The password system we use today pre-dates the Internet.
Fernando Corbato is the American computer scientist who many say created the computer password. He developed the Compatible Time-Sharing System (CTSS) in the 1960s. His eureka moment was to create a way for people to share a computer while allowing users to protect their private files.
Corbato has been on a different crusade in recent years. He now freely admits that passwords have become problematic. The main problem, he says, is that his great creation was of a different time, pre-Internet. He did not design it for use with the web. Now frequent data breaches have shaped the digital era, and rising privacy awareness is driving every facet of our digital life. According to Corbato, it’s clear that things need to change, and he has been calling for the retirement of passwords.
“Unfortunately it’s become kind of a nightmare with the World Wide Web. I don’t think anybody can possibly remember all the passwords that are issued or set up. That leaves people with two choices. Either you maintain a crib sheet, a mild no-no, or you use some sort of program as a password manager. Either one is a nuisance.”
Besides the security risks passwords pose to individuals, this method of authentication is also expensive for an organization to manage. Microsoft quotes analyst firm Gartner’s figure that up to half of all help desk calls are for password resets.
Moving toward “passwordless” authentication
For the past few years, Microsoft, Google, Apple and others have been trying to design ‘passwordless’ authentication under the Fast Identity Online (FIDO) Alliance.
In a blog post last year, Microsoft claimed that 90% of its employees were using a passwordless authentication system. One such system is Windows Hello biometrics for accessing Azure Active Directory (Azure AD) networks. Another is through apps that support the Microsoft Authenticator app and FIDO2-based security keys.
Over 150 million people are using Microsoft passwordless systems each month, according to Microsoft.
Microsoft is pushing forward in the area of passwordless authentication. It has recently announced new tools to manage FIDO2 security keys. These will help customers build ways for users to manage their own authentication methods, such as phone numbers and email addresses.