The Passwordless Future
For a long time in the world of computers, "security" has been nearly synonymous with "passwords". "Make complex passwords." "Don't share your passwords." "A member of our staff will never ask you for your password." These phrases, or ones like them, have been repeated so often that they have become second nature for many. Despite their pervasive use, however, passwords represent one of the weakest links in the overall security landscape. In our attempts to enhance both security and usability, options other than passwords will soon become our primary methods of authentication. Let's talk about a future without passwords.
An Overview of Authentication Factors
Authentication is the process where we try to guarantee a user is who they claim to be. Passwords are an example of "something you know," also known as a knowledge factor. PINs, security questions, and tap sequences are all other examples of this factor. The reasoning is simple: to prove you are you, answer this question with the answer only you would know. Another factor is "something you have," or a possession factor. In this case, the application wants you to prove your identity based on something that only you would have access to. This includes email confirmations, tokens or certificates installed on your machine, or mobile phones using SMS or an authenticator app. The last major category is the inherence factor, or "something you are." These are inherent traits you possess that you are very unlikely to lose, such as your face, fingerprints, or eyes. If the app sees that you have your fingerprint, then it can be pretty confident of who you are.
Problematic Passwords
With that groundwork laid down, it is time to consider the challenges with passwords. These issues apply to all knowledge factors used for authentication. For one, consider the ease with which such a factor may be 'lost'. Passwords are difficult to remember, especially if you are trying to meet complexity requirements. Add to that the likely hundreds of different services, each requiring its own password. Lost passwords impose a real cost on an organization as well: significant chunks of IT helpdesk time are spent on password reset requests. Compare that with the other two factors discussed above. Misplacing your phone or your laptop with a software token is possible, but it is much less common than forgetting one of dozens of passwords. It is also much costlier to the individual, giving them a far greater incentive to keep track of it. And then there are inherence factors, which almost nobody can lose. I must say, I don't think I have ever misplaced my fingerprints, face, or eyes when heading to work for the day.
For a second concern, we must consider the risk of someone malicious compromising the authentication factor. Many of the breaches we see are caused by attackers who acquire credentials they are not meant to have. There are numerous ways this can happen. Applications that store passwords have many things to get right in order to protect their data, and some fail to do so. Passwords may be saved in plain text, hashed without a salt, or encrypted with default settings. This means that anyone who gains access to the database is well situated to compromise accounts.
Users can also be the target of such attacks. Malware that logs keystrokes can share your credentials with an attacker. Network packet sniffers can do much the same. Phishing is a widespread problem where a bad actor impersonates a legitimate service and tricks users into simply giving away their credentials. All of this is made worse by the earlier point that passwords are hard to remember. Because of this, people often choose passwords that are very simple. Even worse, they reuse the same password across multiple accounts. Now a data leak at a social media site can also lead to your bank account being compromised, and being phished for a video game account can lead to someone accessing your credit card.
Again, we compare to the other two factors. While someone can take a possession factor such as my phone, it is a very visible event. My password can be compromised and leaked across the internet without me realizing a thing for months. My phone going missing I will notice in well under an hour. Moreover, someone across the world can theoretically access my passwords. Someone must find me in the real world to take away my phone or laptop. The inherence factors are nearly immune to this problem, for obvious reasons.
Password Better
To be fair to passwords, many of these issues can be mitigated to varying degrees. A password manager is an extremely useful tool I highly recommend. You can have long, complex passwords that are never duplicated, and yet you do not have to remember them because the manager stores them for you. There is a bit of irony in securing passwords behind another password, but many such managers are moving to include passwordless options for authentication. Multi-Factor Authentication is another great practice that applications can add. Microsoft has said that adding a second factor on top of a password can reduce the chance of being compromised by over 99%. Users should also learn how to identify and avoid phishing and malware. Between these three things, you can be quite safe while still using passwords.
Leaving Passwords Behind
Still, why should we stop at 'good enough'? There are plenty of users out there who will continue to falter on these topics: they use passwords like "123456" and "password", write their laptop password on a post-it note stuck to the laptop, and fall for every phishing email that comes through. And even those who follow all the best practices can still face the odd compromise when a database leak occurs. This is why big companies have been moving towards passwordless solutions over recent years, and the drive has increased in intensity of late.
Microsoft has begun promoting several of its own passwordless options and recently held a digital event highlighting these changes. Microsoft Hello allows your face to be your point of access into Windows and to serve as an authenticator for apps that connect to it. The Microsoft Authenticator allows your phone to be your point of authentication, for those who do most of their work while mobile. Each of these options is also compliant with the FIDO2 specifications.
The FIDO Alliance has helped shape these specifications, and nearly all of the common browsers are now compliant with them. These standards decouple the steps of authentication, meaning that secrets are no longer sent directly across the internet. In a standard authentication flow, the password itself is sent across the network to the application requesting authentication. Under the FIDO2 standards, by contrast, authentication is performed locally on a device, whether a PC, phone, or other hardware. After the user authenticates with either an inherence or a possession factor, the secret held for that application is used in a cryptographic operation, and a signed token is passed to the application requesting authentication. The application then verifies that signature using the key it registered for the user. Even if some sort of phishing has led a user to authenticate with an imitation site, the authentication is bound solely to the domain that requested it, preventing a breach of the legitimate application. Even better, applications can enable this type of authentication through a simple JavaScript API, lowering the barrier to entry for developers.
Passwords are a serious security vulnerability. There are steps you can and should take to better protect yourself when using them, including using a password manager and opting in to MFA when it is available. Even so, the best security will come from moving to passwordless solutions. Even now, there are options available that you can begin to employ, and you are likely to see more applications supporting passwordless authentication on a regular basis. We are moving to a new phase in security, and passwords are quickly fading into obsolescence. The future truly is passwordless.