Passwords – we struggle to remember them but we can’t live without them. Or can we? A growing movement towards passwordless authentication – in which biometrics such as fingerprints or pin numbers stored on a device – is gaining traction.
Yet passwords remain a ubiquitous part of life, from consumers accessing online services to employees logging into IT systems and email.
Passwords in their analogue form have been used since antiquity, with Roman soldiers barring entry to those without the secret key phrase. Fast forward to 1961 and MIT professor Fernando Corbató used a password on an electronic computer for the first time in recorded history.
As the internet morphed over the following half-century into the juggernaut it is today, those strings of text became the primary entry method.
But there’s a problem. Passwords are designed to keep us secure, yet they are often a weakness to be exploited by cyberattackers.
Much of the problem stems from the way we use them. We pick passwords that are weak, which makes them possible to guess. We reuse the same password across multiple services, which makes accounts more vulnerable. We share passwords, write them on sticky notes, and leave them unchanged for years.
“We wouldn’t be in this mess if people didn’t use superhero and pet names as their passwords,” says Jake Moore, cybersecurity specialist at internet security company ESET.
That’s before considering technologies designed to steal our passwords such as keystroke loggers, or spoofed emails harvesting credentials from fake login pages. Further still, the databases on which organisations store user passwords are often susceptible to hacking, which in turn leads to brute force attacks in which software matches email addresses with previously stolen passwords.
Taken together, it isn’t hard to see why Verizon’s annual Data Breach Investigations Report has consistently found passwords to be the root cause of more than 80% of data breaches.
These breaches can have devastating real-world impact, as demonstrated by the SolarWinds attacks and the Colonial Pipeline hack – both of which involved password compromise – causing billions of dollars in damage.
And aside from the security pitfalls, remembering passwords can be plain annoying.
“It’s not just that [passwords] are a pain in the ass, because they are,” says Thomas Jermoluk, CEO and co-founder of Beyond Identity, an identity access management startup. “You can’t remember them, websites are constantly asking you to change them, so you write them down or reuse them for other accounts – a real pain.”
Solving the passwordless authentication problem
The password problem has been discussed for some time. In 2004, speaking at the RSA security conference, Microsoft founder Bill Gates said: “There is no doubt that over time, people are going to rely less and less on passwords”. He added that passwords “just don’t meet the challenge for anything you really want to secure”.
Many have called time on the password, yet it remains a central component of business and consumer security. Why?
The internet is a mishmash of standards and protocols, which in turn are built on top of another mishmash that was mashed together decades ago. Creating a new standard that everyone agrees to use is no easy feat.
However, it is a task that the Fast Identity Online (FIDO) Alliance is tackling head-on by developing free and open authentication standards to replace pesky passwords.
These specifications, known as WebAuthn, are for servers run by other companies, which allows interoperability among vendors.
“There’s no alternative standard to this. You can run your own, but to do it at scale you need to have a standard to be a part of the DNA of the web,” Andrew Shikiar, executive director at the FIDO Alliance, tells Verdict.
Think Bluetooth connectivity standards – but for authentication.
The non-profit’s specifications are based on public key cryptography. A string of numbers and letters known as a private key remains on a person’s device and through complex mathematics “speaks” to a public key held by the service being logged into, proving the user is who they say they are.
The private key can only be unlocked after the user unlocks the device using biometrics, such as a fingerprint or face scan, or pin code such as one used to unlock a smartphone. A separate authenticator device can also be used.
It is this process – known as device-based authentication – that replaces entering a password into a website or app. And because the private key and biometric data never leave the device, there is no chance for server-side interception.
A way to do advanced crypto without knowing advanced crypto
FIDO is providing off-the-shelf cryptography for device-based authentication that developers can build into their login processes.
“Web developers generally treat authentication as an afterthought,” says Shikiar. “I don’t mean that in a disparaging way, but advanced cryptographic authentication is very difficult. What FIDO does is allow them to do advanced crypto without having to know advanced crypto. And that’s a really powerful thing.”
In 2019 the World Wide Web Consortium (W3C), the web’s main standards organisation, published FIDO’s WebAuthn Level 1 standard in a landmark moment for passworldess authentication. It is now supported in all the key browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari.
So why are passwords still so prevalent? Shikiar says it is a two-part challenge – the technical aspect and usability.
The usability challenge is one that might seem easier to hurdle than the technical side. But old habits die hard and passwords are ingrained into the sign in processes we use each day.
“You intuitively look for that dialogue box, the username and password box,” says Shikiar. “There’s a lot of learned behaviour that needs to be modified.”
To help solve this problem, FIDO recently released UX guidelines to establish a best practice and make it is seamless as possible for someone to login without a password.
