The use of specific words to "show a white leg" goes back a long way. Two centuries before our era, the sentries of the Roman army were already using "words of summons" (questions) and "passwords" (answers), written on wooden tablets, to secure a perimeter. At the beginning of the 18th century, the famous formula “Sesame, open up! ”, In the tale Ali Baba and the Forty Thieves , introduces the idea - which still persists today - of a“ magic sentence ”protecting a secret place and the treasure it contains.
However, the principle of the password did not impose itself worldwide until the 20th century, with the advent of digital technology. Fernando Corbató, an engineer at MIT, was the first to use a password-based system to access a computer, in 1961. A few years after their appearance, bank cards became widespread and, in 1972 in Great Britain, the Lloyds Bank is the first to add a PIN ( Personal Identification Number ) to them. A simple four-digit code becomes the universal sesame for consumers to spend their money. But it was obviously the appearance of personal computers in the 1980s, then the democratization of the Internet in the 2000s, which caused the use of passwords to explode.
There are actually so many of them today that you now need dedicated apps - Dashlane, 1Password, LastPass or other tools - to manage them. In 2015, Dashlane found that an average user has 90 online accounts and credentials, and in 2017, LastPass found that an employee maintains an average of ... 191 passwords.
The password, this unloved
In the mid-2010s, however, it seemed clear that the principle was no longer suitable. Passwords have become " a sort of nightmare" , as Fernando Corbató himself acknowledged in the Wall Street Journal in 2014 . " Passwords are not secure, they are inconvenient, expensive and nobody likes them," we also read on Microsoft's official blog in 2018.
In fact, the endemic password problems are easy to understand. First, they are stored on centralized servers. A boon for hackers who can, by breaking into a single system, steal a considerable number of sesame. High-profile hacks are becoming commonplace. In 2016 alone, Yahoo recognized a security breach affecting three billion accounts, while the adult social network Adult Frien Finder suffered an attack in which the email addresses and passwords of more than 400 million were stolen. users… Adobe, eBay, LinkedIn, Sony and Uber, among others, experienced similar setbacks over the following years, exposing the personal data of hundreds of millions of users.
123456
is the password used by 23% of accounts hacked in 2019 in England
Another limitation is due to uses. Despite repeated advice from security professionals, good password choice practices are struggling to prevail. Year after year, studies show that users do not necessarily understand the importance of their digital identifiers. In April 2019, the British National Cyber Security Center (NCSC) reported that over 23 million hacked accounts in the country were using "123456" as their password, the most widely used of all ... and the word "password" or combinations " 111111 "and" 12345 "are still in the top 10 most popular passwords.
Moreover, according to Digital Guardian , at the end of 2018, 11% of Internet users re-used the same passwords for all their accounts, while 40% did so “sometimes” for accounts that they considered to be insensitive. A separate study of HYPR secure solutions provider, dated December 2019, concluded that more than three quarters of North American employees proceeded to reset a password in the last three months, because they had forget it. And when forced to update a work password for security reasons, one in two employees simply change a single number or letter.
Towards a world without a password?
“In the entire digital security chain, the weakest link remains the user, who still lacks maturity when it comes to the importance of authentication data. That's why we have to abandon the simple use of the password, ” summarizes Christelle André-Pons, cybersecurity consultant at Sogeti, a digital services company and a subsidiary of the Capgemini group.
Countless solutions have been devised to try to overcome passwords, including the most extreme. The implementation of electronic identification chips (RFID or NFC) is still relevant and regularly makes headlines. In 2017, Three Square Market became the first American company to offer its employees a chip in their arm to identify themselves everywhere, without a code or password. And several start-ups ( Dangerous Things in the United States, Biohax in Sweden) offer ready-to-use implantation kits. Others, like Civic uPort or Blockpass, rely on blockchains to offer decentralized identification solutions, where the user locally stores all his personal data.
The transition to a world without passwords is also the subject of a concerted industrial effort. The FIDO Alliance , created in 2013 and now bringing together more than 200 members - including Alibaba, Amazon, Facebook, Google, Mastercard and Visa - thus aims to define open authentication standards that are likely to " help reduce the world's over-reliance on passwords ”. Clearly, the Alliance intends to precipitate the advent of a " passwordless" world (literally "without password").
"Passwordless authentication is the next big step in digital transformation"
Extract from a World Economic Forum report from January 2020
A World Economic Forum report , written with the FIDO Alliance and published in January 2020, even describes passwordless authentication as " the next major breakthrough in digital transformation." According to the authors, passwordless authentication has “ four key advantages” over traditional solutions: “ It makes financial sense for the business, increasing revenue and reducing costs; it makes sense on the client side by offering a better user experience; strategically, it redefines competition by releasing a new value from interoperability; finally, it increases security considerably ”.
