Go Passwordless: Password-based security is an oxymoron. Passwords are just inadequate at keeping out threat actors, with over 15 billion exposed credentials available on the dark web and credential theft accounting for 54% of security breaches.
Because passwords are widely exploitable, a number of companies, including Google, Microsoft, Okta, and LastPass, have joined the FIDO alliance to advance toward passwordless authentication systems.
In line with this plan, Google announced today the addition of passkeys to Chrome and Android, allowing users to generate and use passkeys to log into Android devices. Passkeys are stored on phones and computers and can be used to log in without a password.
Passkeys added to the Chrome and Android ecosystems will make it much more difficult for fraudsters to gain access to enterprise systems.
Need for passwordless
With social engineering and phishing attacks dominating the security environment, passwordless authentication solutions are gaining popularity. Passwordless authentication will expand from $12.79 billion in 2021 to $53.64 billion by 2030, according to academics.
As demand for passwordless authentication grows, many providers are experimenting with lowering reliance on passwords. Passkeys, which let users log in to apps and websites using Face ID or Touch ID without entering a password, are now available on iOS 16 and macOS Ventura devices, for example.
At the same time, Microsoft is testing its own passwordless authentication systems. Microsoft Authenticator and Windows Hello for Business (biometric and PIN) are two examples (biometric touch, face, or PIN). Both offer passwordless user authentication options that integrate with well-known systems like Azure Active Directory.
Suppliers will be under growing pressure to provide more and more accessible passwordless authentication alternatives as use rises, or risk falling behind.
The move comes after Apple, Google, and Microsoft vowed in March to increase support for the FIDO Alliance and World Wide Web Consortium’s passwordless sign-in standard.
This shift toward passwordless authentication acknowledges password-based security’s inherent ineffectiveness. When consumers must manage passwords for hundreds of online accounts, credential reuse is unavoidable.
After evaluating 1.7 billion username and password combinations, SpyCloud determined that 64% of people used the same password disclosed in one breach for other accounts. Password removal reduces the likelihood of credential theft and the effectiveness of social engineering approaches.
Passkeys are a significantly safer replacement for passwords and other phishable authentication factors, according to Diego Zavala, product manager at Android; Christian Brand, product manager at Google; Ali Naddaf, software engineer at Identity Ecosystems; and Ken Buchanan, software engineer at Chrome, in the announcement blog post.
“[Passkeys] reduce the risks associated with password reuse and account database breaches, while also protecting users from phishing attacks.” According to the post, “passkeys are based on industry standards, work across several operating systems and browser ecosystems, and may be used for both websites and apps.”
It’s important to note that users can back up and sync passkeys to the cloud to avoid getting locked out if their device is stolen. Google also stated that passkey functionality will be available on the web via Chrome and the WebAuthn API.