Market View: The future of passwords

This article continues our market view series, where we look into the macro and micro-environments, the politics, economics, trends, and technological advances that create the opportunities and challenges that we need to navigate in our market.

Passwords are an ancient concept – Polybius (200 – 188 BC) wrote of their use in the Roman military, and Fernando Corbató introduced them to computers in 1960 to protect files on shared computers at MIT.

Passwords are inherently flawed. People use simple passwords that can be guessed (or easily cracked by a computer), and people often re-use passwords that, once cracked or exposed in a data breach, provide bad actors with the keys to the kingdom. Additionally, the threat of phishing or password exposure through social engineering is ever-present.

At Atmail’s team conference in 2020, I stated that traditional passwords would die within five years. This statement felt like a bold call at the time, and colleagues (quite rightly) challenged me on it – too many people and systems appeared entrenched in the traditional authentication model. But after recent movements in the market, this time frame now feels optimistically “on track”.

Google has been working on passwordless tech since 2008, and Microsoft started supporting passwordless logins last year, so what’s changed?

The FIDO Alliance has been developing the standards for a passwordless future for a decade. In March, they announced a methodology to store cryptographic keys and sync them across multiple devices. In May, Apple, Microsoft, and Google stated their support for the FIDO standards, and in June, Apple announced at WWDC that they intend to launch PassKeys in iOS16 and macOS Ventura.

Apple’s PassKeys will leverage the device’s biometric capabilities to replace passwords. First, the device will scan your face or fingerprint to verify that you are you; then, it will use public-key cryptography to generate a key-pair. The private key will be stored on your device (and will sync across your devices using iCloud Keychain), and the public key will be stored on a web server. Third-party websites and applications use that stored public key to verify a signature produced by the private key on your device, and grant access when it checks out.

PassKeys will vastly improve the user experience. A user will simply authenticate using Face ID or Touch ID and be logged in. But it also significantly changes the threat landscape. PassKeys should eliminate password cracking and simple, easy-to-guess passwords. Without a stored password to steal, PassKeys should also mitigate some of the threats associated with data breaches. Finally, PassKeys should also mitigate standard phishing techniques as we know them today (but I expect this to be short-lived – with phishing to evolve accordingly).

PassKeys are one implementation of the FIDO Alliance standard. We should expect sufficient interoperability across ecosystems if Google and Microsoft continue to adopt and adhere to the standard. At this point, the traditional password will rapidly become a thing of the past.

Atmail are proactively planning and designing for a passwordless future.


General Interest Tech News

  • In an important win for personal privacy, users can now ask Google to remove personally identifying information, such as phone number, email, or address from search results. (Read more)
  • Apple are believed to be developing their own proprietary 5G modems, which may allow Apple to pair them with the A-series chip in iPhones in a way not possible with the current Qualcomm chip – resulting in a faster, more efficient, and more capable device. (Read more)
  • Broadcom made an unsolicited offer to acquire VMware for US$61B. Brian Madden leverages his insights to rip into the deal and what this means for the future of VMware. (Read more)
  • In support of Australia’s continued decarbonisation, Mike Cannon-Brookes has successfully blocked AGL’s demerger, resulting in a renewed board of directors. (Read more)
  • Lookout, Inc. acquires SaferPass to add password management functionality to its suite of security solutions. (Read more)
  • Google benches an engineer who claims its A.I. is sentient. (Read more)
  • A newly discovered attack vector in M1 chips allows the CPU’s Pointer Authentication Codes (PAC) (designed to defend against malicious code injection) to be bypassed. The flaw cannot be patched. (Read more)
  • The United States moves closer to a unified, national privacy law. (Read more)
  • Apple plan to release Private Access Tokens (PAT) that can prove when an HTTP request is coming from a human instead of a bot. This will significantly improve the user experience over CAPTCHA, which requires the user to take action (and time) to complete. (Read more)
  • The success of StarLink in Ukraine has China assessing risk levels and possible countermeasures. (Read more)
  • Quaise Energy plans to use X-rays to melt rock and capture geothermal energy – with the goal of meeting global energy needs for millions of years. (Read more)