The report presents some of the avenues considered to lead this transition: facial biometrics (where other avenues are possible, such as the retinal imprint for example), material keys (an independent tool that must be physically and locally present during the authentication), QR codes (a simple, no-key way to associate a user with an identity, before launching the authentication procedure itself), behavioral analysis (these are the usual actions of the user, such as speed moving the mouse or the write speed that define its profile, so to authenticate), or " proof zero-knowledge of knowledge " ( zero-knowledge proof), which consists in asking the user, for example by solving a riddle, to prove that he knows the key but without ever disclosing it.
“The future of authentication will take multiple routes, some of which we have only just begun to explore, such as self-managed blockchain-based identities or zero-knowledge networks. But companies must embark on this journey that is free of passwords, ” concludes the report.
This journey has already started . In 2019, part of the FIDO specifications were included in web standards (established by the W3 Consortium), while several products (from Google and Microsoft in particular) became compatible with the FIDO standard (Android 7 and above, Windows 10, in particular). In June 2020, the Alliance also launched two new working groups, one to study identity verification from selfies (especially in the case of devices lost by the user or stolen), the other focused on the Internet of Things (with the particular ambition of limiting the marketing of devices with "default passwords", a poorly secure solution if there is one).
Authenticate without centralizing
So, will we ever see a world without passwords? Not so fast. “ In the short or medium term, we will not be able to eliminate passwords; they will remain essential for a long time to come, ” considers Christelle André-Pons.
In particular, biometrics is, to date, only a stage which does not change the fundamentals. Fingerprint sensors and / or facial recognition have become widespread on smartphones and laptops (from 2013 for fingerprints, in 2017 for faces), but they do not solve anything for the moment: on current devices, biometric identification is a simple workaround, which is superimposed on the password. If you can always hack a smartphone by cracking its main password, the fact of including a biometric identification simplifies the user's life, but in no way increases security.
"In fact, security systems must be made more complex, in order to achieve strong authentication" , explains Christelle André-Pons, in particular by using " biometrics or other systems such as electronic certificates, which will act as so many overlays in the words of past. The general idea is to guarantee safety through combinations. We speak of MFA, or “multi-factor authentication”: security is not guaranteed by a single component but by several, for example password + fingerprint + certificate, combined to guarantee correct identification. Each of the components is vulnerable in isolation, but their combination is much less so ”.
Moreover, the generalization of biometric identification raises other problems. “ We must avoid centralization and the creation of large files storing biometric information, which is extremely sensitive data. The scope of theft of fingerprint templates, allowing a hacker to truly impersonate, is considerable. We are well beyond the risk, already serious, of usurpation of the name and the Social Security number… ” , warns Christelle André-Pons, who adds that“ biometric templates should always be kept on the user side ” .
"The problems appear when biometric data is stored in centralized databases" , also judged Andrew Shikiar, general manager of the Alliance FIDO, in September 2020 on the site Venture Beat . And to conclude: " Store biometric data on the user's device (and never let it leave) and enforce tamper-proof proof of possession of that device, then the threat of a global biometric security breach will be gone." ".
Prepare for the future
In France, the government is currently testing Alicem (Certified online authentication on mobile), the use of which was approved by decree in May 2019. This solution could be deployed in mid-2021 to allow users, by facial recognition, to s 'identify on most online utilities.
"If we allow biometric recognition on a large scale and in a systematic way, we risk infringing on individual freedom"
Christelle André-Pons, cybersecurity consultant at Sogeti
“We are moving towards a world where the user is recognized wherever he / she goes. The technologies exist and are ready. But he supervises them and does not systematize them too quickly. We will have to target places where identification is absolutely necessary and rely on the gendarmes for our personal data, such as the CNIL in France. If we allow biometric recognition on a large scale and in a systematic way, we risk infringing on individual freedom. », note Christelle André Pons.
Without forgetting the context of a major evolution of the computing paradigm, while many experts are already announcing “the end of the digital era”: “ Quantum computing is here and we must prepare for it. These computers will considerably weaken the protection systems and make the current encryption algorithms very vulnerable. We must be concerned about it today to anticipate the threat, ” recalls Christelle André-Pons. Work is progressing well on the subject, in particular to assess the potential impact of quantum computing on encryption, which today secures all systems. In the United States, the National Institute of Standards and Technology (NIST) published in January 2019 a list of 26 algorithms candidates to replace existing encryption protocols to protect electronic data in the age of quantum computers.
In the shorter term, the designers of future personal identification systems must take up a multifaceted challenge: guaranteeing an increasingly high level of security (required by the increased expertise of hackers but also by the generalization of more data). more personal), offer a user experience that remains simple and user-friendly (which passwords have long since ceased to be), but also respect and preserve the privacy of citizens (well beyond the GDPR ).
Autrement dit, ce qui n’était à l’origine, il y a soixante ans, qu’un procédé basique pour s’identifier sur un ordinateur, devient aujourd’hui une problématique complexe, à la fois technique, économique et sociétale.