The password has long been the default form of authentication for anyone using a system. Access control is mostly based on user input — a username to identify the user and then a secret that only the user is meant to know. The combination of the two grants the user access and rights to the resource. The problem with usernames and passwords is that we have to create them, remember them, maintain them, change them, and store them, and sometimes, if we are irresponsible about password use, we share them with others. Many would agree that passwords are an inconvenience; however, they are needed.
The average number of passwords that an ordinary user has is likely more than 100. We have passwords for our computers, our social media or email systems, our numerous other devices, banking, and virtually anything we need to access securely. Passwords are everywhere and used by everyone.
If each person has approximately 100 passwords, each user potentially has 100 points of exposure should those passwords be compromised. Additionally, the passwords are generally not under the control of the user. Typically, users set passwords on someone else’s system, such as a service provider’s. The service provider has the responsibility not to expose the user’s password. However, history demonstrates that sooner or later the service provider suffers a breach that leaks users’ passwords. Attackers then try those passwords not only on the service provider’s site but on other sites too, because users commonly reuse the same password across many sites.
Passwords — A waste of IT resources
From an IT perspective, passwords are currently a constant support overhead for IT departments globally. It is estimated that between 5 and 15 percent of IT resources are spent on password and credential management. Given that much of this work could be automated, it constitutes a largely wasted resource.
Imagine a world where we don’t have to remember the password, but we still achieve secure access to what we want. We don’t have to change the password every time the company that provides us with the service gets breached. We don’t have to store many passwords and remember which one should be used for which application or website.
Well, this is precisely the conundrum that the major Internet companies are working to solve, so that users can access systems seamlessly but securely. Considerable progress is anticipated in this area within the next three to five years.
Biometrics used to be so prohibitively expensive that it was impossible to adopt fingerprint, facial recognition, or any other biometric platform for authentication purposes. The rise of the smartphone has changed that significantly. Biometrics has become so pervasive that at least half of the world’s population now has access to biometric technology. Even so, we still use passwords. Why?
The answer is simple: there has not been enough understanding, motivation, and adoption to secure users with something better than passwords, because the education and language of the people making the technology and of the people consuming it are not aligned. If users demand a “passwordless approach” and suppliers and service providers recognize that demand, they will have to provide a passwordless authentication solution. This would quickly drive a move to the utopian authentication we all want.
It’s time for a solution — and that solution is passwordless authentication
So, if all of these components exist, why are we not using them to move to a more advanced solution? It is heavily dependent upon education and on knowing how to present the idea to users — how to get the message across in the right way. Some users believe that by typing in a password they are safe; however, in many cases the password is the Achilles’ heel of the system.
From a developer’s perspective, the specification usually just says to build a login system; if the developer does not think to make the system passwordless or to use a different authentication method, the loop continues. The jump needs to be made so that we all start to move to passwordless authentication.
We know that if a user does not have a password, they can’t lose the password, they can’t forget the password, they will not share the password, and they will not lock themselves out of systems as they would authenticate with something they have or are.
It’s possible to go passwordless with free products, but as we all know, we need the skills and also the assurance that free actually means free. We need the assurance that there are always people involved to build and support the systems. A paid-for solution is recommended, as the replacement of passwords is a critical function, and organizations will require support and assurance that the passwordless system is supportable and maintainable.
How does this all work?
In simple terms, the industry replaces a password with a person or a device: either you are the password, or the device you are using is the password, together with something that identifies you to that device. That way, the device knows it is you who is using it.
There are many ways to do this, but without going into the technical details, technology organizations and entities have worked out how to make the device authenticate the person every time.
When looking at what is already available, if you are a Windows user, you can link your credentials to Windows Hello, a built-in system that lets users pair biometric hardware with their traditional credentials. This is not quite passwordless, though, as it’s based on an underlying password that could get compromised, but it is a step closer to removing the password altogether.
If you use iOS or other Apple devices, Apple figured out long ago that passwordless was the way to go, so the Apple team has also invested in building facial and fingerprint recognition into phones, tablets, and laptops. Again, this is linked to a PIN or password, but it’s the stepping stone to eventually removing the password.
Suppose developers adopt the passwordless approach and users are given the option to use it. In that case, there’s no reason why people would choose not to start adopting this form of authentication.
What’s the future of passwordless authentication?
It’s a matter of adopting it. There is a way to have convenience and security simultaneously, which has been well demonstrated on several platforms. Many companies are now using this to make their users’ experience better and more secure. There will come a time when a user signs up, and the system handles the credentials securely and conveniently so that the user does not have to manage a password.