Chirag Mahapatra

Passwords

Overview

Passwords are still essential to many applications. However, they are also the biggest threat to people’s online security. According to haveibeenpwned.com, over 11 billion account credentials have been leaked. This includes accounts from government sites and from companies like Dropbox and Adobe. Some of the common wisdom around complicated passwords actually ends up working against users. When users choose complicated passwords, they tend to reuse them across multiple applications (Source: https://blog.google/technology/safety-security/a-simpler-and-safer-future-without-passwords/). Hence, a number of companies are trying to build technologies that augment or replace passwords.

Two factor authentication

The most common form of two factor authentication is the one-time password (OTP). An OTP is generally an alphanumeric string between 4 and 8 characters long. It can be delivered via SMS, hardware tokens or notifications in mobile apps.

While SMS-based OTP is highly convenient, it also has a number of open vulnerabilities. Hackers have been known to use holes in Signaling System 7 (SS7) as well as social engineering to re-route the SMS (Source: https://techcrunch.com/2017/09/18/ss7-coinbase-bitcoin-hack-2fa-vulnerable/). A better option is a time-based OTP, which relies on the client and server keeping their clocks synchronized. The OTP is derived from the current time, so nothing has to be sent over SMS.

Some companies which build 2FA solutions are Authy (https://authy.com/) and Duo (https://duo.com/).

Password managers

A password manager saves usernames and passwords the first time you visit a site. On subsequent visits, it autofills the credentials for easier access. Some web pages do not make it possible to autofill. In these cases, the password manager makes it easy to copy the credentials and paste them.

Some companies which build password managers are Dashlane (https://www.dashlane.com/) and LastPass (https://www.lastpass.com/).

Passwordless authentication

While the above technologies work around the existing limitations of passwords, the future is likely a world without passwords. Instead, the authentication factor would be fingerprints, face recognition and other biometric identifiers. It can also include other factors such as location, behavioral patterns and gestures.

Some companies which build passwordless authentication solutions are Trusona (https://www.trusona.com/) and Magic (https://magic.link/).