The username/password combination is an identification method that is over 50 years old – why are we still using it today, when there are many superior solutions available?
Login failed, please check your username and password. Login failed, please check your username and password. Login failed, please check…
Every one of us has experienced this frustrating situation. With the rapid development of technology and global digitalization, a growing portion of our daily actions happen in ways that require registering for and logging in to a service. For most people, this also applies to work.
During a typical workday, we are constantly logging in to various services and platforms such as e-mail accounts, CRMs, ERPs, etc. To get access to any of these, identification is required from the user. To this day, the most common method for identification is still the combination of a personal username and password.
The combination of username and password as a method of identification has been around for over 50 years. During this time, technology has developed at an accelerating pace, so it seems strange that we still use this ancient relic of identification methods on a daily basis. Using usernames and passwords would be easier to justify if the method offered a pleasant user experience or a high level of security – but it doesn’t do either of these.
For the method to be even somewhat secure, the passwords a person uses would have to be structurally strong, and the same credentials should not be used in multiple locations. The fact that the average number of passwords for a single person has risen from tens to over a hundred makes this kind of inconvenient. Not many people want to, or are even able to, remember hundreds of unique usernames and passwords. When there are many far superior ways of identification available, wouldn’t it be high time to let the good old username/password retire at last?
Password Management Software is a popular way of getting rid of having to remember numerous usernames and passwords by heart. This type of software stores a user’s passwords in an encrypted database. The user can then access all the stored passwords by using a single master password. Some Password Management Software works on a single device, but most products utilize cloud technology to store the passwords, enabling access to the stored information with any device in case the original device breaks down or is lost.
Password Management Software offers great benefits for its users, but it also has significant downsides. Many of these products offer a free-to-use version, but these often come with limitations, for example on the number of stored passwords. In most cases, to gain full access to all the features, the user has to pull out a credit card and subscribe to a monthly payment plan. Even with the full versions, using a single piece of software to store all your passwords isn’t always possible. Many companies strictly define which software their employees must use for work-related password management.
So, in the end you still have to remember multiple passwords in order not to have to do so. Another thing to consider when using Password Management Software is security – in the case of a security breach, large amounts of personal identification data can end up in the wrong hands at once.
Many internet browsers and, for example, Apple’s operating systems offer password managers as a built-in feature, but the use of these solutions is usually limited to that specific platform only. The most popular universal Password Management Software includes LastPass, KeePass, 1Password and Dashlane.
Another popular method to use instead of just the traditional username/password combination is Multi-Factor Authentication (MFA). When using MFA, the user has to provide an additional piece of identification evidence besides a username and password to be granted access. The additional evidence can be, for example, a physical object only the user possesses, or a one-time security token generated by a smartphone application. Using MFA eliminates the possibility of unauthorized use with username and password alone, thus providing added security.
The downside of MFA is the poor user experience – the identification takes a lot more time, and the user always has to have the additional identification evidence with him. If the object used for identification is lost, or the battery of the user’s smartphone dies, for example, logging in is not possible.
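As an added illustration (not code from the original post or from any product it mentions), here is how a server can check the one-time token generated by a smartphone application, using the standard TOTP algorithm from RFC 6238. The `user` record layout, the one-step drift window and the scrypt password hash are assumptions made for this example.

```javascript
// Added example: RFC 6238 TOTP (HMAC-SHA1, 30 s step) as the second factor.
const crypto = require('node:crypto');

// HOTP per RFC 4226: HMAC over the 8-byte counter, then dynamic truncation.
function hotp(secret, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac('sha1', secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const code = (mac.readUInt32BE(offset) & 0x7fffffff) % 10 ** digits;
  return String(code).padStart(digits, '0');
}

// TOTP: the counter is the number of 30-second steps since the Unix epoch.
function totp(secret, unixSeconds, digits = 6, step = 30) {
  return hotp(secret, Math.floor(unixSeconds / step), digits);
}

// Server check: accept the current step and one step either side for clock
// drift, compare in constant time, and refuse a step already used (replay).
function verifyTotp(user, submitted, unixSeconds, step = 30) {
  const now = Math.floor(unixSeconds / step);
  const given = Buffer.from(String(submitted));
  for (const c of [now - 1, now, now + 1]) {
    const expected = Buffer.from(hotp(user.secret, c));
    if (given.length === expected.length && crypto.timingSafeEqual(given, expected)) {
      if (c <= user.lastUsedStep) return false; // one-time: no reuse
      user.lastUsedStep = c;
      return true;
    }
  }
  return false;
}

// Login needs both factors; a correct password alone is not enough.
// `user` is a hypothetical record: { salt, passwordHash, secret, lastUsedStep }.
function login(user, password, code, unixSeconds) {
  const hash = crypto.scryptSync(password, user.salt, 32);
  const passwordOk = crypto.timingSafeEqual(hash, user.passwordHash);
  return passwordOk && verifyTotp(user, code, unixSeconds);
}
```

The same structure also shows the downside described above: without the device that holds `secret`, no valid code can be produced and the login fails.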
The third alternative for replacing the numerous usernames and passwords is AD Authentication (Active Directory Authentication), which is a technology based on the OAuth 2.0 Open Standard. To put it simply, AD Authentication is a service that stores the identification and access information of an organization in a single database.
When using AD Authentication, the user does not communicate directly with a service while logging in – the communication happens through a trusted third party called the Key Distribution Center (KDC). The KDC utilizes a combination of short- and long-term Security Keys to verify the identity of both parties (the User and the Service) before allowing them to connect. In addition to a high level of security, AD Authentication also provides an improved user experience with a feature called Single Sign-On (SSO). SSO utilizes AD Authentication technology so that the user only has to log in once – after the initial login, the user is granted access to several different locations and services without having to provide identification again.
Bluugo’s Tracking Cloud™ platform has a built-in API for Microsoft’s popular Azure AD service. This makes logging in to Tracking Cloud™ fast, easy and secure by utilizing the authentication service already used by numerous companies – no need for another password!
Earlier this year, the World Wide Web Consortium (W3C) formally promoted the WebAuthn (short for Web Authentication) API to the title of Official Web Standard for identification. The goal of WebAuthn is to replace the traditional username/password combination in web environments by allowing web pages to communicate directly with devices used for identification. Identification methods supported by WebAuthn include, for example, USB FIDO keys and biometric methods such as fingerprint identification. Most web browsers, including Chrome, Firefox, Edge and Safari, already support the WebAuthn API and the rest will follow soon.
WebAuthn makes identification much more user-friendly – the process only takes a couple of seconds and the user doesn’t have to type in usernames or passwords. The security is also on a totally different level than with the traditional username/password combination: WebAuthn utilizes asymmetric Public/Private Key technology, which means that the user does not hand over his identification information directly to the service in question at any point. This greatly increases security against data breaches and phishing, which have been on the rise for the past couple of years.
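The public/private key exchange described above, as an added example that is not part of the original post and is not Tracking Cloud™ code. It is a simplified model of a WebAuthn login run in Node.js rather than in a browser; the relying-party ID, the origins and all function names are assumptions, and real WebAuthn adds attestation, credential IDs and signature counters.

```javascript
// Simplified model of a WebAuthn assertion (added example, not the full spec).
const crypto = require('node:crypto');

const RP_ID = 'login.example';            // assumed relying-party ID
const ORIGIN = 'https://login.example';   // assumed legitimate origin
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the private key stays on the device; the server stores only the public key.
function register() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { authenticator: { privateKey }, serverRecord: { publicKey } };
}

// Browser + authenticator: the browser, not the page, writes the origin into
// clientDataJSON; the device signs authenticatorData || SHA-256(clientDataJSON).
function signAssertion(authenticator, challenge, browserOrigin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: browserOrigin,
  }));
  const flags = Buffer.from([0x05]); // user present + user verified (e.g. fingerprint)
  const authenticatorData = Buffer.concat([sha256(RP_ID), flags, Buffer.alloc(4)]);
  const toSign = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData,
           signature: crypto.sign('sha256', toSign, authenticator.privateKey) };
}

// Server: check type, challenge, origin and RP ID hash, then the signature.
function verifyAssertion(serverRecord, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'bad type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'bad challenge';
  if (client.origin !== ORIGIN) return 'bad origin';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'bad rpId';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, serverRecord.publicKey, a.signature) ? 'ok' : 'bad signature';
}

// Constructed scenario: a good login, a look-alike origin, a replay, and tampered data.
function demo() {
  const { authenticator, serverRecord } = register();
  const challenge = crypto.randomBytes(32);
  const good = signAssertion(authenticator, challenge, ORIGIN);
  const lookalike = signAssertion(authenticator, challenge, 'https://login.example.attacker.test');
  const tampered = { ...good, authenticatorData: Buffer.from(good.authenticatorData) };
  tampered.authenticatorData[32] ^= 0x04; // flip the user-verified flag after signing
  return { good: verifyAssertion(serverRecord, challenge, good),
           phished: verifyAssertion(serverRecord, challenge, lookalike),
           replayed: verifyAssertion(serverRecord, crypto.randomBytes(32), good),
           tampered: verifyAssertion(serverRecord, challenge, tampered) };
}
```

A leak of `serverRecord` exposes only a public key, which cannot be used to log in, and an assertion produced on a look-alike site or captured earlier is rejected before the signature is even checked.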
Bluugo’s Tracking Cloud™ platform supports the WebAuthn API, making logging in to the service fast, easy and secure by utilizing fingerprint identification. The benefits of fingerprint login are highlighted especially when Tracking Cloud™ is used with mobile devices – field personnel can easily log in to the system without having to type usernames or passwords, which can be very frustrating with the small keypads of smartphones. In order to avoid having to type in their usernames and passwords repeatedly, people are often tempted to save their credentials in the smartphone’s memory. This is a bad practice that can lead to serious security hazards in case the device is lost. With WebAuthn Fingerprint Identification, logging in to Tracking Cloud™ only takes a few seconds while making unauthorized use extremely difficult.
The newest addition to the identification technologies supported by Tracking Cloud™ is Apple’s FaceID facial recognition. The support for FaceID in WebAuthn authentication was added in the latest version of Apple’s Safari browser.
FaceID enables identification and logging in to Tracking Cloud™ by simply looking into the front camera of your device briefly, without the need for usernames, passwords or traditional multi-factor authentication (MFA) methods.
“The technology that enables Face ID is some of the most advanced hardware and software that we’ve ever created. The TrueDepth camera captures accurate face data by projecting and analyzing over 30,000 invisible dots to create a depth map of your face and also captures an infrared image of your face. A portion of the neural engine of the A11, A12 Bionic, A12X Bionic, and A13 Bionic chip — protected within the Secure Enclave — transforms the depth map and infrared image into a mathematical representation and compares that representation to the enrolled facial data.”
The benefits of facial recognition identification are mostly the same as with fingerprint identification and are highlighted especially when used in field work environments and mobile devices. The identification is lightning-fast, highly secure and effectively prevents the misuse of a lost or stolen device.
Check out the video below to see how fast & easy logging in to Tracking Cloud™ is using the WebAuthn Fingerprint Identification. If you want to hear more about our solutions, fill in your contact information or give us a call – we’re happy to tell you more.
This blog was originally published on 16.05.2019. Edited on 18.01.2021.