As you will recall, in mid-March credit bureau TransUnion suffered a serious hack that compromised the personal and financial details of millions of South Africans.
The architects of the breach (N4ughtySec) boasted that they had gained access to the records of 54-million people, though TransUnion pushed back on that characterisation, saying this number was “from prior data breaches dating back to 2017”.
The other big claim from the hackers at the time was that their way in to this data set was a poorly considered client password. If we are to believe them, the password in question was “password”.
Now, I appreciate this group is the definition of an unreliable source, being self-confessed criminals after all and not overly concerned with niceties, but it is still tempting to take this claim at face value as there are countless examples to illustrate that the weakest point in any security system is, typically, us. You and me — and our terrible, lazy, recycled passwords and willingness to be socially engineered into giving it all away.
It is tempting to be condescending about this, especially with infamous instances such as Kanye West revealing on live TV in 2018 that his iPhone passcode was 000000, but I’d caution against that knee-jerk scepticism. Between tens of online accounts and more connected things in our homes, it is getting harder to be diligent about taking the necessary but tedious steps like changing default passwords and keeping passwords original.
Of course, you simply should do these things. It is undoubtedly important, and tiresomeness doesn’t absolve anyone of personal responsibility here. I am just saying that if you’ve suffered a password breach you’re in good company: Google, the UN, the University of Cambridge, White House staffers and the freaking Pentagon have all experienced embarrassing password-related fails. About 80% of all cybersecurity breaches are attributable to password failures.
It’s actually fascinating (like rubbernecking at a crash site) how many processes and platforms seem to be one oversight away from a devastating breach. Seriously, google “worst password fails” to see what I mean. Plus, all the above examples come from recent years, long into the days of tools such as password generators and managers.
That’s why a better, more secure alternative is such a dream. And hopefully it is a dream we all took one step closer to achieving last week on World Password Day (May 5), with the Fido Alliance announcement that tech giants Apple, Microsoft and Google have signed on to extend support for the multi-device passwordless sign-in standards developed and championed by the Fido Alliance and the World Wide Web Consortium.
Coincidentally, both World Password Day and the Fido Alliance were established in 2013, the former by Intel. The latter calls itself an “open industry association with a focused mission” to establish authentication standards that will “help reduce the world’s overreliance on passwords”.
To get us there, Fido has work groups collaborating on developing technical specifications, getting those recognised by standards development organisations, and running industry certification programmes to see said standards adopted. Its members include Amazon, Meta, MasterCard, PayPal and many more.
The “expanded support” in last week’s announcements from the big tech partners is painfully vague in that legalese way corporates are so good at. But Apple’s press release on the matter did offer more specifics.
Before this agreement, implementations required users to sign in to each website or app on each device before they could use passwordless functionality there. Now two new capabilities will be implemented to, first, let users access their Fido credentials (like a passkey) on multiple devices, “even new ones, without having to re-enrol every account”. Second, users with Fido authentication on their mobile devices will be able to sign in to an app or site on nearby devices “regardless of the OS platform or browser they are running”.
This is all built on the back of multi-device Fido credentials that would feel to a user, Fido has written, not unlike using a password manager, but are more secure by virtue of using a “modern, phishing-resistant authentication” method, the Fido keypair rather than a password.
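The keypair mechanism the column describes, as an added illustration that is not the Fido Alliance’s or any vendor’s code: a toy WebAuthn-style exchange in Python in which the browser, not the page, records the origin the user is really on, so the relying party rejects an assertion relayed through a look-alike site and cannot be fooled by editing the origin afterwards. The site names (bank.example, bank-login.example) are constructed, and the RSA keypair is a small textbook one with no padding, standing in for the real FIDO algorithms.

```python
import hashlib, json, secrets
# Toy textbook RSA on two Mersenne primes: shows the keypair mechanics, not a secure key size or padding.
P, Q, E = (1 << 127) - 1, (1 << 89) - 1, 65537

def toy_keygen():
    n = P * Q
    return (n, E), (n, pow(E, -1, (P - 1) * (Q - 1)))  # (public, private)
def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data):
    return pow(_digest(data, priv[0]), priv[1], priv[0])
def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _digest(data, pub[0])

RP_ID, RP_ORIGIN = "bank.example", "https://bank.example"  # constructed names

class Authenticator:  # holds one passkey per relying party, keyed by rpId
    def __init__(self):
        self.creds = {}
    def register(self, rp_id):
        pub, priv = toy_keygen()
        self.creds[rp_id] = priv
        return pub  # only the public key ever leaves the device
    def get_assertion(self, rp_id, client_data_json):
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05"  # rpIdHash || flags
        sig = sign(self.creds[rp_id], auth_data + hashlib.sha256(client_data_json).digest())
        return auth_data, sig

def browser_client_data(origin, challenge):
    # The browser, not the web page, records the origin the user is really on.
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}, sort_keys=True).encode()

def rp_verify(pub, challenge, auth_data, client_data_json, sig):
    cd = json.loads(client_data_json)
    if (cd["challenge"] != challenge or cd["origin"] != RP_ORIGIN
            or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest()):
        return False  # replayed challenge, wrong site, or wrong relying party
    return verify(pub, auth_data + hashlib.sha256(client_data_json).digest(), sig)

def run_demo():
    auth, challenge = Authenticator(), secrets.token_hex(16)  # fresh server nonce
    pub = auth.register(RP_ID)
    cd = browser_client_data(RP_ORIGIN, challenge)            # 1. genuine login
    ad, sig = auth.get_assertion(RP_ID, cd)
    legit = rp_verify(pub, challenge, ad, cd, sig)
    cd_phish = browser_client_data("https://bank-login.example", challenge)  # 2. relayed
    ad, sig = auth.get_assertion(RP_ID, cd_phish)
    relayed = rp_verify(pub, challenge, ad, cd_phish, sig)
    tampered = rp_verify(pub, challenge, ad, cd, sig)         # 3. origin swapped back
    return legit, relayed, tampered  # (True, False, False)
```

A real browser would also derive the rpId from the phishing origin and find no matching passkey at step 2; the simulation lets the signature happen to show that the origin check alone is enough to reject it.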
To us non-techies, much of the writing about the standards themselves can be confusing, but I am excited about this approach because it purports to implement a tech solution to a people problem.
In its March white paper on the topic, as well as other materials, Fido argues that one of the biggest hurdles to adoption of such solutions is the procedure of switching and adding devices: remembering the passwords to the 90-plus accounts we all typically use to log into them just to insert a password manager step in between. And the process is at least as unwieldy as that sentence.
The schlep of the above creates an inertia problem. But a multi-device, platform-agnostic solution might just be seamless enough to push us over that (considerable) bump in the path. It’s just one step, but public support and promises like this from the biggest consumer tech platforms do indeed get us that little bit closer to a “passwordless” future.
• Thompson Davy, a freelance journalist, is an impactAFRICA fellow and WanaData member.