Can Singapore become a password-free nation?
(Baonghean.vn) - No password is becoming a trend in countries around the world today. However, changing the mindset of users to trust passwordless verification methods is difficult. Many people still feel that passwords give them a sense of security.
Cybercriminals are becoming increasingly adept at stealing users' passwords. In fact, Brute Force attacks, a password cracking technique used by cybercriminals to crack weak passwords, have raised alarm bells for users.
Accordingly, a study shows that hackers can try 2.18 trillion password/username combinations in 22 seconds and if the password is simple, the account can be easily stolen. Another method that cybercriminals often use to steal user information is Credential stuffing, which means hackers will use leaked accounts and passwords to gain unauthorized access to user accounts through automated and widespread login requests.
In Southeast Asia, a report by Russian security software manufacturer and distributor Kaspersky showed that there were 47.8 million attacks targeting remote workers from January to June 2022, which means an average of about 265,000 attacks occurring every day.
Singapore, in particular, has seen a rise in such attacks. These include the phishing campaigns that OCBC Bank customers fell victim to last year, which cost victims more than S$8.5 million. Following the outbreak, authorities introduced new security measures including a ban on links in banking emails and SMS.
More recently, there has been an increase in unauthorized charges on debit and credit cards in the island nation. According to The Straits Times (Singapore), many unauthorized transactions have been reported. The Cyber Security Agency of Singapore stated that these small transactions may be used by cybercriminals to test or authenticate debit and credit card details before making larger transactions, and they advised consumers to set alerts for such transactions on their accounts.
Another recent cyber attack in Singapore involved national broadcaster Mediacorp. Reports indicate that around 14,000 users of Mediacorp’s meconnect account had to reset their passwords after their accounts were discovered to have been accessed by an unknown external party. These credentials were used to access Mediacorp services such as the meWatch streaming platform. Mediacorp has notified all affected account holders of the issue and reset their passwords.
Is it time to kill passwords?
According to David Hope, Senior Vice President of Asia-Pacific and Japan at San Francisco-based multinational identity and access management software company ForgeRock, the recent surge in unauthorized credit card charges and debits has highlighted the vulnerabilities associated with traditional password-based authentication systems. Therefore, Vice President David Hope believes that it is more important than ever to adopt passwordless solutions to ensure better safety and security.
“Digital identities are central to how we securely access services like online banking and retail. This shift, coupled with the amount of personal information used to access those services, has provided a larger digital surface area for cybercriminals to exploit. To optimize easy security and mitigate these cyber risks, organizations need to move away from passwords. They must embed smarter authentication and verification measures in their technology ecosystems to protect themselves and their users from fraud, while ensuring potential threats are easily identified,” said David Hope.
Passwordless authentication and other AI-driven threat protection solutions create more precise security measures to protect digital identities. Through this approach, organizations in Singapore can better navigate the growing number of attacks, improve user experience, reduce operational inefficiencies, and save costs from routine password resets.
“As Singapore continues to lead the way in digitalisation across the region, the need for secure access and authorised authentication will continue to grow and organisations must focus on improving their systems today to future-proof their competitive edge and protect their users,” added Mr David Hope.
What does passwordless authentication mean?
Passwordless authentication is considered the best method today to verify user identity without using passwords. Instead, passwordless methods use more secure alternatives such as biometrics.
To work, the authentication data (usually a biometric fingerprint or facial recognition) needs to match the data stored in a database. If biometrics are not available, a passcode or multi-factor authentication via a personal device can be used.
Multi-factor authentication on personal devices has been implemented by a number of financial service providers, whereby the user's identity is confirmed through fingerprint or retina scan on a mobile device.
To address this trend, the FIDO (Fast IDentity Online) Alliance was created to promote open authentication standards and reduce the use of passwords as a form of authentication. FIDO2 is the latest standard that incorporates the WebAuthn web authentication standard. FIDO allows users and organizations to leverage databases to log in to resources without the need for usernames, passwords, or application keys built into the device.
The challenges of going passwordless
Going passwordless presents a number of challenges that need to be addressed for a successful implementation. The most important of these is user adoption and habituation. As mentioned above, the shift from passwords to passwordless can be confusing for some users, especially older generations who are used to using passwords to log into applications.
Introducing new authentication methods can require a change in user mindsets to gain widespread adoption. Additionally, implementing passwordless solutions often requires significant changes to existing systems and infrastructure. Compatibility issues can arise when integrating with legacy systems designed to work with passwords, which can hinder the adoption of passwordless methods.
Passwordless authentication methods must also prioritize a seamless user experience while ensuring accessibility for users with disabilities. Balancing security requirements with ease of use and meeting the diverse needs of users can be challenging.
Another challenge is the process of recovering and managing accounts, which will be completely different. Instead of simply resetting passwords, organizations will need to develop alternative mechanisms for users to regain access to their accounts in the event of a lost device, biometric change, or other circumstances.
Can Singapore become a password-free nation?
With the existing domestic infrastructure, implementing passwordless systems would be complex. However, with the synchronous connectivity and rapid digital development, implementing solutions to become a passwordless nation can certainly become a reality in the future in Singapore.
The only question now is whether the public is ready for such changes? While some forms of passwordless authentication are already widely deployed, it may take some time before this new approach is widely accepted.