The Future of User Authentication: Moving Beyond Passwords
In today's digital landscape, ensuring secure and reliable proof of identity is a team effort. It’s no secret that personal information and access to accounts are traded in criminal forums on the internet. In this light, the traditional way of protecting accounts with passwords appears insufficient, both in terms of user experience and reliability. According to our CTO and Security Officer Robert Hoffmann, there is a growing realization that service providers must respond to this threat by adopting a more robust and advanced approach. Qualified certificates backed by public-private key cryptography are a future-proof solution here, but the shift is slow and inconsistent.
The current state of password-based authentication
Older than the internet itself, passwords are a long-standing approach to authentication. The login process on most websites boils down to a pre-agreed username (or email address) and a secret string (the password) shared between the user and the website. In terms of security, passwords travel over the wire in hash form during login and are also stored on web servers, but there is still a risk that they will be stolen.
In the modern world where security and usability must go hand in hand, password-based authentication is a massive pain point for everyone involved. “Ranging from multi-factor authentication to makeshift identity verification through utility bills, additional steps that service providers use to establish trust clearly show that passwords have reached their expiry date. Besides, right off the bat, there are two additional dealbreakers in terms of security here: password re-use and the fact that not all service providers use those additional steps. That creates a window for hackers, allowing them to access user accounts on high-security websites by hacking lower-security websites first,” Robert says.
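What the cross-site pattern Robert describes looks like from the defending site's side, as an added example (not code from the original article): credentials leaked from one site are replayed against another, so the telltale sign in an authentication log is one source failing against many different accounts in a short window, with the occasional success where a password was reused. The log format, thresholds and sample lines below are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// LoginEvent is one parsed line of a constructed authentication log.
type LoginEvent struct {
	At     time.Time
	Source string
	User   string
	OK     bool
}

// ParseLog reads lines of the assumed form
// "<RFC3339 time> <source-ip> <username> <success|failure>".
func ParseLog(log string) ([]LoginEvent, error) {
	var events []LoginEvent
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		events = append(events, LoginEvent{At: at, Source: f[1], User: f[2], OK: f[3] == "success"})
	}
	return events, sc.Err()
}

// Finding describes a source that failed against many distinct accounts.
// Successes counts logins from that source that did go through, i.e. accounts
// whose reused password should be reset.
type Finding struct {
	Source    string
	Users     int
	Successes int
}

// DetectStuffing flags sources with failures against at least minUsers distinct
// usernames inside any window of the given length. A real user mistyping a
// password hits one account; a replayed credential list hits many.
func DetectStuffing(events []LoginEvent, window time.Duration, minUsers int) []Finding {
	bySource := map[string][]LoginEvent{}
	for _, e := range events {
		bySource[e.Source] = append(bySource[e.Source], e)
	}
	var out []Finding
	for src, evs := range bySource {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		best, successes := 0, 0
		for i := range evs {
			if evs[i].OK {
				successes++
			}
			seen := map[string]bool{}
			for j := i; j < len(evs) && evs[j].At.Sub(evs[i].At) <= window; j++ {
				if !evs[j].OK {
					seen[evs[j].User] = true
				}
			}
			if len(seen) > best {
				best = len(seen)
			}
		}
		if best >= minUsers {
			out = append(out, Finding{Source: src, Users: best, Successes: successes})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Source < out[j].Source })
	return out
}

// sampleLog is constructed for this example; the addresses are documentation ranges.
const sampleLog = `
2024-05-01T10:00:00Z 203.0.113.7 alice failure
2024-05-01T10:00:01Z 203.0.113.7 bob failure
2024-05-01T10:00:02Z 203.0.113.7 carol failure
2024-05-01T10:00:03Z 203.0.113.7 dave success
2024-05-01T10:00:04Z 203.0.113.7 erin failure
2024-05-01T10:05:00Z 198.51.100.2 alice failure
2024-05-01T10:05:30Z 198.51.100.2 alice success
`

func main() {
	events, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range DetectStuffing(events, time.Minute, 4) {
		fmt.Printf("%s: %d distinct accounts failed within a minute, %d succeeded\n", f.Source, f.Users, f.Successes)
	}
}
```

The second source in the sample is a single user retrying their own account and is not flagged; the first is flagged, and its one success is exactly the account whose password was reused elsewhere.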
Today, an average internet user has dozens of password-protected accounts, making it increasingly difficult to store and manage them safely. According to Robert, password managers are a good solution in terms of security here, but that comes at the expense of usability. “Even if we create safe passwords and implement a password manager, changes are inevitable. Devices break, get stolen or upgraded, and some service providers require users to change their password on a regular basis. Besides, most users have multiple devices at a time, which requires them to sync the password manager across each device as well. Maintaining security with this level of fluctuation requires an unnecessary amount of resources when there’s a clear alternative in sight,” Robert notes.
Qualified certificates are the future
Whereas mutually agreed user identities (username, password, etc.) can easily be impersonated, qualified certificates are backed by EU regulation and based on public-private key cryptography. “This authentication method is unmatched both in terms of user experience and security. Users onboard with a Trust Service Provider who verifies their identity and issues a private key. When a user interacts with a service provider, both sides have their private keys, and they agree – for this session and for this session only – on a shared secret encryption. That’s the session key, and it’s different for every interaction. Involving this type of cryptography in the authentication process guarantees a much higher level of security. The same applies to hacking: if a user gets their password-protected account stolen, getting it back is very complicated. But if the service provider supports certificate-based authentication based on eIDAS, users can easily recover their identity by re-onboarding through a trusted service provider,” Robert says.
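The exchange Robert outlines, as an added example that is not code from the original article or from any Trust Service Provider's software: each side holds a long-lived key pair (the one a qualified certificate would bind to a verified identity), each generates a fresh ephemeral key for this session only, both sign the combined ephemeral material with their long-lived key, and each verifies the other's signature against the public key it already trusts before deriving the session key. The certificate chain is left out; handing each side the peer's trusted public key directly stands in for it. Using P-256 for both ECDSA and ECDH, and a single SHA-256 in place of a full KDF, are simplifications chosen for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Identity is the long-lived key pair a qualified certificate would bind to a
// verified person or service. The certificate itself is omitted here.
type Identity struct {
	Name string
	key  *ecdsa.PrivateKey
}

func NewIdentity(name string) (*Identity, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{Name: name, key: k}, nil
}

func (id *Identity) PublicKey() *ecdsa.PublicKey { return &id.key.PublicKey }

// ephemeral is one side's fresh ECDH key, used for this session only and then
// discarded, which is what makes every session key different.
type ephemeral struct {
	priv   *ecdh.PrivateKey
	pubRaw []byte
}

func newEphemeral() (*ephemeral, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ephemeral{priv: priv, pubRaw: priv.PublicKey().Bytes()}, nil
}

// transcript hashes both ephemeral public keys so a signature over it is tied
// to exactly this exchange and cannot be replayed into another one.
func transcript(clientEph, serverEph []byte) []byte {
	h := sha256.New()
	h.Write([]byte("client:"))
	h.Write(clientEph)
	h.Write([]byte("server:"))
	h.Write(serverEph)
	return h.Sum(nil)
}

// sessionKey mixes the ECDH shared secret with the transcript into a 256-bit key.
func (e *ephemeral) sessionKey(peerPubRaw, tr []byte) ([]byte, error) {
	peer, err := ecdh.P256().NewPublicKey(peerPubRaw)
	if err != nil {
		return nil, err
	}
	shared, err := e.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte("session-key:"))
	h.Write(shared)
	h.Write(tr)
	return h.Sum(nil), nil
}

// RunSession plays out one login. clientTrusts is the server's public key as the
// client knows it; serverTrusts is the client's public key as the server knows it.
// It returns the key each side derived; the sides agree only if both signatures
// verified against the trusted keys.
func RunSession(client, server *Identity, clientTrusts, serverTrusts *ecdsa.PublicKey) (clientKey, serverKey []byte, err error) {
	ce, err := newEphemeral()
	if err != nil {
		return nil, nil, err
	}
	se, err := newEphemeral()
	if err != nil {
		return nil, nil, err
	}
	tr := transcript(ce.pubRaw, se.pubRaw)

	// Each side proves its identity by signing the transcript with its long-lived
	// key; no reusable secret ever crosses the wire.
	clientSig, err := ecdsa.SignASN1(rand.Reader, client.key, tr)
	if err != nil {
		return nil, nil, err
	}
	serverSig, err := ecdsa.SignASN1(rand.Reader, server.key, tr)
	if err != nil {
		return nil, nil, err
	}
	if !ecdsa.VerifyASN1(clientTrusts, tr, serverSig) {
		return nil, nil, fmt.Errorf("%s rejects server: signature does not match trusted key", client.Name)
	}
	if !ecdsa.VerifyASN1(serverTrusts, tr, clientSig) {
		return nil, nil, fmt.Errorf("%s rejects client: signature does not match trusted key", server.Name)
	}
	if clientKey, err = ce.sessionKey(se.pubRaw, tr); err != nil {
		return nil, nil, err
	}
	if serverKey, err = se.sessionKey(ce.pubRaw, tr); err != nil {
		return nil, nil, err
	}
	return clientKey, serverKey, nil
}

func main() {
	alice, _ := NewIdentity("alice")
	bank, _ := NewIdentity("bank")
	k1, k2, err := RunSession(alice, bank, bank.PublicKey(), alice.PublicKey())
	if err != nil {
		panic(err)
	}
	fmt.Println("both sides agree:", bytes.Equal(k1, k2), "key prefix:", hex.EncodeToString(k1)[:16])
	k3, _, _ := RunSession(alice, bank, bank.PublicKey(), alice.PublicKey())
	fmt.Println("second session derives a new key:", !bytes.Equal(k1, k3))
}
```

An impostor who signs with a key the server does not trust is rejected before any session key exists, and because the long-lived private key never leaves the user's device, nothing reusable is exposed if a session is observed.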
Why is the shift taking so long?
The abundance of extra steps in password-based authentication clearly shows that larger service providers and government entities have already realized that passwords alone are insufficient. But according to Robert, there are many hurdles on the road to widespread adoption of qualified certificates. “User acceptance is one of the biggest challenges at this point. People are used to a user name–password system: I have this password that I created and only I know, meaning only I can log in, right? Compared to that, certificates and public-private key crypto sound like magic, even if everybody from the IT side confirms that this is a more secure solution,” he says. Technical challenges should also not be overlooked here, especially because implementing certificate-based authentication requires resources that smaller industry players don’t yet have. This is evident from the fact that some of them still struggle to implement even multi-factor authentication properly.
Another element of user resistance is the anonymity debate. Since qualified certificates represent real identities, these concerns are valid, but Robert also points out that the sharing of private information is a crucial element in 99% of transactions anyway. “I’m not saying that people are overvaluing anonymity – it’s very important. But in a business transaction, both sides must know each other. Even if you’re joe123, when you buy from a webshop they need to know where to deliver and whom to charge. Qualified certificates support the safe exchange of information, and they top it off with a level of data security that passwords can’t guarantee,” notes our CTO and Security Officer.