Frankfurt, San Francisco, Hamburg. A man sits in a boat steered by Death himself. The Grim Reaper gives him one last chance: to get to paradise, all he has to do is give his online password. The passenger can't recall it, answers the security questions only half correctly – and ends up in hell.
The TV commercial from US tech company Dashlane is funny – and hits a nerve. On average, every person has to remember around 100 passwords, according to security experts. And the trend is rising: before the pandemic it was 70 to 80 passwords; with remote work and increased digitalization, their number has gone through the roof.
Now Microsoft has announced a new technology that should help. Users of the Outlook e-mail program or the OneDrive storage service will soon be able to secure their access solely with an authentication app or a biometric feature such as their face or a fingerprint. Those who wish can do without a password entirely. “Nobody likes passwords,” said Vasu Jakkal, Microsoft’s vice president for cybersecurity. “They’re cumbersome and they’re a major target for hacker attacks.”
Apple and Cisco are also working on abolishing the password. They are driven by customers who want more security and lower costs – and by innovative pressure from start-ups such as Transmit Security from the USA or the Net-ID initiative in Germany. “The password will disappear in the next three to five years,” says Chuck Robbins, head of the world’s largest network equipment company Cisco.
However, there is a strong argument in favor of the traditional password: customer convenience. Customers want to log in as quickly and easily as possible, not via complicated new paths. Online shops have to weigh the risk of fraud against the often greater risk of scaring off their customers. For the same reasons, banks also try to use new security procedures as sparingly as possible.
Password theft is booming
The coronavirus pandemic is a godsend for cybercriminals. Employees are increasingly dialing into the intranet from their home WLAN. The number of “endpoints”, as every laptop and smartphone with access to the company network is called in technical jargon, has increased exponentially.
Important information that a boss previously discussed only behind a closed office door is now exchanged by e-mail. The risk of mistaking a spam e-mail for a real one is significantly higher. And if an employee responds to a friendly “My access doesn’t work, send me yours quickly”, it is not only the company that is in for a lot of trouble.
In its report on cybercrime for 2020, the Federal Criminal Police Office (BKA) counts around 17 percent more spam e-mails than in 2018, which were also used to steal passwords.
Apparently with success: According to the security service Digital Shadows, 15 billion passwords from 100,000 different password leaks are being offered for sale on the Darknet. Around a third of these are “unique” – that is, they have not yet been used.
Password theft pays off for the hackers. The British security software company Sophos estimates that the average damage caused by such attacks to companies has more than doubled, from $761,000 in 2019 to $1.85 million.
Safe, but complicated
So far, computer systems have made binary decisions about whether access is granted: anyone who knows the correct password gets in, anyone who doesn’t does not. This has led experts to recommend ever longer passwords with lower- and upper-case letters, numbers and special characters instead of the still popular “password” or “12345”.
Most people find it difficult to remember long, meaningless strings of characters – and such passwords don’t protect their company’s IT systems particularly well either, says Jeetu Patel, Cisco’s senior vice president for security: “The most insecure system is a very secure system that is too complicated.”
Instead, Cisco wants to continuously evaluate the behavior of users. Access is then granted on the basis of typical usage patterns instead of just a password – similar to how banks stop unusual transfers even if the correct PIN code has been entered.
Patel’s boss Chuck Robbins talks about a project that Cisco is currently carrying out with government organizations. Various data points from a user’s mobile device, such as usual login locations, are analyzed.
Google and Apple already require two-factor authentication in their e-mail programs, especially if the login takes place from an unusual location or device. However, this still often relies on typing characters into a keyboard.
Save the cost of resetting passwords
Transmit, based in Boston, promises a new level of security and speed. The start-up is currently causing a stir in the scene: it has secured well-known corporations such as the banks UBS and Santander and the US hardware store chain Lowe’s as customers – and, at 2.3 billion dollars, a record valuation among venture capitalists.
Transmit wants to replace passwords with a combination of biometrics and a cryptographic system. Neither passwords that a user negligently gives away nor hacks of company servers could then cause damage – no single element is sufficient to decrypt data. According to Transmit, its method reduces the time it takes to authenticate a customer from one minute to two seconds.
The technology almost eliminates the need to reset user accounts, the start-up claims. This is a particular advantage in the business environment: according to experts, in many companies a single password reset via the IT department costs 25 to 75 dollars. According to the market researcher Forrester, this adds up to a billion dollars in some US corporations.
It is not security that counts, but convenience
However, passwordless procedures have a problem: too many buyers would abandon the ordering process if they first had to sign up in a complicated manner. Achim Schlosser, interim manager at NetID, knows this too.
The German foundation, based in Montabaur, wants to create a uniform European login for many websites – as an alternative to the data-hungry offerings from Facebook and Google. To this end, RTL Deutschland, Pro Sieben Sat 1 and United Internet founded it in 2018.
Biometric methods offer a higher level of security. Most users, however, are not interested in that but in greater convenience. According to Schlosser, almost all cell phone users rely on fingerprints or Face ID not because of the higher security but because of their speed and simplicity.
Schlosser, however, does not believe in the end of passwords. “In the mix of options, secure passwords make sense in the long term,” he says – also as reassurance if, for example, the fingerprint does not work. Otherwise, things get complicated – for example, when bank customers have to wait several days for a letter to reset their account. This is hardly conceivable in e-commerce. “We don’t just want a solution for the one percent of users who are familiar with IT security,” says Schlosser.
Schlosser does hope that standards will become more established. While fingerprint and Face ID are already widely used on smartphones, fingerprint readers on PCs still lead a marginal existence.
NetID is currently also working on a higher security standard in order to make uniform access usable for insurance companies and banks in the future. “This is a very relevant topic for us,” says Schlosser.
Fear of abandoning the purchase
When it comes to banking, regulators enforce a complicated procedure. For six months now, stricter rules have also applied to online purchases by credit card. They stipulate that customers have to confirm payments separately – with a kind of one-time password. Now it turns out that most credit card payments are still processed without such an identity confirmation. According to financial circles, it is up to 80 percent of transactions.
The main reason for this: banks that issue credit cards and online shops that receive payments may dispense with the proof of identity as an additional security factor. Instead, they analyze the risk of fraud themselves and are then also liable for possible losses. To do this, they use what is known as a transaction risk analysis, which assesses the likelihood of fraud.
The analysis includes data such as the IP address of the customer, the number of the device used, the browser type, the purchase price and the frequency of online purchases. “The more data banks and retailers collect, the better the risk models”, says Bernd Richter, banking expert at IT consultant FIS. There are also exceptions for small purchase sums.
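The two risk-based approaches the article describes – Cisco’s continuous evaluation of usage patterns such as usual login locations, and the transaction risk analysis that banks and retailers use to decide whether a one-time password is required – both reduce to scoring an event against what is known about the customer. The following is an added illustration, not code from Cisco, FIS, or any bank: the feature list follows the article (IP address, device, browser type, purchase price, purchase frequency, plus location), while the weights, thresholds, small-sum exemption and customer profile are constructed assumptions; a real model would be trained on fraud outcomes rather than hand-tuned.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Profile:
    """What the issuer or shop has previously observed for one customer (constructed)."""
    known_devices: set
    known_networks: list      # IP ranges the customer has used before
    known_browsers: set
    usual_countries: set      # stands in for "usual login locations"
    avg_amount: float         # typical purchase price
    purchases_per_week: float # typical purchase frequency


@dataclass
class Transaction:
    device_id: str
    ip: str
    browser: str
    country: str
    amount: float
    recent_purchases_7d: int  # purchases already made in the last seven days


# Hypothetical weights and thresholds; a production model would learn these.
WEIGHTS = {
    "unknown_device": 30,
    "unknown_network": 20,
    "unknown_browser": 10,
    "unusual_country": 25,
    "high_amount": 25,
    "velocity": 20,
}
LOW_VALUE_EXEMPTION = 30.0  # assumed small-sum threshold below which no check is needed
STEP_UP_THRESHOLD = 40      # at or above: require the one-time password
DECLINE_THRESHOLD = 80      # at or above: refuse the transaction outright


def risk_signals(tx, profile):
    """Return the list of risk indicators that fire for this transaction."""
    signals = []
    if tx.device_id not in profile.known_devices:
        signals.append("unknown_device")
    addr = ip_address(tx.ip)
    if not any(addr in net for net in profile.known_networks):
        signals.append("unknown_network")
    if tx.browser not in profile.known_browsers:
        signals.append("unknown_browser")
    if tx.country not in profile.usual_countries:
        signals.append("unusual_country")
    if tx.amount > 3 * profile.avg_amount:
        signals.append("high_amount")
    if tx.recent_purchases_7d > 3 * profile.purchases_per_week:
        signals.append("velocity")
    return signals


def risk_score(tx, profile):
    """Additive score: the more of the customer's usual pattern is missing, the higher."""
    return sum(WEIGHTS[s] for s in risk_signals(tx, profile))


def decide(tx, profile):
    """'approve' frictionlessly, 'step_up' to a one-time password, or 'decline'."""
    if tx.amount <= LOW_VALUE_EXEMPTION:
        return "approve"  # small-sum exemption, as the article describes
    score = risk_score(tx, profile)
    if score >= DECLINE_THRESHOLD:
        return "decline"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "approve"


# Constructed sample data (documentation IP ranges, invented device ids).
SAMPLE_PROFILE = Profile(
    known_devices={"dev-a1"},
    known_networks=[ip_network("203.0.113.0/24")],
    known_browsers={"Firefox"},
    usual_countries={"DE"},
    avg_amount=60.0,
    purchases_per_week=1.0,
)
SAMPLE_TRANSACTIONS = [
    Transaction("dev-a1", "203.0.113.7", "Firefox", "DE", 45.0, 1),   # everything as usual
    Transaction("dev-a1", "203.0.113.7", "Firefox", "DE", 25.0, 1),   # below small-sum limit
    Transaction("dev-zz", "198.51.100.4", "Chrome", "DE", 80.0, 2),   # new device/network/browser
    Transaction("dev-zz", "198.51.100.4", "Chrome", "BR", 400.0, 9),  # plus country, amount, velocity
]

if __name__ == "__main__":
    for tx in SAMPLE_TRANSACTIONS:
        print(risk_score(tx, SAMPLE_PROFILE), decide(tx, SAMPLE_PROFILE), risk_signals(tx, SAMPLE_PROFILE))
```

The point of the design is the middle outcome: a purchase from a new device and network on a familiar browser and in the usual country is not refused, it is merely pushed to the one-time password, which is exactly the trade-off between fraud risk and abandoned purchases the article describes. Only when nearly every usual pattern is missing at once does the score cross into an outright decline.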
Retailers had previously feared that customers would cancel their purchases en masse in view of the new regulation. The start of the requirement was even postponed. The new rules were originally supposed to have been in effect for two years, and then came into force gradually from the beginning of 2021.
The German financial supervisory authority Bafin confirms that the transaction risk analysis is “very widespread” among German credit institutions. However, it cannot provide specific information on the application. Both savings banks and cooperative banks, which together cover the majority of German private customer business, use the risk analysis.
Fraud and convenience – these are the tradeoffs that many companies face. But one thing is clear: “A completely password-free world will not exist anytime soon”, GMX boss Jan Oetjen is certain.