It’s nearly two decades since Bill Gates predicted the passing of the traditional username and password, warning that this archaic security combo simply wasn’t up to the task of keeping information safe and secure in the long term.Â
Taking an educated guess at what the future might hold, he told a security conference: “There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”
Fast forward to 2023 and people are still relying on usernames and passwords as the lock and key to personal and sensitive information. What’s more, they’re still failing to make their passwords secure enough.
Research published by NordPass in 2022 shone a light on just how difficult it seems to be to ditch traditional usernames and passwords. For example, it found that “password”, “123456” and “guest” were all in the top ten of the most common passwords in 2022, all of which were cracked in a split second.Â
According to Microsoft, hackers launch an average of 50 million password attacks every day — or about 580 per second. And according to Verizon, 60% of data breaches are attributed to compromised credentials. What’s more, password resets are a top reason workers call IT help desks adding to IT estate maintenance costs.
To paraphrase an infamous quote, the reports of the death of the username and password approach to security appear to have been greatly exaggerated.
Passwordless authentication – what is it?
But, if we are ever to get serious about cyber security and the protection of data, we have to find another way.
That’s one of the main reasons why passwordless authentication is gaining so much popularity as a more secure and convenient alternative to traditional passwords.
And it seems the industry agrees. Tech giants Apple, Google, and Microsoft announced last May that they would support FIDO2 — authentication specifications based on public key cryptography and international standards — to enable passwordless authentication across devices.
It’s a move that’s seen by many as a major step forward in providing better cyber security protection against phishing attacks and stolen passwords. And it’s easy to see why.Â
For the most part, passwordless authentication works by allowing people to rely on other forms of authentication — such as biometric data like fingerprint or facial recognition — instead of a username and password. But other solutions are available as well.
For instance, one-time passwords (OTP) are randomly generated codes sent to a user’s registered device, such as their smartphone or email address. Public Key Infrastructure (PKI) authentication uses digital certificates to verify a user’s identity. Other technologies, such as Security Keys, use a physical USB or Bluetooth device as a unique identifier.
And most people are familiar with multi-factor authentication (MFA), which is increasingly being used to access everything from financial services to on-demand subscription services e.g., sending you an text message with a one-time code.
Challenges of going passwordless
Of course, passwordless authentication is not without its challenges. For one, it requires widespread acceptance and a significant shift in mindset from those who may not be quite ready to ditch old behaviours. While vendors are more likely to drive passwordless adoption, consumers are particularly guilty of clinging onto old habits unless they’re forced to make the change.
It also requires a fair chunk of investment in infrastructure. Part of the foot-dragging to adopt passwordless security solutions is simply down to the fact that many organisations still rely on older systems and devices that are not compatible with passwordless technology.
But other issues exist as well. For instance, an organisation’s preferred passwordless solution may not be interoperable with all systems, platforms, or devices across its IT ecosystem. The reality is it’s incredibly hard to remove the plumbing of an old system.
Of course, that’s not a problem for those firms that have grown up with cloud computing. They tend to be much more adept at adopting passwordless authentication because they are not held back by legacy systems.
Cloud-based systems are the way forward
The same is true for those established organisations that have already embarked on their digital transformation programmes and migrated to the cloud. For them, switching to passwordless authentication is a far easier process than for those that have yet to swap out legacy infrastructure.
For the companies that are already underway with overhauling their systems, the cloud plays a pivotal role in passwordless authentication. Cloud platforms provide a secure, reliable, and centralised location for storing and managing key information, such as user credentials.
What’s more, it’s much easier to upgrade and adopt emerging security technology if it’s based in the cloud, as there’s no need to rip and replace legacy infrastructure.
Done well, not only does it ensure that data remains secure and protected from unauthorised access, but it can also create a more positive user experience, especially among those nervous about adopting biometrics or reluctant to embrace change.
Despite this, there are still plenty of organisations that have yet to make that investment. Which may help to explain why they continue to use password manager software programmes.
Having said that, even this technology is not without its pitfalls. In 2022, the popular LastPass software manager tool fell victim to a security breach, potentially jeopardising the security of personal data. If nothing else, incidents such as this are a reminder that everyone needs to evaluate their security exposure on a regular basis and maintain cyber hygiene.
Will the future be passwordless?
For many, there is one outstanding question that still needs to be answered. When will the obituary for passwords finally be written? It’s a tricky one to answer. While significant strides have been made with regard to the consumerisation of IT, the unfortunate reality is that there are still a multitude of technologies that are using old authentication systems and haven’t adopted single sign-on or the use of biometrics.
In terms of security, convenience, and the overall user experience, usernames and passwords don’t come close to passwordless alternatives. And with the rise of mobile devices and cloud computing, one-time codes sent via email or text message can provide an extra layer of security without requiring users to memorise — or scribble down — yet another password. Only time will tell if passwords will still be around in another 20 years, but the overall attack surface of a business is even larger. A multi-layered approach to endpoint protection through a single platform enables fast reaction times to any threat when the inevitable occurs.
Chris Vaughan is AVP of Technical Account Management, EMEA at Tanium. Passionate about cyber security and IT operations, Chris leads a team of experts that advises customers and partners on how to secure and manage their business-critical IT assets. His vast knowledge of the sector includes everything from deeply technical topics to the latest trending cyber security stories making the headlines.