The metaverse is all the buzz. Users are betting on a virtual reality world where they can interact and experience things as they would in the real world. While the metaverse promises to replicate real-life elements, one aspect that cannot be ignored is the privacy and security challenges that the digital space brings with it.
As the online and offline worlds collide, many are excited at the metaverse’s tremendous technological potential in terms of changing traditional finance, experiential e-commerce and gaming, but some are worried about the potential costs users will have to pay for the privilege.
In today’s column, we discuss the future of passwords in the metaverse. Before we delve into the topic, here’s a quick round-up of the metaverse. It is a concept coined by sci-fi writer Neal Stephenson in his 1992 novel Snow Crash. In short, the metaverse is a blend of offline and online experiences in an interactive digital space, where social interactions and transactions can occur simultaneously.
Cybercrime and metaverse
Like social media, the metaverse is prone to cyber-attacks, including phishing and ransomware attacks, among others, according to a new report by Ermes, an Italian company that applies artificial intelligence to cybersecurity. In its report, the company identifies the main forms of cybercrime risk in the metaverse:
#Information theft: Users could unknowingly share their sensitive data directly with a hacker, putting their real-life assets at risk.
#Identity theft: Theft of the user’s avatar, which would lead to the hacker being recognised as the true owner and able to perform the relevant malicious actions.
#Cryptocurrency theft: Users could be robbed of passwords to their crypto and NFT wallets, and keys to access their avatars in the metaverse.
The big question
“With the advent of social media and the explosion of various platforms, including now Metaverse, the world is also dealing with: how do we really know who’s sitting on the other side of a metaverse? And is it the person who he or she claims to be? Or is it even a real person?” asked Siddharth Gandhi, Chief Operating Officer, 1Kosmos, a cyber security firm dealing in password-less authentication.
We’ve been hearing about Elon Musk’s move to take over Twitter, and one of his key questions is how many bots are on the other side. Musk has talked about identity-based verification not once but several times. “…that’s where the whole genesis of even the password-less requirements starts off, that you’re asking the person who’s logging in to social media, or Metaverse to prove who they are before they can log in and that’s where password-less authentication comes into play,” said Gandhi.
With major tech companies now believing in a passwordless future, this could all be set to change. For example, Apple, Google, and Samsung have introduced biometrics for users, and this will eventually spread out to other services on those devices.
Password-based authentication will be a flawed and cumbersome method of security in the metaverse compared with newer ones like biometrics. Big tech companies have realized that there needs to be a push towards a future without passwords. Otherwise, they are just making life easy for cybercriminals, whose technology is also improving.
In the metaverse, users would simply use biometrics to log on at the first point of entry. From there, they would be able to move around with no problems. “At any given point in time if you have to enter a secure perimeter, whether it’s in the virtual world or the physical you need to enter your username and password or an additional multi-factor authentication which is an OTP.” But this is not how you will enter the metaverse. “… what we want to try and bring in is that each one of us has a unique individual, biometric—a fingerprint, face ID, or Live ID where we are asking the person to take a selfie and show real features of the person to be able to log in. So it’s pretty simple, yet extremely powerful,” Gandhi adds.
This could be possible via something called BlockID.
For instance, when a data breach occurs, one of the key things a hacker looks for is the user’s credentials. Once they have them, they access the central database and take away the data that is there, whether it’s their IP address or sensitive information about the users. “The beauty of BlockID is that it is based on blockchain. So there is no centralised database where the user is in control of his or her identity. All the transactions that are there in terms of authentication against old on the blockchain are in encrypted form. So neither does the enterprise and neither do we as a service provider, can access that information. Right. So it’s completely secure on the distributed ledger,” he noted.
Password-based authentication is so deeply rooted in the internet that it almost seems impossible to imagine a world without passwords. However, with the emergence of the metaverse and blockchain technology, this could be a perfect time to eradicate passwords once and for all, thereby making the virtual space safer for everyone.