Posted on beta news magazine, May 1 by Amit Rahav
If implemented correctly, this system is a lot more secure than the one that prevails now, where users log in with only a password, since two or more factors are now used to authenticate the user.
It was supposed to have died a long time ago, but, for a near-cadaver, the password has managed to hold onto its last breath for over two decades. Bill Gates declared passwords passé way back in 2004, but it was only late in April that the company he founded introduced a replacement for the outmoded authentication system.
For years, organizations have tried to educate employees about the importance of secure passwords and about resisting phishing attacks, and neither effort has worked. Verizon's 2016 Data Breach Investigations Report found that 63 percent of confirmed data breaches involved weak, default or stolen passwords. Proofpoint, meanwhile, reported that phishing and similar e-mail-borne attacks rose 45 percent in the last quarter of that year. Clearly, security teams' constant haranguing of employees to change their passwords and make them more complicated, and their pleas not to click on suspicious links or attachments, are falling on deaf ears.
Indeed, NIST, the US National Institute of Standards and Technology, has concluded that complexity rules do not make passwords effective at all. Its Digital Identity Guidelines (SP 800-63B) set a minimum of eight characters for a user-chosen password, require that at least 64 characters be accepted so that users can pick long passphrases, drop the old composition rules (mandatory capitals, digits and symbols) and forced periodic changes, and instead require new passwords to be screened against lists of known compromised ones. The message is that length, not character-class juggling, is what gives a password its strength. But we have enough trouble getting people to remember eight characters; can we really rely on their memories for 16, 20 or more?