-repudiation and detecting multiple enrollments by the same person under different identities. For example, individuals can easily deny (repudiate) using a service by claiming that their password had been stolen or guessed.
They rely on representations of identity such as passwords or ID cards, which can be easily forgotten/lost, guessed/stolen, or shared.
Individuals can conceal their identities by presenting forged or duplicate identification documents.
Mechanisms like passwords and tokens do not provide strong evidence for post-event person recognition, such as suspect identification at a crime scene.
Therefore, it is becoming apparent that knowledge-based, such as passwords alone, is not sufficient for reliable identity management.