The Evolution of Cybersecurity: From Passwords to Passkeys to Limitless Protection
Passwords are a cybersecurity staple. Even those with little regard for cybersecurity will have encountered websites or accounts that require them to have a password – and for good reason. Passwords provide a vital first line of defence against any unauthorised access, from acquaintances you simply don’t want going through your laptop to threat actors that shouldn’t have access to a privileged network. But the problem with any cybersecurity feature is that it has a shelf life. The threat landscape is constantly developing and, as such, cybersecurity measures need to change to keep up with the times. So, now in the year 2024, is the ‘age of the password’ coming to an end?
Humble Beginnings
The first recorded instance of a password can be found in the early 1960s when Fernando Corbató first presented the concept at MIT to secure their Compatible Time-Sharing System (CTSS). The idea at the time was simply to secure their research tool and restrict access to sensitive data – a fundamental use of passwords that we still recognise today. This basic approach and understanding of passwords prevailed for some time, but as computing power increased and the internet burst onto the scene, securing sensitive data became much more complex.
By the 1990s, password-based security faced significant challenges, the most common of which was weak, reused passwords. Just like in the 21st century, the 90s saw an influx of users choosing basic or easily guessed passwords across multiple sites, making them extremely vulnerable to cyber-attacks. Despite efforts from numerous bodies trying to encourage stronger password practices, the limitations of the password-based approach were becoming evident.
Even today, though many of us know what good password practice looks like, the logistics of remembering tens, or even hundreds of unique passwords (all of which should be non-dictionary words, be over 8 characters and include a number and a symbol!) for each aspect of our life is almost impossible. This is why reports around password use are so concerning, including that up to 65% of people use the same password for multiple accounts and that 23.2 million compromised accounts worldwide used 123456 as a password…
Enter Multi-Factor Authentication
To address the shortcomings of password-only security, the concept of multi-factor authentication (MFA) emerged. MFA introduced additional layers of security, requiring users to provide multiple forms of verification, such as something they know (password), something they have (smartphone), or something they are (fingerprint).
MFA significantly improved security by making it more difficult for attackers to gain unauthorised access. However, it is not without its shortcomings. Just like with passwords, one of the biggest challenges that arises with MFA is people. As secure as it can be, MFA introduces complexities and friction for users who have to navigate additional steps to access their accounts. We all know that internal sigh we let out when we’re trying to log into an account and it pops up with “we’ve sent a code to +44 XXX XXX XXXX”.
So, although MFA is a critical component of modern cybersecurity, the search for more seamless yet secure solutions continues.
Passkeys: The Next Generation of Authentication
This is where passkeys enter the conversation. The term has been around for a little while now and although it hasn’t yet seen the widespread adoption that MFA has, big names in tech, such as Apple, have announced their intention to do away with passwords and adopt a passkey-only approach.
Unlike MFA, passkeys do not attempt to add additional layers of security onto passwords; they instead seek to completely replace them. Instead of memorising and managing a litany of passwords, users can authenticate themselves using a device they already have, such as a smartphone or a USB stick. Passkeys offer a much more user-friendly approach to security while maintaining a high level of protection. This approach not only eliminates a lot of the friction and room for user error that passwords and MFA create, but also mitigates the risk of phishing, man-in-the-middle attacks, and other common threats associated with traditional password systems.
As passkeys gain traction, businesses will need to adapt to this new approach and ensure their systems are compatible and that users are educated about the benefits and usage of this technology.
Towards Limitless Protection
Right now, the future looks bright for passkeys, but cybersecurity is not a stagnant concept. The back and forth between threat actors and security teams will no doubt continue on into the next generation, long after passkeys become obsolete.
It’s impossible to say what will follow, but we can expect the rise of AI and ML to play a vital role in the future of authentication. Additionally, biometric authentication, including fingerprint, facial recognition, and retina scans, is becoming more prevalent. These methods provide a high level of security by relying on unique biological traits that are difficult to replicate. As biometric technology advances, it will become an integral part of multi-layered cybersecurity strategies.
The evolution of cybersecurity from passwords to passkeys and towards limitless protection is a testament to the relentless pursuit of securing our digital world. At Touchdown, we are lucky to work with some incredible businesses right on the front line of this world and help them establish themselves as leaders in the field.