Passwordless authentication: Safer, better, and about time

How many times have you stared at your computer screen, fingers poised over the keyboard, eyebrows furrowed in consternation as you try to remember what over-complicated string of characters you used last month when you were asked to change your password for the umpteenth time this year? You regret not writing it down immediately because you were so confident you’d remember every special character and capital letter you typed in, but now you can’t even remember the word you chose. As your mind draws a blank, you hover the cursor over the “Forgot Password?” button, sigh, and click. Passwords were once the safest way to secure your information on the Internet, but they’re slowly making way for other — often simpler — methods that authenticate that a user is who they claim to be. Passwordless authentication is slowly taking over the function that passwords once held, and these methods are safer in that they are not easily hacked or predicted.

Why passwords are being left behind

Passwords are vulnerable to data breaches, especially when careless companies store them in publicly accessible, unsecured databases. Phishing attacks continue to affect users who are unaware of the malicious nature of phishing links. Passwords also need to be maintained by IT teams at organizations, making them a burden to deal with.

However, the most compelling argument against the use of passwords with ever-increasing complexity is the sheer number of users who just can’t recall their passwords. On average, every user on the Internet has around 90 accounts on different websites. Given that this is the average, imagine the number of users with hundreds of accounts on different websites, each with its own password. It’s no wonder then that reports claim that a third of all online transactions are abandoned because online shoppers can’t remember their passwords. The implications of these revenue losses for online retailers are massive. The most important takeaway, however, is that users need more secure and simplified authentication systems that don’t leave them locked out of important services at inconvenient times.

How passwordless authentication has changed the game

You may have already noticed that passwordless authentication has quickly become one of the primary means by which users access their laptops, phones, and tablets. Many mobile devices today use biometric authentication methods to identify users. Fingerprint and face scans are used to grant users access to their devices, with Apple phones notably using face scanners to authenticate their users. Many apps can now be unlocked just by pressing your finger to a fingerprint scanner on your phone, allowing you to keep your app data safe from prying eyes. Voice recognition software is also being used to add a layer of security to apps and devices.

Many apps, services, and websites no longer require a password to access them as long as you can authenticate your identity using your email address or Facebook account, which have already authenticated your identity. Email-based authentication is fairly simple, as you merely need to click on a link to generate a live token to access a website, or you need to enter a one-time code sent to your email to verify that you are indeed who you claim to be.

SMS-based authentication is the primary mode of authentication for most apps on mobile phones. Upon entering your phone number, a one-time code is generated and sent to the number. Sometimes, the code is verified automatically, and at other times, you are required to manually type it in. Either way, this is definitely an easier way to access an app’s services than to sign up for its services using another password. However, SMS authentication isn’t as safe as other forms of passwordless authentication, having been targeted by cyberattackers in the past.
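As an added example (not code from the original post), here is a server-side issue-and-verify routine for the one-time codes and magic-link tokens described in the email and SMS paragraphs above. It assumes a hypothetical `OneTimeCodeService` class; the store keeps only a hash of each code, every code expires and is single-use, comparison is constant-time, and too many wrong guesses discard the pending code.

```python
import hashlib
import hmac
import secrets
import time


class OneTimeCodeService:
    """Hypothetical service: issues and verifies short-lived, single-use login
    codes (SMS/email) and magic-link tokens. Only a hash of each secret is kept,
    so a leaked store does not yield usable codes."""

    def __init__(self, ttl_seconds=600, max_attempts=5, now=time.time):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.now = now                  # injectable clock (useful for testing expiry)
        self._pending = {}              # identifier -> {"digest", "expires", "attempts"}

    @staticmethod
    def _digest(identifier, secret):
        # Bind the secret to the recipient so a code cannot be replayed for another user.
        return hashlib.sha256(f"{identifier}:{secret}".encode()).hexdigest()

    def _remember(self, identifier, secret):
        # Issuing a new code invalidates any earlier pending one for the same identifier.
        self._pending[identifier] = {
            "digest": self._digest(identifier, secret),
            "expires": self.now() + self.ttl,
            "attempts": 0,
        }

    def issue_code(self, identifier):
        """Six-digit code to deliver by SMS or email (short, so attempts must be capped)."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._remember(identifier, code)
        return code

    def issue_link_token(self, identifier):
        """High-entropy URL-safe token to embed in a magic link."""
        token = secrets.token_urlsafe(32)
        self._remember(identifier, token)
        return token

    def verify(self, identifier, presented):
        entry = self._pending.get(identifier)
        if entry is None:
            return False
        if self.now() > entry["expires"]:
            del self._pending[identifier]               # expired: discard
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["digest"], self._digest(identifier, presented))
        if ok or entry["attempts"] >= self.max_attempts:
            del self._pending[identifier]               # single use, or guess limit hit
        return ok
```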

Multifactor authentication is a more secure method of authentication that doesn’t use passwords and is often used by websites and apps that require a high degree of security. This method involves at least three layers of authentication, which could include fingerprint scans, security questions, voice recognition, PIN codes, face scans, or even contact information. The additional layers make it harder for bad actors on the Internet to access more sensitive information, such as your bank account details.

Implications for passwordless authentication

A company’s decision to transition to passwordless authentication is beneficial not just in terms of customer acquisition for the company but also in terms of increased security for end-users and customers. Having to create, remember, and reset passwords is often a complex and lengthy process, which can lead users to abandon their attempts to access services and companies to lose out on a huge potential customer base. On the business side, the company can save tons of investment in backend support and maintenance of password renewal and recovery systems, as well as in securing databases and access so that passwords are at minimum risk of being accessed or stolen by bad actors. It can instead divert those efforts to implementing a smoother authentication process that improves the end-users’ experience.

One of the major impacts of passwordless authentication is not only that it removes the pressure on users to remember new passwords, but that it protects them from the security threat of reusing passwords across multiple sites. A data breach on one site could potentially compromise the security of the user’s information on multiple other sites if the user has reused the same password elsewhere. While this practice is generally warned against, it is estimated that nearly 60 percent of all users use the same password almost ubiquitously. Hackers have been known to exploit these vulnerabilities in the past, and passwordless authentication would help prevent a cascade of violations by ensuring that one slip-up doesn’t lead to casualties across websites.

Security risks associated with passwordless authentication

Passwordless authentication is not without its own security risks, however, and there are multiple ways by which even the most seemingly secure methods of authentication can be compromised. Fingerprints can be reproduced on prosthetic fingers or gloves, faces can be digitally reconstructed, SMS-based and email-based authentication have been compromised in the past, and multifactor authentication methods have been hijacked by thorough hackers. It is up to companies to ensure that they keep the end-users’ security among their highest priorities by researching ways to counter potential threats to the security of users’ information.

One of the more interesting ways that companies are attempting to authenticate users involves not only logging their fingerprints but also logging data such as the amount of pressure you use when typing, the way you hold your phone, your swiping patterns, and which hand you dominantly use. All these factors can be used to verify if the person using your device is indeed you and prevent malicious actors from attempting to access your personal information.

While companies can do their best to secure your data with their best practices, at the end of the day, users are the ones who are responsible for how they use and store their data. Passwords are, more often than not, breached through human error by someone clicking on a link they shouldn’t, downloading software that they aren’t completely sure of, or engaging in poor password maintenance practices. Passwordless authentication is a boon in light of the overwhelming information that human beings cannot be trusted to look after their own security, as it reduces the degree to which human stupidity can interfere with stellar security measures. We’ll just have to wait to see if we manage to ruin that as well.

Featured image: Pixabay

1 thought on “Passwordless authentication: Safer, better, and about time”

  1. “Multifactor authentication is a more secure method of authentication that doesn’t use passwords” is incorrect, as MFA may still use passwords. The general tenet of 3-factor authentication is “something you have, something you are, something you know”. An example of this would be (your cell phone, your fingerprint, and your password). MFA doesn’t require the absence of a password, but it makes a compelling case for it not being the only component.

    Biometrics (iris scan, face scan, fingerprint) have one big disadvantage — they can never be changed. Once someone has one of these, that factor is useless. You can buy a new phone, change your phone number, get a different e-mail address or provider, but you can’t change your fingerprint.

    You make no mention of Password Managers, which is doing your readers a big disservice. How much better to remember one very strong password that secures everything, because none of those websites will have your One Very Strong Password, but many unique and much stronger randomly-generated passwords?

    Lastly, have a look at SQRL (GRC’s Secure Quick Reliable Login, https://www.grc.com/sqrl/sqrl.htm). This is a different way of looking at passwordless authentication. It’s somewhat similar to what you experience when you use Facebook or Google to log in, but whereas those sites leverage how much they know about you to securely log in, SQRL leverages a one-time anonymous relationship to securely log you in. Websites employing SQRL can then choose to collect additional information as needed (for example, CC info to make a purchase, or an e-mail address to send you product offers), but zero information is required to initiate the authentication, only a guaranteed-unique identifier. All of the relevant details are at https://www.grc.com/sqrl/sqrl.htm.
