[World Password Day] Get rid of all passwords now

[Photo: Getty Images Bank]

World Password Day is celebrated on the first Thursday of May every year. World Password Day is a celebration that began in 2013 under the leadership of Intel Corporation and was created to raise awareness of the importance of strong passwords in protecting various services and digital devices.

According to Intel, for the past 60 years, passwords have been used as an analog method for users to authenticate usage rights across various devices and services. You can use these passwords to unlock your smartphone or log in to portal sites, as well as to access critical business systems.

But the security industry says passwords are no longer secure. Hackers use phishing or information-stealing emails that target user IDs and passwords. In addition, hacking techniques such as brute force attacks, which enter IDs and passwords at random, and dictionary attacks, which sequentially enter predefined strings, are now automated. According to Microsoft, password attacks have doubled in the past 12 months, with 921 attacks occurring every second.

To combat these attacks, users are advised to use passwords that combine upper- and lower-case letters, numbers and special characters. Because such passwords are difficult to memorize, however, many users simply add numbers and exclamation marks to a simple sentence. Ironically, the complexity meant to strengthen security makes the password weaker.

In particular, leaked usernames and passwords circulate on the dark web, and hackers who obtain them attempt to log in by trying various combinations of usernames and passwords. This is called a credential stuffing attack. If a user has the same username and password on other services, the compromise of a single service can lead to many other services being hacked.

According to Apple, password-only authentication is one of the biggest security issues in the Internet environment, and users often reuse the same password across online services because managing multiple passwords is difficult. These practices lead to account takeovers, data breaches, and even identity theft.

Two-step authentication draws attention as a representative way to protect passwords

Threat intelligence firm Mandiant has recommended multi-factor authentication (MFA) as a way to protect passwords. Multi-factor authentication or two-factor authentication (2FA) is a security technology that uses means other than initial authentication via a username and password to perform additional authentication.

In the authentication security industry, authentication methods are broadly divided into knowledge-based, ownership-based, and resource-based authentication. Knowledge-based authentication relies on information the user already knows, such as the logins, passwords, and patterns we normally use.

Ownership-based authentication is an additional authentication method that uses a device the user owns. A typical method is to run an application (hereinafter, app) installed on a smartphone to authenticate during login, or to enter a six-digit code received by SMS.

Resource-based authentication uses a user’s biometric properties for authentication; fingerprint and facial recognition are typical. With facial recognition, there were cases in the past where a picture could not be distinguished from a real face, but recently it has become common to increase recognition accuracy by using a 3D camera or by pairing the camera with an infrared sensor.

The popularity of smartphones has made this method of authentication easier to use. The smartphone’s built-in camera or biometric sensor can be used for authentication. In particular, two-step authentication tied to an authentication app installed on a smartphone can combine knowledge-based, ownership-based and resource-based authentication.

Login without password, safer and faster

Apple, Google and Microsoft announced on May 5 (local time) that they are expanding support for the passwordless login technology standard developed by the FIDO Alliance. With this technology, users enter a long and complex password once and can then log in easily through an authenticator app or similar, without entering a password again. For example, when logging in, you can launch the app and enter the QR code that appears on your computer screen, or have the app recognize your fingerprint.

In the future, users will be able to log in to all three companies' apps and services regardless of device, platform or web browser. For example, you can log in to the Google Chrome browser running on Windows through an authenticator app installed on the iPhone.

This built-in authentication feature is expected to be introduced early next year. Microsoft expects this type of connection to provide users with a secure and consistent authentication experience.

“A complete transition to a passwordless world starts with users naturally accepting passwords as part of their lives,” said Alex Simmons, vice president of authentication program management at Microsoft, which has made significant progress in removing passwords. “FIDO-based credentials will be widely used by consumers and business customers.”

“This collaboration is an industry-wide vision to improve online user protection and eliminate outdated password-based authentication methods,” said Mark Richer, senior director of product management at Google and the FIDO Alliance. FIDO Explains- Cross-platform technology including Chrome, Chrome OS, and Android is actively used and offered by app and website developers, and users around the world are aware of the dangers of passwords. We hope you can safely escape the inconvenience.

© “Global Economic Daily in 5 languages” Ajou Economic Daily. Unauthorized reproduction and redistribution prohibited
