Andrew Shikiar, Executive Director, FIDO Alliance
The 1st of August is World Wide Web Day, when we celebrate the internet and the wealth of benefits it has brought to our lives. From connecting people around the world to driving commerce and bringing information to our fingertips, the web has made life easier and more convenient for billions worldwide. However, as we commemorate World Wide Web Day, we must also remember our responsibility to strive to keep the internet safe and secure for all so that we may continue to reap value from it for years to come.
Today, many websites still rely on passwords for authentication. The core of the problem is that passwords are not secure. Knowledge-based credentials such as passwords are human-readable and can be hacked, stolen, and manipulated by cybercriminals through methods like phishing, credential stuffing, or sheer brute force. Users’ poor cybersecurity practices further exacerbate this issue. For example, a study by Princeton University revealed that 75% of the world’s most popular English-language websites still allow people to choose the most common passwords such as “abc123456” and “P@$$w0rd”.
For an added layer of security, many organisations have adopted multi-factor authentication (MFA), such as SMS OTP. While this is certainly better than passwords alone, OTPs share a common trait with passwords: they are knowledge-based “secrets” that can be pried out of users’ hands by enterprising hackers. For example, techniques like SIM swapping allow hackers to get the SMS OTP sent to their own phones instead of to the intended recipients.
Hence, as the internet grows more sophisticated, so must its authentication methods if they are to address today’s online threats effectively. Cryptographically secure, possession-based authentication needs to be the preferred path forward, including on-device biometrics or physical security keys that are resistant to remote attacks.
Open industry bodies such as the FIDO Alliance and the World Wide Web Consortium (W3C) have standardised such authentication technologies over the past years, resulting in support for these modern authentication solutions in virtually every leading web browser, device, and operating system. Through these efforts, we aim to continue to guard the World Wide Web against threats and keep it secure.