Passwords go at least as far back as armed sentries, fortified towns and invasions on horseback. “Who goes there,” was a question that had to be answered in a very specific way, if one wished to see another dawn.
The struggle to protect a password goes all the way back too. How often to change it, how to craft and share it, these questions are universal, although the answers have changed.
By the mid-1960s, the password had gone digital, as a new world of risk and protection was born: the virtual one. Researchers at the Massachusetts Institute of Technology (MIT) built a time-sharing computer and, the general consensus goes, instituted the first computer password in 1961. By 1966, the first breach happened: A software bug caused the entire list of passwords to become visible to all users.
Passwords have always been vulnerable.
They are among the most widely and cheaply available items on the dark web. Hacked passwords (for accounts ranging from email to e-commerce and streaming platforms, among others) cost about $1 each on the dark web.
Now, an evolution is underway. Having tried and failed to get people to use passwords more effectively — 123456 remains the most common (and of course most hackable) password, according to a June 2023 study by online-security company Norton; and most users continue to deploy one password across multiple platforms — hardware and software companies are going in another direction.
It began with biometric data such as facial recognition and fingerprint scans. It’s now advancing into encrypted hardware keys and passkeys.
Apple devices have supported fingerprint recognition since 2013 (for iPhones) and 2016 (for Mac devices), and the Windows ecosystem is now catching up on this front.
Windows Hello, available on a growing number of desktops and laptops running the Windows 11 operating system, uses fingerprint sensors or webcams capable of facial recognition, or both. A growing number of websites and apps are also beginning to pair the PIN or personal identification number with biometric authentication.
But the game-changer is the coming of physical authentication and invisible authentication. First, the former. Physical authentication can take the shape of smart tap cards or fobs that authenticate a user as the right person to access a device. Or it can be an actual USB key, such as those sold by Google or Yubico.
These keys act as two-factor authentication. Instead of a second code or OTP, the user must plug a specific “key” into a USB port on the device, in order to unlock it. Google’s Titan Security Keys act in this manner on smartphones, laptops and desktops. Yubico, also US-based, has been issuing its YubiKeys since 2008. Where these were largely deployed in enterprise-level security, both companies are now aiming at retail consumers too.
The invisible authentication mode is more exciting still. It takes the form of a different passkey for access to each protected website and app on a device. The passkey combines biometrics and an encrypted PIN, in order to unlock the protected platform.
But you needn’t worry about remembering all those PINs. Each PIN remains invisible to the user and locked into the device. All the user need do is scan their face or fingertip. If the scan checks out, the device relays its passcode to the central server, giving it the all-clear to log the user in.
The passcode is never stored in a cloud, keeping it safer from hackers. It changes with each device. (Unlike a password, which carries over.)
In September, Microsoft added the passkey option to its Windows 11 update. In October, Google began integrating passkeys for Google accounts (and thereby Google-linked apps such as YouTube, Maps and Search) and for Android 14 smartphones. Apple added passkey support to its iOS 17 and macOS Sonoma, in September.
Apps such as Uber and eBay are giving users the option of replacing passwords with passkeys too. WhatsApp is expected to be next, with Amazon following soon after, at least for iPhone users.
The best thing about the passkey is that it no longer leaves it to the user to formulate, memorise or store their own passwords, all of which have proved to be deeply flawed processes among humans.
It is no longer the user answering the central server’s question of “Who goes there”, in fact. In another instance of artificial intelligence replacing human, that question is answered, more securely, by the device itself.
Passwords go at least as far back as armed sentries, fortified towns and invasions on horseback. “Who goes there,” was a question that had to be answered in a very specific way, if one wished to see another dawn.
The struggle to protect a password goes all the way back too. How often to change it, how to craft and share it, these questions are universal, although the answers have changed.
By the mid-1960s, the password had gone digital, as a new world of risk and protection was born: the virtual one. Researchers at the Massachusetts Institute of Technology (MIT) built a time-sharing computer and, the general consensus goes, instituted the first computer password in 1961. By 1966, the first breach happened: A software bug caused the entire list of passwords to become visible to all users.
Passwords have always been vulnerable.
They are among the most widely and cheaply available items on the dark web. Hacked passwords (for accounts ranging from email to e-commerce and streaming platforms, among others) cost about $1 each on the dark web.
Now, an evolution is underway. Having tried and failed to get people to use passwords more effectively — 123456 remains the most common (and of course most hackable) password, according to a June 2023 study by online-security company Norton; and most users continue to deploy one password across multiple platforms — hardware and software companies are going in another direction.
It began with biometric data such as facial recognition and fingerprint scans. It’s now advancing into encrypted hardware keys and passkeys.
Apple devices have supported fingerprint recognition since 2013 (for iPhones) and 2016 (for Mac devices), and the Windows ecosystem is now catching up on this front.
Windows Hello, available on a growing number of desktops and laptops running the Windows 11 operating system, uses fingerprint sensors or webcams capable of facial recognition, or both. A growing number of websites and apps are also beginning to pair the PIN or personal identification number with biometric authentication.
But the game-changer is the coming of physical authentication and invisible authentication. First, the former. Physical authentication can take the shape of smart tap cards or fobs that authenticate a user as the right person to access a device. Or it can be an actual USB key, such as those sold by Google or Yubico.
These keys act as two-factor authentication. Instead of a second code or OTP, the user must plug a specific “key” into a USB port on the device, in order to unlock it. Google’s Titan Security Keys act in this manner on smartphones, laptops and desktops. Yubico, also US-based, has been issuing its YubiKeys since 2008. Where these were largely deployed in enterprise-level security, both companies are now aiming at retail consumers too.
The invisible authentication mode is more exciting still. It takes the form of a different passkey for access to each protected website and app on a device. The passkey combines biometrics and an encrypted PIN, in order to unlock the protected platform.
But you needn’t worry about remembering all those PINs. Each PIN remains invisible to the user and locked into the device. All the user need do is scan their face or fingertip. If the scan checks out, the device relays its passcode to the central server, giving it the all-clear to log the user in.
The passcode is never stored in a cloud, keeping it safer from hackers. It changes with each device. (Unlike a password, which carries over.)
In September, Microsoft added the passkey option to its Windows 11 update. In October, Google began integrating passkeys for Google accounts (and thereby Google-linked apps such as YouTube, Maps and Search) and for Android 14 smartphones. Apple added passkey support to its iOS 17 and macOS Sonoma, in September.
Apps such as Uber and eBay are giving users the option of replacing passwords with passkeys too. WhatsApp is expected to be next, with Amazon following soon after, at least for iPhone users.
The best thing about the passkey is that it no longer leaves it to the user to formulate, memorise or store their own passwords, all of which have proved to be deeply flawed processes among humans.
It is no longer the user answering the central server’s question of “Who goes there”, in fact. In another instance of artificial intelligence replacing human, that question is answered, more securely, by the device itself.