Another challenge comes with using multiple devices. Because the private key is tied to a single device, not an account, it can cause problems when a person loses whatever they are using to authenticate logins, such as their smartphone. It is one of the core problems that FIDO is trying to solve.
“People can take different approaches,” explains Shikiar. “In general, we recommend having two authenticators. That’s most effective in enterprises where you’re talking about security keys, you often have two keys. When you talk about consumers at scale, that starts to break down.”
Shikiar wants to see a move towards what he describes as “possession-based account onboarding”.
This involves an account onboarding process that isn’t knowledge-based and could include a government-issued ID that is then bound to a person’s device. If the device is lost, a person uses the camera to scan the ID on their replacement phone number and picks up where they left off.
“Not only is it a convenience issue, it’s also a security issue as it’s during the account recovery process where someone can use social engineering to take over your account,” says Shikiar.
Shikiar says FIDO is making “good progress” on this “very difficult challenge”. It’s also a problem that may also require help outside of FIDO from a few familiar players – and others that might not be household names.
Getting by with a little help from Big Tech
Helping to lead the charge away from passwords are the Big Tech companies. Microsoft, Apple and Google have all embraced FIDO’s standards into their platforms and are all paying members of the FIDO Alliance.
In return for their cash, companies can help shape the specifications, be associated with the organisation and be among the first to learn of new developments. Or as Shikiar puts it: “It’s influence and access and visibility.”
The tech giants bring with them not only technical expertise but huge userbases of businesses and consumers. Shikiar believes it is this element that gives Big Tech a crucial role in making passwordless authentication solutions “grow and scale”.
He adds: “As companies such as Apple start to consumerise it, it’ll become second nature if not first nature.”
In September 2021, Microsoft made it possible to completely remove the password for a Microsoft account. Instead, users can login via the Microsoft Authenticator app, Windows Hello, a security key or a verification code sent to a phone or email.
It builds on Microsoft’s announcement in March that made passwordless authentication sign ins generally available for enterprise users.
Apple too has taken steps towards a passwordless future. In June, it announced Passkeys in iCloud Keychain, which lets users create accounts that don’t require a text password. The technology is based on WebAuthn and replaces a text password with Face ID, Touch ID, or a security key that is synced across Apple devices using iCloud.
Away from the tech behemoths, there is a fast-growing identity access management industry providing solutions to ditch the password.
Shikiar believes startups are “absolutely critical” to making passwordless authentication the norm.
Among them are Duo Security, LastPass, Okta and Yubico. In 2020 the market was valued at $12.3bn and is forecast to almost double by 2025.
Jermoluk’s Beyond Identity is new on the block but contains familiar faces. He founded the company in 2020 with Jim Clark, co-founder of Netscape whose web browser was dominant during the 1990s.
The company is part of the FIDO Alliance and has three ways to use its solution: downloading an authenticator, embedding the software into another app, or support directly in a browser extension.
“Naturally, a ton of money is flowing into startups to solve the problem,” says Jermoluk. “Do I think they’ll all survive? No, absolutely not. There’s going to be the quick and the dead, so to speak.”
Despite the interest in passwordless authentication, some security professionals believe that using multifactor authentication and a password manager is enough.
“Password managers offer so much more than just an encrypted vault,” says ESET’s Moore. “They offer the ability to create a complex password without having to even think.”
However, Jermoluk believes these are just “band-aids” because the password is “still there”.
When – if ever – will passwords die?
To some, the days of the password are numbered. But for others, we are destined to be stuck with passwords forever.
Jermoluk is confident that passwords are dying out and believes recent high-profile cyberattacks have “lit the fire” under application developers to “move on”.
He adds: “I guarantee you, within three years, you will not use passwords on any device.”
Moore is less certain: “Passwords form the underlying entry of account access and other ways continue to be tried, tested but ultimately fail.”
He adds: “The balance between security and convenience often still favours ease of use for many people so any extra push to eliminate passwords for those requiring such support will always be gratefully received.
While it’s unclear if or when passwords while become obsolete, one thing is certain – businesses are already embracing device-based authentication.
Among them are Facebook, Twitter, Google and eBay.
Some 4 billion devices currently support FIDO authentication and in June this year the industry association introduced its FIDO2 standards aimed at simplifying deployments.
For Shikiar, the move away from passwords will take place in two steps. First, consumers will grow accustomed to not using passwords while still having the option to use them. He believes that most consumer websites will offer a passwordless login option by 2023.
The next phase will see passwords completely removed from the equation, but there is no firm date for this to happen.
Shikiar remains certain, though, that we’ll start seeing a lot less of passwords soon: “Passwords will be much less of a nuisance in the next few years.”