Industry News

  • French operator La Poste fell victim to a ransomware attack in early July, with more than 500,000 customer email addresses and sensitive personal information captured. (Read more)
  • AOL calls end of life for love.com emails and has partnered with ShuttleCloud to help migrate users to other platforms. (Read more)
  • Google backflips on closing G Suite Legacy accounts – opting to continue to offer a free Google Workspace tier for personal users. (Read more)
  • Further fuelling my belief that Apple is the #1 competitor to telco consumer business, it’s rumoured that Apple have engaged ShuttleCloud to provide simple options for migration to iCloud email from external providers like Gmail.
  • In recognition of their broader suite of products beyond mail, and aspirations for the future, ProtonMail have rebranded to Proton. (Read more)
  • While not “news”, it is promising to see more scrutiny of the role Google play in enabling spoofing with their insecure SMTP relay configuration. (Read more)
  • Apple will support “undo send” with email in iOS16. (Read more)
  • Google plans to change spam filter settings, to support the delivery of political campaign email to user inboxes. (Read more)
  • Vade Secure(s) €28M in funding from VC firms and the French government to drive product enhancements and international expansion to key markets, including North America and Europe. (Read more)
  • Cyren divests its legacy Secure Email Gateway business to Content Services Group GmbH for €10M in cash. (Read more)
  • Vivaldi browser launches v1 of its inbuilt email client. (Read more)
  • Apple will support BIMI in iOS16 and macOS Ventura. (Read more)
  • IDC predict a compound annual growth rate of 12.6% for spending on cloud infrastructure services to reach US$133.7B (or 68.6% of all compute and storage infrastructure spending) by 2026. (Read more)
  • Gmail’s redesigned interface is now rolling out to all users as the default. (Read more)
  • Microsoft suffered an outage for Teams and Outlook in June. Microsoft continues to investigate ongoing service degradation in mid-July for outlook.com and Exchange Online users. (Read more)

Synacor Zimbra

  • Human error contributed to an outage impacting millions of mailboxes – an errant command caused both the active and failover firewalls for Zimbra Cloud to become inaccessible. (Read more)
  • Hacker News reported a new vulnerability in Zimbra Collaboration Suite where pre-authentication remote code execution on a vulnerable instance gives the attacker complete access to the email server. (Read more)
  • Zimbra released a patch (8.8.15 patch 32 and 9.0.0 patch 25) that introduced a defect significant enough that Zimbra withdrew the patch from general availability to prevent users from installing it. In the process of withdrawing the patch, Zimbra broke everyone’s ability to either install the product or update to another patch. This coincided with the news of a new security vulnerability – leaving customers unable to apply patches to secure their installations. (Read more)

Synchronoss

  • Synchronoss announce support for Alibaba Cloud and Google Cloud. (Read more)
  • “Few companies have specialized in value destruction quite as spectacularly as Synchronoss” writes Iain Morris. (Read more)
  • The U.S. Securities and Exchange Commission (SEC) has fined Synchronoss and senior employees $12.5M for account-related misconduct. (Read more)

Open-Xchange

  • OX partner with DotAsia to offer discounts to SMEs registering a .asia domain to access the OX Cloud. (Read more)
  • No other notable updates this reporting period.

Atmail

We set ourselves the goal of achieving a Recovery Time Objective (RTO) of zero for our cloud services. Email plays a critical role in our lives and it is important that we ensure a fast recovery and seamless failover to a live, synchronous copy of the data in the event of a failure. 

I am very pleased to report that our engineering team have achieved an RTO of zero. In the process, we transparently migrated more than one BILLION emails on our cloud services in Europe, Asia, and the USA to a new architecture with a stateless mailstore. By design, stateless storage means we are synchronously backing data up, rather than following the traditional back up at / restore to a “point in time” approach.

As always, please contact me if you would like to discuss any of the above in more detail.

August 11, 2022