Since the first operating systems, protecting computers and software through authentication has been the norm. The basic method for guaranteeing authorised access is the digital equivalent of a key: the password. This typed secret establishes who is accessing a particular account and has been central to software security for over 40 years.

However, as technology advances, new authentication methods have appeared in the form of passkeys and cryptographic authenticators. These new methods highlight why traditional passwords are flawed and why it might be time to explore other options that could positively affect digital transformation in Southeast Asia.

The issue with passwords

Passwords have always had several problems. First, they are susceptible to brute force attacks, in which an attacker tries candidate passwords (or username and password combinations) until one succeeds. Attackers automate this with tools that make thousands of guesses per second, usually starting from lists of common and previously leaked passwords rather than every possible combination, and if a site's password database leaks the guessing can be done offline against the stored hashes with no rate limit at all.

Secondly, poor password practices compromise many accounts. Personal information, simple sequences such as “1234567890” or “qwerty”, and other easily guessed values make accounts easy to break into. Password reuse is also a major problem, because one leaked password then unlocks every other site where it was reused, the so-called domino effect.

In the words of Ives, Walsch and Schneider, writing for the Association for Computing Machinery: “Users who reuse passwords often fail to realise their most well-defended account is no more secure than the most poorly defended account for which they use that same password.”

Finally, social engineering and phishing are other ways to obtain a password. By impersonating a legitimate service, for example with a look-alike login page reached from a convincing email or message, attackers get the unsuspecting victim to hand over their credentials willingly. A password offers no defence here: it cannot tell whether it is being typed into the real site or a copy.

Passwordless and multi-factor authentication 

Unlike a standard password login, which is based on what a user knows, passwordless authentication relies on something the user has or something the user is.

Examples of what a user has include a hardware token, a smart card, a passkey stored on a phone or security key, or a one-time link sent to a mobile device. Methods based on what the user is fall into the biometric category: facial recognition, a fingerprint, a voiceprint, or even a retinal scan grant access on the basis of a physical characteristic unique to the user.

Multi-factor authentication, or MFA, builds on the same factors: rather than relying on knowledge alone, it requires two or more independent factors. A website could keep the standard password but raise its security level by also asking users to click a link sent to their mobile device. This extra step combines knowledge and possession: the password the user knows and the device the user has. A login that drops the password and relies on a possession or biometric factor alone is passwordless; in practice the two approaches are often combined, for example a passkey on a phone that is unlocked with a fingerprint.

There are several benefits to migrating to passwordless authentication or MFA. The first is stronger security and a lower risk of account takeover and data breach: a randomly generated cryptographic credential cannot be brute-forced, chosen badly, or reused across sites, so the three password problems above largely disappear. One caveat is worth stating. A factor delivered out of band, such as a link or one-time code sent to a phone, can still be relayed in real time through a phishing page, because the user enters it wherever they are asked to. A passkey or cryptographic authenticator binds the credential to the site it was registered with, so a look-alike site cannot obtain a valid login even with the user's cooperation.
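To make the difference concrete, here is an added example, written for this page and not code from the original article, of how a relying party verifies a cryptographic authenticator such as a passkey. It uses only the Go standard library. The origins https://bank.example and https://bank-example.com, the type and function names, and the single-key authenticator are all assumptions; the flow is simplified from WebAuthn, keeping the three checks that matter: the assertion is signed by the registered key, it names the origin the browser was really on, and its challenge is fresh and single-use. It illustrates both the phishing attack described under "The issue with passwords" and the possession factor described above: the private key cannot be guessed, and a challenge relayed through a look-alike site is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// rpOrigin is the assumed origin of the relying party (hypothetical name).
const rpOrigin = "https://bank.example"

// clientData mirrors WebAuthn: the browser, not the user, records the origin
// the assertion is made for, and that origin is covered by the signature.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator is the "something you have": a device holding a private key
// that never leaves it (simplified here to one key for one relying party).
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Assert signs the client data for one login attempt. The origin is whatever
// site the browser is actually on; a user on a look-alike site cannot change it.
func (a *Authenticator) Assert(challenge, origin string) (cd, sig []byte, err error) {
	cd, err = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return cd, sig, err
}

// RelyingParty is the server: it knows the registered public key and which
// challenges it has issued but not yet consumed.
type RelyingParty struct {
	pub        *ecdsa.PublicKey
	challenges map[string]bool
}

var (
	ErrBadSignature = errors.New("signature does not verify under the registered key")
	ErrBadOrigin    = errors.New("assertion was made for a different origin")
	ErrBadChallenge = errors.New("challenge unknown or already used")
)

// IssueChallenge returns a fresh random nonce and remembers it; that memory
// is what makes a replayed assertion detectable.
func (rp *RelyingParty) IssueChallenge() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	ch := hex.EncodeToString(buf)
	rp.challenges[ch] = true
	return ch, nil
}

// Verify accepts an assertion only if it is signed by the registered key, was
// made for this origin, and carries a challenge that is fresh and unused.
func (rp *RelyingParty) Verify(cd, sig []byte) error {
	var c clientData
	if err := json.Unmarshal(cd, &c); err != nil {
		return err
	}
	digest := sha256.Sum256(cd)
	if !ecdsa.VerifyASN1(rp.pub, digest[:], sig) {
		return ErrBadSignature
	}
	if c.Type != "webauthn.get" || c.Origin != rpOrigin {
		return ErrBadOrigin
	}
	if !rp.challenges[c.Challenge] {
		return ErrBadChallenge
	}
	delete(rp.challenges, c.Challenge) // single use
	return nil
}

// Scenario registers one authenticator and runs three logins: a genuine one,
// one where a phishing site relayed the genuine challenge, and a replay of
// the first. It returns the verification result of each.
func Scenario() (legit, phished, replay error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	auth := &Authenticator{priv: priv}
	rp := &RelyingParty{pub: &priv.PublicKey, challenges: map[string]bool{}}
	ch1, _ := rp.IssueChallenge()
	cd1, sig1, _ := auth.Assert(ch1, rpOrigin)
	legit = rp.Verify(cd1, sig1)
	// The attacker fetches a fresh challenge from the real site and forwards
	// it, but the victim's browser signs for the look-alike origin it is on.
	ch2, _ := rp.IssueChallenge()
	cd2, sig2, _ := auth.Assert(ch2, "https://bank-example.com") // hypothetical phishing site
	phished = rp.Verify(cd2, sig2)
	replay = rp.Verify(cd1, sig1)
	return legit, phished, replay
}
```

Scenario returns nil for the genuine login, ErrBadOrigin for the phished assertion and ErrBadChallenge for the replay. Compare this with a one-time code sent by SMS: in the same relay scenario the victim types the code into the phishing page, the attacker forwards it, and the real site accepts it. A real authenticator goes one step further than this example by scoping each key to the relying party identifier, so a look-alike site would not even find a credential to sign with.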

Secondly, the overall user experience is smoother, as the user no longer has to remember a different password for every website. Companies also save costs by no longer needing to deal with lockouts, password resets, and the support load they generate.

Passwordless authentication in Southeast Asia

The ASEAN region stands to benefit from stronger authentication, as its smartphone user penetration rate is among the world's highest. Smartphone access to the internet opens the door to more eCommerce and digital services, but it is vital to keep user accounts secure, and the smartphone itself is the device that can hold a passkey or receive a second factor.

The region has suffered a series of recent breach-related incidents. One of the biggest was an alleged leak of data on over 13 million Malaysians involving Maybank, the satellite television company Astro, and the Malaysian Election Commission in December 2022. Another was the Indonesian SIM card data leak of September 2022, in which a hacker using the alias Bjorka offered 1.3 billion Indonesian SIM card registration records for sale, exposed weaknesses in the country's cybersecurity infrastructure, and shared private communications between the president and members of the Indonesian intelligence agency.

Safe authentication strategies should be a top concern for businesses. Instead of relying exclusively on what users know, authentication should include a factor based on what a user has or on a biometric. Multi-factor and passwordless authentication substantially reduce the risk of credential-based breaches and move the password out of the critical path.

Digital transformation in Southeast Asia would visibly benefit from an uptick in passwordless initiatives, supporting online commerce and helping to prevent the account takeovers and data breaches seen in previous years. A passwordless Southeast Asia is a safer Southeast Asia.