#GartnerSEC: Say Goodbye to Passwords, and Hello to Security Keys

If somebody’s personal device can recognize its user, and authenticate them securely to a remote resource, passwords can become a thing of the past.

These were the words of Google’s Christiaan Brand speaking at the Gartner Security & Risk Management Summit in London this week.

He explained that even the more sophisticated authentication techniques that rely on one-time passwords (two-step verification, for example) are still susceptible to real security issues, because they are phishable.

“If someone can phish you for your username and password, they can also phish you for your one-time password,” Brand argued.

So what’s the answer? Brand thinks it lies with security keys.

“Security keys were specifically designed to address the issues with one-time password-based two-step verification,” he said. “These devices act in such a way that they are inherently safe against phishing attacks.”

So, why are we not there yet? What’s holding us back from getting rid of passwords once and for all and implementing security keys in the mainstream?

For Brand, this comes down to three main hurdles that are yet to be fully addressed across the industry:

Does it work for mobile?
How do we deploy at scale?
What if the key is lost?

“These are all questions we have to answer,” he concluded.
