We’ve seen a push by smaller vendors and big organizations, like Microsoft and Google, to offer what they call password-less solutions. These solutions typically rely on authentication methods like biometrics and hardware tokens.
All this industry discussion around passwords is positive! Organizations definitely have more awareness of the shortcomings of passwords these days. This has come from bad news and good news alike: there’s the constant coverage of data breaches due to password spraying attacks, and Microsoft and Google constantly telling everyone that it's time for a change.
But, at the end of the day nearly every account of mine still has a password associated with it—what gives?
(We’re focusing on enterprise accounts here, but we did realize while working on this that Lyft doesn’t actually require a password to access the app in a browser or when using the mobile app. But, Lyft is the outlier as all my other apps required a password, even Uber.)
I yearn for the day I don’t need passwords
The advent of biometric authentication like Face ID and Windows Hello makes logging into devices and accounts much quicker. However, biometrics haven’t changed the fact that whenever I go to make a new account, I’m still required to create a password.
We haven’t really made much progress in this area. I’m excited about a future without passwords, not what we currently have, which is pretending we’ve eliminated passwords. Sure, we might be able to go about most days logging into accounts without needing to use our shared secret, but that doesn’t mean it’s gone.
We’ll know we’ve actually reached this magical password-less future when I can create a new account on some service without needing to come up with a new unique password. And while Lyft doesn’t use a password, I still need to be able to unlock my phone or access my email—both of which still use a password—but it is a step in the right direction. (Federation doesn’t count in this conversation, because your identity provider still has a password.) Password vault vendors might be the only companies not excited about this future, though.
Password-less experiences still held together by traditional authentication
Passwords remain the weakest part of the authentication process. If we have a password, our account is still vulnerable to password spraying and credential stuffing attacks. It’s expensive to prevent these attacks, while it costs bad actors very little to conduct them. (Yes, multi-factor authentication was created to make this more difficult, but adoption in organizations remains low.)
No matter the policies an enterprise might implement, someone in the organization will inevitably use an easy-to-crack password or one they’ve used elsewhere. Now, there are tools like Troy Hunt’s Pwned Passwords API that companies can try, but at the end of the day, users still must come up with a password they can remember. Organizations can also pair the API with the updated NIST guidelines around password creation, leading to a slightly better situation.
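As an added illustration (not code from the original post or from Have I Been Pwned), here is how the Pwned Passwords check and a NIST-style screen fit together: only the first five hex characters of the password's SHA-1 are sent to the range endpoint, and the returned `SUFFIX:COUNT` lines are matched locally. The range response below is constructed for offline use; `offline_range` stands in for the real HTTP fetch.

```python
import hashlib
import urllib.request

# Constructed stand-in for a Pwned Passwords range response: one "SUFFIX:COUNT"
# line per leaked hash sharing the queried 5-character prefix. The second line
# is the real SHA-1 tail of "password"; the counts themselves are made up.
SAMPLE_RANGE_RESPONSE = """\
1D2F4E91C0A4A2B3D4E5F60718293A4B5C6D7E8:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2AA0B4C6D8E0F2A4B6C8D0E2F4A6B8C0D2E4F6A:1
"""


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix sent to the API and the local suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Number of times the password appeared in known breaches; 0 if absent."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_range(prefix):
    """Offline substitute for the API: only the prefix of "password" has data."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def live_range(prefix):
    """Real k-anonymity lookup against api.pwnedpasswords.com (not used in tests)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def nist_acceptable(password, fetch_range, min_len=8):
    """NIST SP 800-63B style screen: a length floor and a compromised-password check, no composition rules."""
    if len(password) < min_len:
        return False, "shorter than %d characters" % min_len
    n = breach_count(password, fetch_range)
    if n:
        return False, "seen %d times in breaches" % n
    return True, "ok"
```

Pass `live_range` instead of `offline_range` to query the real service; the password itself never leaves the client, only the five-character hash prefix does.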
When I spoke with George Avetisov, CEO and co-founder of HYPR, about their true password-less solution (you log into applications using a mobile app with their SDK), he said that a CISO recently told him something interesting: “Passwords have been dead for a while, we’ve just been doing CPR on it.”
I definitely agree. We use two-factor and multi-factor authentication to make it more difficult for outside parties to gain access to accounts, but all we’re doing is trying to protect our existing authentication methods. Unfortunately, this also leads to poorer user experiences in the name of security. MFA is a stop-gap at best—though it’s definitely better than nothing.
I’d like to believe we’re making progress, but I’m impatient for things to really get moving. We need more vendors to come out with password-free authentication options—if I have to create a password at any point when creating a new account, it’s not password-less, no matter what anyone may argue. Awareness is good, but it’s time for the next step, already!
If you’re a vendor with a password-less solution, I’d definitely like to hear about it, and I’m sure others would as well! Or, if there are some great examples of password-free apps and services out there that I’m missing, let me know.