[세계 비밀번호의 날] Throw away all passwords now

Every year on the first Thursday of May, World Password Day is celebrated. World Password Day is an anniversary that started in 2013 led by Intel, and was established to raise awareness of the importance of strong passwords in protecting various digital services and devices.

According to Intel, for the past 60 years, passwords have been used as a representative method for users to authenticate usage rights on various devices and services. You use these passwords to unlock your smartphone or log in to portal sites, as well as access important business systems.

But the security industry stresses that passwords are no longer secure. Hackers are using phishing e-mails or information leaking malicious codes (infostealer) to find out passwords that target users’ IDs and passwords. In addition, hacking techniques such as brute force attacks that randomly input IDs and passwords and dictionary substitution attacks that sequentially input pre-made strings are also being automated. According to Microsoft, attacks against passwords have doubled in the past 12 months, with 921 attacks occurring every second.

To counter these attacks, passwords that combine uppercase and lowercase letters, numbers, and special characters are recommended, but many users create passwords in the form of adding only numbers and exclamation marks to simple phrases because they are difficult to memorize. Paradoxically, a complex password to strengthen security makes the password weaker.

In particular, leaked IDs and passwords are being traded on the dark web, and the hackers who obtained them try to log in by entering numerous combinations of IDs and passwords. This is a so-called credential stuffing attack. If a user uses the same ID and password for other services, even if one service is exposed, several other services can be hacked.

According to Apple, password-only authentication has been considered one of the biggest security problems in the Internet environment, and users often use the same password across online services due to the hassle of managing multiple passwords. These practices lead to account takeovers, data breaches, and even identity theft.

Threat intelligence company Mandiant recommended Multi-Factor Authentication (MFA) as a means to protect passwords. Multi-factor authentication or two-factor authentication (2FA, 2 Factor Authentication) is a security technique that uses other means than primary authentication through ID and password to further authenticate the user.

In the authentication security industry, authentication methods are broadly divided into knowledge-based, ownership-based, and feature-based authentication. Knowledge-based authentication refers to a method of authentication using previously known information such as IDs, passwords, and patterns that we commonly use.

Ownership-based authentication is a method of additional authentication using a device that the user owns. A typical method is to run an application (hereafter referred to as an app) installed on the smartphone to authenticate when logging in, or to enter a six-digit code received through a text message.

Feature-based authentication uses a user’s biometric characteristics to authenticate, and fingerprint or face recognition is typical. In the case of face recognition, in the past, there were cases where it was not possible to distinguish a photo from a real face, but recently, a method of increasing recognition accuracy by using a 3D camera or an infrared sensor together with the camera is widely used.

The popularity of smartphones has made this authentication method easier to use. The built-in camera or biometric sensor in the smartphone can be used for authentication. In particular, two-step authentication linked with an authentication app installed on a smartphone can use knowledge-based, ownership-based, and feature-based authentication at the same time.

Apple, Google and Microsoft announced on May 5 (local time) expanded support for the passwordless login technology standard established by the FIDO Alliance. With this technology, users can easily log in by entering a long and complex password only once, and then without additionally entering a password using an authentication app or the like. For example, you can log in easily by running the app when logging in and taking a QR code that appears on the PC screen, or by recognizing your fingerprint in the app when logging in.

The three companies will be able to log in to their apps and services in the future regardless of device, platform, or web browser. For example, it is possible to log into the Google Chrome browser running on the Windows operating system through an authentication app installed on the iPhone.

This integrated authentication function is expected to be introduced as early as next year. Microsoft predicts that this type of login will provide users with a secure and consistent authentication experience.

“The complete transition to a password-free world starts with users naturally accepting it as a part of their lives,” said Alex Simons, vice president of Microsoft’s Authentication Program Management. , has made significant strides toward eliminating passwords. FIDO-based credentials will be widely used by consumers as well as enterprise customers.”

“This collaboration is an industry-wide look at improving online user protection and eliminating outdated password-based authentication methods,” said Mark Risher, Google’s senior director of product management. and FIDO Alliance show the achievements of the past 10 years.The FIDO-based technology is used on various platforms including Chrome, Chrome OS, and Android, and app and web developers actively introduce it, and users around the world are aware of the risk of passwords. We hope that you will be able to safely escape from the inconvenience.”