According to some security professionals, passwords will disappear as an authentication mechanism. Instead, we’re heading to a passwordless future. However, a group of security professionals don’t believe in passwords disappearing that quickly. What direction are we heading?
For many, the password is a familiar and easy way to log in. A strong password ensures that only you can access sensitive data, devices or services. People are used to entering login credentials, although there are tools to make a login process different. There are security experts who therefore expect that these tools will eventually lead to a passwordless future. They think this mainly because the password is not always as safe and user-friendly as it should be.
Indeed, surveys regularly show that people use simple passwords. Popular passwords are ‘123456’, ‘password’, and the user’s date of birth. People with bad intentions can guess those passwords. Therefore, it is recommended to use complex passwords, where you use a random combination of numbers, letters and punctuation. From a security point of view, it is preferable to have a unique complex password for each service you use. Reusing login credentials, i.e. using the same credentials for all the services and devices you use, puts you at risk of being hacked in all sorts of places. Once a hacker finds out a reused password, he can use it to log into all kinds of services, with all its consequences.
Enough reasons to think about a true passwordless future
Also, not everyone considers the way we currently log in to be user-friendly. For example, if you forget login credentials for an important business application, you’ll have to request a reset at the IT administrator. The administrator is then tasked with your reset request, meaning both you and your colleague will spend time on the error. There are even more unconventional aspects to passwords: you often enter logins several times a day to unlock a particular system.
Enough reasons to think about a true passwordless future. But will this eventually happen or are passwords here to stay?
What does passwordless mean?
There are already authentication methods to replace the password. Important here is that a user does not fill in a password. Multi-Factor Authentication, where an additional verification step is added to the password, is not a passwordless authentication method. Using only one factor, such as biometric data or SMS authentication, does count as passwordless.
Several major IT vendors and startups have already found ways to replace the password, such as the well-known Windows Hello. This involves taking a facial scan to log in to your Windows device. According to Microsoft, 150 million people now use this passwordless functionality every month. And at the tech giant itself, almost every employee logs in this way.
Several major IT vendors and startups have already found ways to replace the password
Identity and access management as a service (IDaaS) vendor Okta also works on ways to be less dependent on passwords. The Okta platform grants users access to the business applications they need by logging in just once. Okta checks several authentication factors to make sure the user is really who he says he is. He or she is then given access to CRM and ERP applications, for example, something that would normally require several separate login processes. In fact, with Okta, you can often choose a fingerprint or face scan as a method of accessing all apps.
In our opinion, Windows Hello and Okta are good examples of alternatives to the password. They are actually changing processes within enterprises. But does it also mean the end of the password is nearby?
How realistic is passwordless?
Not everyone is convinced that the password will play a smaller role in the coming years. For example, we spoke with KnowBe4 about passwordless. The company that offers security training acknowledges that passwords are vulnerable. “A world with an alternative seems beautiful,” says Security Awareness Advocate Jelle Wieringa of KnowBe4. But at the same time, he argues that there have been technologies promising to replace passwords for a long time. “All those solutions have to be implemented somewhere,” says Wieringa. As a result, you often see that passwords continue to be supported. Sometimes also because alternatives do not always work. SMS authentication, for example, doesn’t work very well when you’re in a remote part of the world with little network coverage. It can sometimes take minutes until you get the text message, after which the validity has already expired.
KnowBe4 estimates that passwords are currently supported by 99 per cent of services; alternatives aren’t supported in such larges numbers. If you know this, is it realistic to think that we will be using other authentication methods en masse in a few years? After all, passwords are easy and used by everyone. For alternatives, this is not yet the case. Of course, they are widely used, but the password is still dominant. And this while the discussion about passwordless was already alive five and ten years ago.
Enough alternatives, mix seems realistic for the time being
Not every alternative necessarily means the end of the password. A password manager, for example, is a useful tool that can take over authentication from you. In this, you can also save a complex password for each service. It leads to a more secure alternative, and some extent, you also replace passwords, although such managers are dependent on passwords. Of course, there are also risks associated with this alternative, like a password manager being hacked or losing/forgetting the password of the manager. However, a password manager doesn’t really end passwords.
Passwordless is here, but the end of to password isn’t nearby
The authentication methods have in common that they get people excited about using an alternative to the password. As a result, more and more people embrace an authentication method other than the familiar “username and password”. Simultaneously, people who are already deploying alternatives still have passwords and even need to deploy them from time to time. You can deploy so many alternatives, but you will enter traditional login credentials at a particular service once in a while.
Passwordless is, therefore, a tool that some services offer, but the definitive end of the password does not seem to be in sight for the time being.