Cookie consent(s)
We use cookies to personalize content and ads, provide social media features, and analyze traffic. This is done only with your explicit consent. By clicking "ACCEPT ALL," you agree to the processing and sharing of your data with our partners for social media, advertising, and analytics, including in third countries in accordance with Art. 49(1)(a) GDPR and Art. 17(1)(a) FADP (Switzerland). There is a risk that your data may be monitored by authorities without legal recourse. You can change or revoke your consents at any time in the data privacy settings .
Data protection declaration | Legal notices
Settings

Cyber Security: The Two Keys to Greater Security

Author: Markus Strehlitz

Sep 18, 2024 Digitalization / Cyber Security

Password authentication involves risks and has become almost unmanageable for many users. But there are alternatives. Passkeys in particular offer more protection on the internet and are also user-friendly.

In our day-to-day life, we are confronted with a flood of passwords. It is not just when banking online or accessing the IT system at work that you have to authenticate yourself. Almost every online service and website you visit requires a login. And in the vast majority of cases, this is done in the traditional way: with a username and password. But as the number of passwords increases, so does the potential risk. Because this authentication concept has major weaknesses.
Often, people do not even follow the most important basic rules when dealing with passwords. Andy Schweiger, Senior Vice President for Global Cyber Security Services at DEKRA, explains what these rules are. “To be considered reasonably secure, passwords must be at least 16 characters long. And you should be using a different password for each account.” That makes one thing clear: “A password manager is essential for anyone juggling more than three accounts.”

Averting attacks from cyber criminals

But even if you follow these rules, password protection still offers a lot of weaknesses. In phishing, for example, cyber criminals try to obtain their victims’ access data by sending fake emails. These try to trick recipients into revealing their username and password.
But even with web services, sensitive information is not secure. Their databases can become the target of online attacks, leading to large amounts of access data falling into the hands of hackers. So-called brute force attacks pose a further threat: Hackers try all possible combinations until the correct password is found.

Two-factor authentication is secure, but complex

There are alternatives that can offer more security, however. These include two-factor authentication, as we know it from online banking. In addition to the password, another factor is required for authentication. This could be an additional one-time password generated by an app or a combination of numbers sent via text message. Access to the password alone is then no longer sufficient for criminals to gain access to the account. The disadvantage is that many smaller online services in particular do not yet offer such methods. On top of that, the registration process is somewhat more complex and time-consuming.
Multi-factor authentication involves a little more effort, but is also more secure. Here, additional factors are added when logging in. These could be biometric features, such as a fingerprint scan or facial recognition.
Biometric authentication on its own is also an alternative to password protection. After all, it is impossible to forget your physical characteristics and you always have them with you. But logging in with a fingerprint also involves risks, says Schweiger. “Theoretically, someone could copy a fingerprint that a user has left on their smartphone or another object and then use the replica to gain access to an account.”

No chance for phishing

This risk does not exist with passkey authentication, another alternative to the password concept. Here’s how it works: When registering or logging in to a service that supports passkeys, a key pair is created on the user’s device. The private key remains securely on this device – for example, a smartphone or computer. The public key is sent to the web service’s server. When the user wants to log in, the server sends an authentication request to the end device. The user approves the request using biometrics or the device PIN. The two keys can now be compared with each other and access is granted.
This method offers a whole range of advantages. There are no passwords, so they cannot be stolen. This means that phishing activities or data attacks pose no risk. The same applies to brute force attacks. In addition, passkeys are user-friendly because the user does not have to remember complicated passwords or deal with their administration. However, password managers can still be useful, for example by synchronizing passkeys across different devices.

New technologies take time

Major IT providers such as Apple, Google, and Microsoft already support passkeys. But beyond that, this method is not yet very widespread. Schweiger believes it always takes a certain amount of time for new technologies to become established. And both end users and companies are used to traditional password authentication.
The extent to which even more radical approaches, such as microchip implants or identification based on individual behavior patterns, could change authentication in the future is not yet foreseeable, says Schweiger. He believes that the use of passkeys is currently the most practical method.
The security expert recommends that companies look into this and other password alternatives. Companies can also receive support from DEKRA. The expert organization offers audits and risk assessments as well as employee training to educate about the risks of passwords and highlight the benefits of new technologies.
Show all articles