TK Matima


What got us here, won’t get us there - Passwords

There is no doubt passwords suck. Almost every week there are articles of “millions and billions of passwords being sold by hackers”.

R20 = ~ $1.13

Continued use and mismanagement of passwords enable and finance cyber criminal marketplaces.

What makes passwords suck even more is the outdated advice most security professionals still give (in 2020!):

  • “make your password complex (1 uppercase, 1 lowercase, 1 special character, etc.)”

  • change your passwords every 60 - 90 days to stay secure

Security professionals still give this advice despite the recommended password best practice from NIST (National Institute of Standards and Technology). Yes, NIST recommends that passwords NOT be changed periodically unless there is evidence of compromise; they also advise dropping password-complexity (composition) rules altogether.
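To make the contrast concrete, here is an added example (not from the post, and not NIST's own code) that puts the legacy "complexity" rule next to a NIST-style check: a length floor, no composition rules, and a lookup against a list of known-breached passwords. The breached list and the sample passwords are constructed for the example; a real deployment would check against a large breach corpus rather than a four-entry set.

```python
import re
from typing import Optional, Set, Tuple

# Constructed sample of a breached-password list. In practice this is a large
# set or an offline copy of a breach corpus; these entries are made up.
BREACHED: Set[str] = {"P@ssw0rd1", "Summer2020!", "Welcome1!", "password"}


def legacy_policy(password: str) -> bool:
    """The 'complexity' rule the post criticises: 8+ chars with one of each class.

    Note that a known-breached value like "P@ssw0rd1" satisfies every clause.
    """
    return (
        len(password) >= 8
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def nist_style_policy(
    password: str,
    username: Optional[str] = None,
    breached: Set[str] = BREACHED,
) -> Tuple[bool, str]:
    """NIST-style check: minimum 8 characters, at least 64 allowed, no
    composition rules, reject breached values and passwords that contain
    the username. Returns (accepted, reason)."""
    if len(password) < 8:
        return False, "shorter than 8 characters"
    if len(password) > 64:
        return False, "longer than the 64 characters this verifier accepts"
    if password in breached:
        return False, "appears in breach corpus"
    if username and username.lower() in password.lower():
        return False, "contains the username"
    # No uppercase/digit/symbol requirement: a long passphrase is fine.
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "correct horse battery staple"):
        print(candidate, "legacy:", legacy_policy(candidate),
              "nist:", nist_style_policy(candidate))
```

Run it and the two policies disagree on both samples: the breached "P@ssw0rd1" passes the legacy rule and fails the NIST-style one, while a long passphrase does the opposite. Rotation is deliberately absent from the NIST-style function; the trigger for a forced change is evidence of compromise, not the calendar.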

Passwords clearly need to go. Hopefully more and more organisations already have, or are at least beginning to draft, a road map for doing away with outdated password security practices and enabling MFA, or, even better, a road map for phasing out passwords where possible.

So, what are some of the exciting passwordless innovations taking place?

Microsoft

Microsoft have awesome documentation and demos of going passwordless, focusing primarily on:

  • Windows Hello for Business

  • Microsoft Authenticator App

  • FIDO2 Security Keys

Their passwordless authentication options for Azure Active Directory documentation is awesome and worth checking out.

Auth0

Auth0 is also doing wonders in this push, offering the following passwordless factors:

  • Email

  • Magic Link

  • SMS

Auth0’s documentation has awesome explanations and walk throughs.

Magic

Magic is another player in the passwordless arena, albeit predominantly focused on the Blockchain industry. They do away with passwords and stick with email magic links (akin to Auth0).

This reduces the friction even upon sign-ups.

How sign-ups are currently done:

How magic does sign-ups:

I found Magic's documentation to also be awesome and worth reading.
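Both Auth0's Magic Link factor and Magic's email links rest on the same mechanism, so here is one added example of it (illustration only, not Auth0's or Magic's code): the server mints a random single-use token, stores only a hash of it, emails the link, and accepts the token exactly once before it expires. The 15-minute lifetime, the example.test domain and the in-memory store are assumptions for the example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumed link lifetime for the example

# Constructed in-memory store: sha256(token) -> record. A real service would
# use a database or cache with the same fields.
_pending: Dict[str, dict] = {}


def _hash(token: str) -> str:
    # Store only a hash so a leaked table cannot be replayed as live links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_magic_link(email: str, now: Optional[float] = None) -> str:
    """Mint a single-use token for `email` and return the link to send by email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending[_hash(token)] = {
        "email": email,
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return f"https://example.test/login?token={token}"  # hypothetical domain


def token_from_link(link: str) -> str:
    """Pull the token back out of a link (what the login endpoint receives)."""
    return parse_qs(urlparse(link).query)["token"][0]


def redeem_magic_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email for a valid, unexpired, unused token; otherwise None.

    The record is removed on every outcome except 'unknown token', so a link
    can never be used twice and expired links do not accumulate.
    """
    now = time.time() if now is None else now
    record = _pending.pop(_hash(token), None)  # single use: pop, not get
    if record is None:
        return None
    if now > record["expires_at"]:
        return None
    return record["email"]


if __name__ == "__main__":
    link = issue_magic_link("alice@example.test")
    print("send:", link)
    print("first redeem:", redeem_magic_link(token_from_link(link)))
    print("second redeem:", redeem_magic_link(token_from_link(link)))
```

The two properties worth keeping in any real implementation are visible here: the token is looked up by hash and popped atomically, so a replayed or leaked link fails, and expiry is checked server-side against the stored timestamp rather than anything the client sends.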

I’m certain there are many more companies working on this, but I only listed those I use often.

We live in interesting and exciting times, and I often wish I was a developer when I think of all the great things that can, and have, been done in recent years.

Less Friction. More Security. No passwords.

That’s the future I look forward to.