Many organisations in the technology sector are trying to move towards a future without passwords, but is this a reality or is it still a long way off?
With much of our personal and business lives now online, the average person has around 100 passwords according to recent research. It’s impossible for individuals to create unique and strong passwords for every single account, which is why many users end up adopting poor habits like re-using simple passwords across accounts or saving passwords in online address books.
Despite the best hygiene practices in the world, passwords still don’t cut it when it comes to security. When an account takeover occurs, every account that the compromised password was reused on is also vulnerable to a takeover. These passwords are also sold on the dark web where hackers can leverage them for future phishing attempts and account takeovers.
We are currently relying on decades-old technology to secure our most sensitive data when security threats have evolved past their protection. Despite the poor security and usability concerns, why are we still using passwords?
While passwords may offer poor security and usability, they allow users to access any site, on any device, from any location, and no matter what, it never changes the user experience. Until we can provide an alternative solution that does the same, we will never be able to effectively eliminate passwords.
Is Multi-Factor Authentication enough?
First, there were usernames and passwords, and then came multi-factor authentication (MFA), which requires a combination of multiple forms of authentication to prove that you are who you say you are. This can come in the form of something you know, like a PIN or password, or something you have, like a physical security key or a smart card.
It’s important to note that not all MFA is created equal. In fact, most of the common MFA solutions deployed over the last 20 years, like SMS, email, and mobile phones, were not originally designed with security in mind.
The way we should look at solving the password problem is through open authentication standards, FIDO2 and WebAuthn, which allow for interoperability at scale; passwordless authentication can only be solved at scale.
How WebAuthn and FIDO2 prevent account takeovers
Stolen credentials and phishing attacks are the main causes of account takeovers, and WebAuthn successfully combats both types of attack.
With WebAuthn, users no longer need to rely on the weak security of passwords, nor the poor user experience. Yet, WebAuthn and FIDO2 deliver on all of the portability, interoperability, and backward compatibility that’s required to successfully eliminate passwords at scale. Going forward, users can expect services to offer WebAuthn strong authentication methods, including the option to use security keys or built-in platform authenticators, like biometric readers, to protect their online accounts.
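As an added illustration (not part of the original article and not Yubico's code), the Go program below models the relying-party checks that make a WebAuthn login resistant to phishing and credential theft: the browser, not the web page, records the origin it is actually connected to in clientDataJSON, the authenticator signs that together with the site's one-time challenge, and the site rejects any assertion whose origin or challenge does not match what it issued. The function names, the sample origins and the one-byte stand-in for authenticatorData are assumptions; credential IDs and attestation are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// ClientData holds the clientDataJSON fields a relying party must check.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type Assertion struct{ AuthData, ClientJSON, Sig []byte } // simplified authenticator response
// NewCredential models registration: a fresh P-256 key pair per site; the site stores only the public key.
func NewCredential() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// signedMessage is what the authenticator signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientJSON []byte) []byte {
	h := sha256.Sum256(clientJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return m[:]
}
// Sign models browser plus authenticator: the browser, not the page, records the origin it is really
// connected to, so a look-alike site only ever obtains a signature over its own name.
func Sign(priv *ecdsa.PrivateKey, origin, challenge string, authData []byte) (Assertion, error) {
	cj, err := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil { return Assertion{}, err }
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cj))
	return Assertion{AuthData: authData, ClientJSON: cj, Sig: sig}, err
}
// Verify is the relying-party side: the expected origin and the challenge it issued must both appear in
// the signed clientDataJSON, and the signature must verify under the registered public key.
func Verify(pub *ecdsa.PublicKey, a Assertion, wantOrigin, wantChallenge string) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientJSON, &cd); err != nil { return err }
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("unexpected ceremony type")
	case cd.Origin != wantOrigin:
		return errors.New("origin mismatch: assertion was produced for another site")
	case cd.Challenge != wantChallenge:
		return errors.New("challenge mismatch: stale or replayed assertion")
	case !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientJSON), a.Sig):
		return errors.New("signature does not verify")
	}
	return nil
}
```

An assertion collected by a look-alike domain carries that domain's origin and is refused; rewriting clientDataJSON to the real origin breaks the signature, and a captured assertion fails against the next challenge, which is why a stolen or phished WebAuthn login cannot be reused the way a stolen password can.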
Microsoft was the latest major corporation to enable passwordless login for the millions of users of its Azure Active Directory.
Now is the time for our systems to evolve and develop a set of credentials assigned to us, by us, for our use, that is still part of an access solution framework.
While unique and complex passwords created by users, stored in protected and secure password manager vaults, are a step in the right direction, it’s clear that we must find our way beyond passwords.
The journey to a passwordless future is a transition and it won’t happen overnight, but all things considered, we have a promising future ahead where the only “password” required for all of your online accounts lives on your keyring and not in your memory.
Geoff Schomburgk, Vice President – Australia & New Zealand, Yubico