Author: Ingolf Rauh

A Password-Free Future: Enhancing Security and Convenience

Logins with usernames and passwords are not only inconvenient but also pose risks. Cybercriminals primarily rely on phishing and social engineering to steal login credentials. Therefore, it is crucial to introduce user-friendly and secure alternatives, according to Ingolf Rauh, Head of Product and Innovation Management at Swisscom Trust Services.

 

In the field of data security and privacy, there are constant advancements. The European Commission recently extended the recognition of Swiss data protection laws as equivalent to GDPR. This ensures that data transfer between Switzerland and EU countries can continue freely, and citizens can trust that the transmission of personal data is subject to appropriate data protection laws.

Despite efforts to enhance cybersecurity and protect personal data, familiar dangers lurk online. Passwords remain one of the most significant vulnerabilities criminals exploit to access sensitive information. Phishing and social engineering, in particular, remain severe threats as they provide cybercriminals with the easiest way to compromise user accounts. Data thefts like these account for approximately 40 percent of cyberattacks, possibly because phishing and social engineering do not require significant IT knowledge, making cybercrime accessible to almost anyone.

Despite experts repeatedly emphasizing the characteristics of secure passwords, such as length and regular changes, and not reusing them, their advice is often brushed aside. Many users still choose simple passwords for convenience, which do not meet security requirements. Consequently, the traditional password system and its shortcomings often cause cyber incidents.

It is time for new and innovative internet user verification approaches. There is a demand for concepts that are not easily compromised and can be used securely and efficiently by users. The FIDO Alliance has advocated for this since 2013, working towards a password-less future. They see the alternative to usernames and passwords in asymmetric cryptography, where users verify their identity through a private key stored on a device. This can be a USB stick or even the hardware of a smartphone. During authentication, the key does not leave the device. Instead, a challenge is sent to the corresponding device, which can only be solved using the private key, thus proving the user's identity. This approach makes the method particularly secure.

However, for this to work effectively, the initial identification of the user is crucial. It must be guaranteed that the stated person is indeed behind the private key. BankIdent or AI-supported video identification can be used as an efficient and user-friendly method.

Additionally, the comprehensive Self-Sovereign Identity (SSI) concept is worth considering. With SSI, users can create a digital representation of their identity in a decentralized wallet and use it for indisputable identification in the digital space. This means they do not have to create separate user accounts for every online shop and can even carry out the payment process through their digital identity. This dramatically simplifies life in a digitized world in many ways.

Therefore, there is no reason not to bid farewell to passwords once and for all by 2024.