The death of passwords has been predicted time and again. Not without good reason: passwords are a weak link and a headache from both a security and operational perspective. But despite calls for their elimination, most people still use passwords today. Why has the passwordless dream not come to fruition yet? Why is now different? And what are the components of an effective passwordless solution?
The benefits of passwordless are made clear every day, whether it’s the frequent headlines flagging new password leaks or a study by Forrester Research showing that password resets cost companies an average of $70 each. The main benefits of passwordless are twofold:
- Risk reduction. Eliminating account takeover has become the main argument for passwordless authentication. According to the 2020 Verizon Data Breach Investigations Report, 80 percent of breaches use stolen credentials, either through database leaks or phishing attacks. When user identities are no longer tied to a shared secret like a password, the risk of account compromise reduces to essentially null. In a symmetric system, both the user and the system store a password, creating two points of vulnerability with equal yield to the hacker. In an asymmetric system, private keys stored by the individual are used to sign, while the public key stored by the system gets used to verify signatures. A hacker who compromises the system would yield nothing usable, since the public key on its own can only verify items signed with the private key.
- Ease of use. Many new products attempt to solve the risk issue by adding more authentication methods on top of the password, such as one-time codes or mobile push notifications. However, these approaches reduce user convenience. Multi-factor authentication may reduce the risk of account takeover, but it also impedes ease of use. Requiring frequent password resets does little in the way of security, and, according to Gartner, accounts for 20 percent to 50 percent of IT help desk calls. A more complex login process only exacerbates the strain on the user, whereas a passwordless login eases it.
Passwords exist today because the technology wasn’t available to produce a better authentication method. For decades, secure online transactions have relied on passwordless authentication in the form of digital certificates. These certificates are issued to corporations by certificate authorities that were not scalable to the size required to authenticate every login for every user. However, three recent technology advances in both hardware and infrastructure now let companies use digital certificates on an individual basis without requiring scalable certificate authorities, eliminating the long-existing barrier to passwordless logins and welcoming a more secure and convenient world.
- Proliferation of Trusted Platform Module/secure enclaves in hardware devices. When introduced in the late 2010s, they offered a safe place to generate and store private keys that can be used in the passwordless authentication process.
- Prevalence of device biometrics. In the event of device theft, the inclusion of biometric authentication on all modern devices makes it nearly impossible for anyone but the owner to access the contents of the device.
- Emergence of FIDO. The FIDO Authentication framework enables widespread adoption of PKI-based authentication across web applications.
The combination of these recent developments have eliminated the long-existing barriers to universal passwordless logins and have opened the door for a more secure and convenient world. Password managers and vaults create a seemingly passwordless experience by removing the user’s need to remember their login. However, by simply hiding the password, these tools do not solve the security issues associated with credentials, nor do they unlock the additional benefits passwordless authentication can offer.
Passwordless solutions should always achieve the elimination of passwords. A truly effective solution should positively transform, rather than replace, existing IAM infrastructure. Seamless integration with single sign-on (SSO) providers reduces the deployment lift, IT help desk costs, and user disruption and inconvenience.
For similar reasons, passwordless authentication should cover all login use cases, including desktop, web-based, native and mobile apps. If not satisfied, users will be stuck in password limbo, logging in securely without passwords in some locations while still having to use insecure credentials for others.
Passwordless solutions have arrived and they aren’t going anywhere. In fact, Gartner forecasts that by 2022, 60 percent of large and global enterprises, and 90 percent of midsize enterprises, will implement passwordless methods in more than 50 percent of use cases. So, as our society collectively moves to eliminate passwords, it’s vital that we consider what our passwordless future will look like. Although it may not eliminate all breaches and vulnerabilities, passwordless authentication holds the promise of dramatically reducing the vast majority of simple account takeover cases.
Jasson Casey, chief technology officer, Beyond Identity
