In a rapidly changing world, even the things that seem unshakable and undeniable can change. One such thing is the password. We have become so used to passwords that it seems strange even to question their necessity. But let's try.
Do we really need common reusable passwords?
The web is full of discussions about the downsides of passwords and the low level of protection they offer. Even a beginner at hacking can crack the majority of passwords. Besides, account owners do not always use passwords properly: they rarely change them, keep them where other people can find them, and choose short, easy-to-guess combinations.
Meanwhile, there are more reliable multi-factor authentication methods, which give much greater assurance that it is the legitimate user of the account who is signing in.
Two-factor authentication with one-time passwords is one example. A growing number of websites use it successfully, and for online resources that handle money (online banking or a payment system), two-factor authentication of clients is an undisputed standard.
Two-factor authentication works by simultaneously checking two components that can confirm the legitimacy of the user: knowledge and possession.
The knowledge factor is either a reusable password that the user enters when logging in to the account or the PIN code of an OTP token.
The second factor, possession, can be a mobile phone that receives SMS messages with one-time passwords, or a hardware or software OTP token. The one-time password delivered to or generated on that device is what confirms possession.
Practice shows that using hardware OTP tokens for user authentication provides a higher degree of protection than the well-known SMS delivery method.
What are the advantages of OTP tokens?
- OTP tokens work autonomously, without open communication channels or an Internet connection.
- To use an OTP token you generally need to enter a PIN code, which further protects the account from unauthorized access.
- The token generates passwords using modern cryptographic algorithms. For example, Protectimus OTP tokens use three different generation algorithms: TOTP, HOTP, and OCRA.
- If you need an even higher degree of protection, you can use a strong authentication system with a challenge-response algorithm.
In this case, each party to the authentication process holds a predetermined secret key, whose value is used both when generating the temporary password and when verifying it during authentication.
The reliability of 2FA rests on the fact that the flaws and vulnerabilities of one factor are offset by the strengths of the other. If an attacker knows the password or the PIN code, the lack of a one-time password will keep him out of your account. And vice versa: if somebody gets hold of your phone or OTP token, he or she cannot prove legitimacy without the PIN code that unlocks the device or without the ordinary password.
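To make the two factors concrete, here is an added example (written for this page, not Protectimus code and not the OCRA specification) that generates HOTP and TOTP codes as a token would, adds a simplified challenge-response in the spirit of OCRA, and then shows the server-side check from the paragraph above: an attempt succeeds only when both the PIN (knowledge) and a fresh code from the token (possession) are correct, and an accepted code cannot be replayed. The secret is the RFC 4226 test key and the PIN and salt are constructed demo values.

```python
"""Added example: HOTP/TOTP generation, simplified challenge-response, and a
two-factor check that requires PIN + OTP. Not vendor code; the secret is the
RFC 4226 test-vector key and the PIN/salt are constructed demo data."""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"   # RFC 4226 test-vector key (demo data only)
STEP = 30                          # TOTP time step in seconds


def _truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation from RFC 4226: pick 4 bytes at an offset taken from the last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def totp(secret: bytes, at_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, at_time // step, digits)


def challenge_response(secret: bytes, challenge: bytes, digits: int = 6) -> str:
    """Simplified challenge-response (assumption: an HMAC over the server's challenge,
    truncated like HOTP). This is the idea behind OCRA, not the full RFC 6287 suite."""
    return _truncate(hmac.new(secret, challenge, hashlib.sha256).digest(), digits)


class TwoFactorVerifier:
    """Server side: success requires the PIN (knowledge) AND a fresh TOTP from the
    token (possession). Each accepted time step is consumed so a code cannot be replayed."""

    def __init__(self, secret: bytes, pin: str, salt: bytes, window: int = 1):
        self.secret = secret
        self.salt = salt
        self.pin_hash = self._hash_pin(pin)   # never store the PIN itself
        self.window = window                  # tolerated clock drift, in time steps
        self.last_step = -1                   # highest time step already used

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def verify(self, pin: str, code: str, now: int) -> bool:
        # Evaluate both factors before deciding and report only the overall result,
        # so a failed attempt does not reveal which factor was wrong.
        pin_ok = hmac.compare_digest(self._hash_pin(pin), self.pin_hash)
        matched_step = None
        for delta in range(-self.window, self.window + 1):
            step = now // STEP + delta
            expected = hotp(self.secret, step).encode()
            if step > self.last_step and hmac.compare_digest(code.encode(), expected):
                matched_step = step
        if not (pin_ok and matched_step is not None):
            return False
        self.last_step = matched_step         # burn the code: replaying it later fails
        return True


if __name__ == "__main__":
    now = 59                                   # RFC 6238 test time
    verifier = TwoFactorVerifier(SECRET, "1234", b"demo-salt")
    code = totp(SECRET, now)
    print("PIN only   :", verifier.verify("1234", "000000", now))   # False
    print("token only :", verifier.verify("0000", code, now))       # False
    print("PIN + token:", verifier.verify("1234", code, now))       # True
    print("replay     :", verifier.verify("1234", code, now))       # False
```

The `window` parameter is the usual trade-off: a wider window tolerates more clock drift on the token but also accepts more codes per attempt, so keep it small and pair it with rate limiting on the login endpoint. Tracking `last_step` is what turns a "one-time" password into one that really is accepted only once.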
Will reusable passwords survive? After all, in spite of all their downsides, they remain an essential element of two-factor authentication. Won't 2FA lose all its power if passwords are 'canceled'?
I think it is possible to do without passwords if 2FA keeps its much-needed first factor, knowledge. After all, a PIN code, part of almost any modern OTP token, can easily handle the function that today is performed by an ordinary password. Such an approach would keep the verification of two parameters (knowledge of the PIN code and possession of the token), simplify the procedure, and data protection would not become less reliable.
Cassette recorders, tube televisions and paper letters have disappeared within a generation. It seems the same fate soon awaits the reusable password. Let's thank them and finally say 'goodbye'.