Authentication on PCs: Recommendations from Security Experts

Authentication is an important part of working on a computer, whether logging on, opening encrypted data or using web services like PayPal. Usernames and passwords still play an important role, even if many experts advise against using passwords as the only authentication method. Even approaches to passwords have changed over time. Until recently, experts recommended choosing complex passwords using special characters, numbers and uppercase and lowercase letters. However, many professionals now consider that complex passwords are inconvenient for users, especially if they must be changed frequently. Phrases such as a quote from a book or a sentence which is relevant to the log-in context are more meaningful for users. Such phrases can easily reach more than 20 characters and are nevertheless much easier to remember than complex, eight-letter combinations of letters and numbers.

While one or two complex passwords can still be memorized, most users cannot remember more than ten different passwords. In principle, a sufficiently strong password combined with a password manager is a good solution for most users. Password managers such as KeePass can handle an unlimited number of accounts, along with passwords and other relevant information. They can even enter stored passwords automatically in many applications. Using a password manager takes the hassle out of keeping track of many accounts, especially for people who find it difficult to remember passwords.

Many password-protected accounts also use security questions for additional protection. Examples of security questions include the make of a user’s first car, mother’s maiden name or pet’s name. With such information being potentially discoverable through social media accounts, it is better for users to suggest their own questions or deliberately provide a false answer. To deter social engineering attacks, users can enter another day for their date of birth or make up the name of their pet. Two-factor authentication is an even better solution. Services such as Google Authenticate use an app linked to the desired account to provide another code when logging in. In this way, access data are still secure even if the username and password have been stolen. Increasingly, service providers are using more complex authentication processes, such as entering a PIN code sent by SMS, or an additional e-mail with a confirmation link, if the registration is made from a new device or from abroad.

Biometric authentication has been considered as the gold standard of authentication for several years and it is sometimes difficult to believe that we are still relying on passwords for authentication. However, to date, hackers have always found relatively easy ways to copy the commonly used biometric features. Fingerprints, iris scanners, facial recognition, and speech analysis are either too easy to circumvent or too expensive for wide-spread use. Well-intentioned approaches often also turn out to be flawed. The face recognition feature of the new Apple iPhone, Face ID, is supposed to recognize the user’s face extremely reliably. But what if a thief or a police officer holds the device up to the owner’s face? The Face ID function can be switched off which may help if a user fears arrest or another compromising situation but it is then no longer a useful theft prevention measure.

One thing is clear: Passwords are technically obsolete but still necessary at the moment. Current adaptations can be made with minimal effort to ensure that passwords are still a secure method of authentication in the medium term.