Let's face it — everyone hates passwords. The good ones are hard to remember, and we've each got so many of them that some are bound to be bad. In enterprises and on websites, help desks and tech-support staffers spend far too much time resetting user passwords.
Most significantly, it's far too easy for hackers and identity thieves to steal, crack or phish passwords — a dire threat to companies on the watch for data breaches and network intrusions and trying to firm up their identity and access management.
The solution many security practitioners are looking at is to use passwordless authentication, which is seen as a far better and safer method to ensure only the right people have access to the right things and for the right reasons.
Yet 18 years after Bill Gates famously declared the death of passwords, we're still using them. That's because everyone understands how passwords work, everyone knows how to use them and every IT department in the world knows how to set up a password authentication scheme.
Until recently, you couldn't say the same about passwordless authentication schemes. They were hard to explain, even harder to set up and confusing to use. Their only redeeming feature was that they were (and are) more secure.
As a 2012 University of Cambridge research paper found: "Most schemes do better than passwords on security. ... Some schemes do better and some worse on usability. ... But every scheme does worse than passwords on deployability."
Passwordless authentication is now a reality
That changed in 2018 with the rollout of FIDO2, the widely used open-source standard for online authentication.
FIDO2 makes true passwordless online authentication possible, replacing it with smartphone push notifications such as those currently used by Microsoft and Google, or with hardware security keys that communicate with PCs and smartphones via USB, NFC or Bluetooth.
Either method is just as easy to use as a password, although security keys can cost the user anywhere between $20 and $90, unless they're provided by an employer. Multi-factor authentication is doable by combining these methods, especially when a login attempt presents risk signals such as when it’s coming from a location or device not previously associated with the user.
Offline, we're already well familiar with logging into our PCs and Macs and unlocking our smartphones using our faces and fingerprints. And in May 2022, Apple, Google and Microsoft pledged to extend the FIDO2 standard so that these device-based biometric logins will also log users into online accounts without a single password needed.
"When you sign into a website or app on your phone, you will simply unlock your phone," explained Google's Sampath Srinivas. "To sign into a website on your computer, you'll just need your phone nearby and you'll simply be prompted to unlock it for access. Once you've done this, you won't need your phone again and you can sign in by just unlocking your computer."
However, this Apple-Google-Microsoft form of passwordless authentication isn't quite ready yet. The firmest commitment this consortium can make is that "these capabilities will be available over the course of the coming year," implying any time until mid-2023.
In the meantime, there's no shortage of companies, Microsoft and Google included, that are ready to help you implement passwordless authentication in your company and on your websites. Passwordless relies on the ability to gather other attributes about a user's identity, such as a fingerprint or a device identifier. When an organization has those abilities, it can implement passwordless without compromising security.
How to implement passwordless authentication
One company in this space, Ping Identity, offers a four-step plan whereby your enterprise can set up passwordless authentication for your employees and customers alike:
- First, you need to centralize your employees' authentication protocols. Instead of having them log into various web-based services and applications one by one, implement an SSO solution such as those offered by Ping Identity so that each employee needs to log in only once per day. Then, mandate risk-based multi-factor authentication so that employees are challenged to present a second factor (such as a texted or generated code) when logging in from a new device, at an unusual time or from an unusual location.
- Second, slowly phase out the use of passwords for both employees and customers. The easiest way is to replace password logins with the fingerprint or facial recognition features in laptops or desktops. Alternatively, a smartphone (such as one equipped with Ping Identity's ShoCard ID Wallet app) can be used as an authentication factor through push notifications or one-time-passcode generators.
- Third, implement the FIDO2 standard on your websites. Hundreds of websites already do this, and as noted above, the standard will soon let customers log into those sites without a password.
- Lastly, go truly passwordless both inside and outside of your perimeter. Remove passwords even from account creation by advancing registration, verification and continuous authentication processes.
That last step is a big one, even in a well-managed enterprise. Some IT personnel may want to keep employee passwords as a backup means of authentication in case the other methods fail — although having any kind of password for high-privilege employee accounts creates a rather large risk.
Many organizations will be resistant to the change, and you’ll need to create instructional videos showing how it’s no harder than using a smartphone. Some users may insist that you retain their passwords as a fail-safe.
It's appropriate to go slow for their sake, and there's no doubt we'll be stuck with passwords for a while longer. But as passwordless authentication becomes easier, the hunger to adopt will only accelerate.