Could we live without passwords?
Geoff Schomburgk says many technology companies are trying to move towards a future without passwords, but is this a reality or is it still a long way off?
Can you imagine a future where we can be secure online without having to remember an unmanageable list of passwords? Many organisations in the technology sector are trying to move towards a future without passwords, but is this a reality or is it still a long way off?
The problem with passwords
For decades, passwords have been the primary method of authentication used to protect data and accounts from unauthorised access. However, there is still a huge problem associated with proper password hygiene.
With much of our personal and business lives now online, the average person has around 100 passwords according to recent research. It’s impossible for individuals to create unique and strong passwords for every single account, which is why many users end up adopting poor habits like re-using simple passwords across accounts, writing passwords on sticky notes, or saving passwords in online address books and unsecured files. In fact, the number one password of 2020 is still 123456.
Despite the best hygiene practices in the world, passwords still don’t cut it when it comes to security. When an account takeover occurs due to compromised credentials, every other account on which that password was reused is also vulnerable to a takeover. These passwords are also sold on the dark web, where hackers can leverage them for future phishing attempts and account takeovers, and generally wreak havoc on unsuspecting victims.
The bottom line is that we are relying on decades-old technology to secure our most sensitive data when security threats have evolved past their protection. So, despite the poor security and usability concerns, why are we still using passwords?
There is still a lot to like about passwords, so let’s not throw the baby out with the bathwater just yet. While passwords may offer poor security and usability, they remain widely used for a few key reasons: their portability, compatibility and interoperability. Passwords allow users to access any site, on any device, from any location, and the user experience never changes. Until we can provide an alternative solution that does the same, we will never be able to effectively eliminate passwords.
Is Multi-Factor Authentication enough?
First, there were usernames and passwords, and then came multi-factor authentication (MFA), which requires a combination of multiple forms of authentication to prove that you are who you say you are. This can come in the form of something you know like a PIN or password, something you have like a physical security key or a smart card, or something you are like a fingerprint or retina scan.
It’s important to note that not all MFA is created equal, which can leave users frustrated with the hindered user experience. In fact, most of the common MFA solutions deployed over the past 20 years — like SMS, email, and mobile phones — were not originally designed with superior security in mind. Instead, they were designed to offer a relatively simple user experience by tapping into technologies that most people already had access to like email and mobile phones.
Although any MFA is better than using none at all, most methods have their pitfalls. For example, SMS one-time codes are either hard or impossible to use if you’re in an environment that prohibits mobile devices or does not have any reception.
The way we should look at solving the password problem is through open authentication standards: FIDO2 (Fast ID Online) and WebAuthn (Web Authentication). These standards allow for interoperability at scale. Passwordless authentication can only be solved at scale, with strong phishing-resistant security and a seamless user experience, when it is natively supported by all leading operating systems and browsers and works across all modern devices.
How WebAuthn and FIDO2 prevent account takeovers
Stolen credentials and phishing attacks are the main causes of account takeovers and WebAuthn is able to successfully combat these types of attacks by relying on public-key cryptography with an elegant one-touch user experience.
WebAuthn was the first global standard for passwordless web authentication and is now supported by leading platforms and browsers. It is paving the way to a world of highly secure password-free authentication, all while being extremely easy to use.
With WebAuthn, users no longer need to rely on the weak security of passwords, nor put up with their poor user experience. At the same time, WebAuthn and FIDO2 deliver all of the portability, interoperability and backward compatibility that’s required to successfully eliminate passwords at scale. Going forward, users can expect services to offer WebAuthn strong authentication methods, including the option to use security keys or built-in platform authenticators, like biometric readers, to protect their online accounts. Microsoft’s Azure Active Directory is the latest major platform to enable passwordless login for its millions of users.
The future
Now is the time for our systems to evolve past the well-built 1960s veneer and develop a set of credentials assigned to us, by us, for us, or for our use, that is still part of an access solution framework. Instead of having one PC or mainframe, we now have thousands of apps, systems, websites, programs, ERP systems and so on, all grappling to understand who we are and whether we should be allowed access.
While unique and complex passwords created by users, stored in protected and secure password manager vaults, are a step in the right direction to secure access to valuable online accounts, it’s clear that we must find our way beyond passwords.
The journey to a passwordless future is a transition and it won’t happen overnight, but all things considered, we have a promising future ahead where the only “password” required for all of your devices and online accounts lives on your keyring and not in your memory.