22.10.2019 Article in LANline by Stephan Schweizer
Username and password are neither up to date nor secure as a means of authenticating online users, as the increasing number of successful attacks on user accounts shows. Approaches that do not require passwords meet the demand for authentication that is both user-friendly and secure; this is the case with authentication procedures based on the FIDO standard.
To protect access to cloud applications and online services, users usually log on by entering a user name, such as an e-mail address, and a password. In Chapter M 2.11 of the IT-Grundschutz catalogues, the BSI recommends passwords that consist of at least eight characters and contain uppercase letters, lowercase letters, special characters and numbers. This guidance is now considered outdated: longer and more complex passwords are required today. Yet it is practically impossible for users with numerous accounts to remember many complex passwords.
IT security experts recommend using phrases as long as possible, such as “His pet dragon drives an electric car and wears purple contact lenses,” or advise using a password safe. Such software often offers the option of automatically generating complex login strings. But many users still use simple passwords, as an evaluation by the Hasso Plattner Institute showed. According to the study, terms such as “12345” or even “123” were among the most frequently used passwords in 2018.
In its “2019 Data Breach Investigations Report”, the service provider Verizon states that login data was stolen in around 30 percent of successful attacks. Hackers have also expanded their arsenal of attack methods; one example is credential stuffing, which exploits the fact that users often use the same or similar login data for several accounts. Once the attackers have obtained the credentials for one user account, they test on a large scale whether the same passwords, or variations of them, also work for that user's logins at online services, web shops, banks or corporate networks.
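The large-scale testing described above leaves a recognisable trace on the defending side: one source trying many different accounts in a short time, almost all of them failing. The following added example (not part of the article) detects that pattern over a constructed authentication log; the log format, thresholds and window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article): timestamp, source IP, account, result.
# 203.0.113.5 cycles through many accounts; 198.51.100.7 is one user retrying.
SAMPLE_LOG = """\
2019-10-22T08:00:01Z 203.0.113.5 alice@example.com FAIL
2019-10-22T08:00:02Z 203.0.113.5 bob@example.com FAIL
2019-10-22T08:00:03Z 203.0.113.5 carol@example.com FAIL
2019-10-22T08:00:04Z 203.0.113.5 dave@example.com OK
2019-10-22T08:00:05Z 203.0.113.5 erin@example.com FAIL
2019-10-22T08:00:06Z 203.0.113.5 frank@example.com FAIL
2019-10-22T08:01:00Z 198.51.100.7 alice@example.com FAIL
2019-10-22T08:01:30Z 198.51.100.7 alice@example.com FAIL
2019-10-22T08:02:00Z 198.51.100.7 alice@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")  # assumed log layout

def parse_log(text):
    """Return (timestamp, source, account, success) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_accounts=5, max_success_ratio=0.5):
    """Flag sources that touch >= min_accounts *distinct* accounts inside one
    sliding window with mostly failed attempts. A single user retyping their
    own password hits one account and is not flagged."""
    by_source = defaultdict(list)
    for ts, src, account, ok in sorted(events):
        by_source[src].append((ts, account, ok))
    flagged = {}
    for src, evs in by_source.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window forward
                start += 1
            span = evs[start:end + 1]
            accounts = {a for _, a, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(accounts) >= min_accounts and successes / len(span) <= max_success_ratio:
                best = flagged.get(src, {"distinct_accounts": 0})
                if len(accounts) > best["distinct_accounts"]:  # keep the widest evidence
                    flagged[src] = {"distinct_accounts": len(accounts),
                                    "attempts": len(span), "successes": successes}
    return flagged
```

The one success inside the flagged burst is the interesting row for incident response: it is the account whose reused password was actually accepted and should be reset first.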
Multi-level security concept
Read on to learn how a multi-level security concept works that replaces passwords. The complete article (LANline special print “Passwords as a security risk” October 2019) is available here (German only, pdf, 772 KB).