Passwordless security is here
The challenge with usernames and passwords, as we all know, is that we have to make them, remember them, maintain them, change them, store them and sometimes even exchange them with others. Passwords are a pain, but we need them. So what can be done about this?
Since we have passwords for virtually anything we need access to, the average user has over 100 passwords. This means that there are potentially 100+ exposure points per user if the passwords were compromised.
Additionally, passwords are generally not under the user’s control because they are set on someone else’s system, like a service provider. The service provider then has the responsibility not to lose the user’s password.
History tells us that the service provider inevitably has a breach that exposes the user’s passwords. The hackers then use the passwords on the service provider’s and other sites, as the same password has often been used on various sites.
Imagine a world where we don’t have to remember passwords
Imagine a world where we don’t have to remember the password, but we still secure access to what we want. We don’t have to change the password every time the company that provides us with the service gets breached. We don’t have to store a myriad of passwords and remember which one is used for which application or website.
Currently, passwords are one consistent support overhead for IT departments globally. It is estimated that between 5-15% of resources are used for password management and credential management related problems. Noting the ability to automate this function, this is a total waste of valuable resources.
Over the next five years, this is precisely the challenge that the major internet companies are working on so you and your users can access your system seamlessly but securely.
Biometrics use to be so prohibitively expensive that it was impossible to adopt fingerprint, facial recondition or any other biometric platform for authentication purposes, but the rise of the smartphone has changed that. Biometric has become so pervasive that at least half of the world’s population has access to this technology. Yet we still use passwords… why?
The answer is simple: there has not been enough understanding, motivation and adoption to secure users with something better than passwords. The level of education and language used between the people making the technology and the people consuming is not aligned. If users demanded no passwords and suppliers and service providers heard this, they would have to provide a passwordless solution.
Let’s change to better security
Many developers and dev teams don’t know about authentication systems because the specification says to build a login system, and they don’t consider making the system passwordless. Someone has to be brave and make the leap to all start to move to passwordless.
If a user does not have a password, they can’t lose the password, they can’t forget the password, they will not share a password they don’t have, and they will not lock themselves out because of all the things users do.
It’s possible to go passwordless with free products, but as we all know, we need the skills and assurance that free means free, and there are always people involved that need to build and support the systems. It is recommended that a paid-for solution be sought as the replacement of passwords is a critical function, and organisations will require support and assurance that the passwordless system can be supported and maintained.
So how does this all work?
In simple terms, the industry replaces a password with a person or a device. Either you are the password, or the device you are using is the password together with something that identifies you to the device, so the device knows it is you that is using it.
There are many ways to do this, but without going into the technical details, which will be too detailed for this article, some smart people at GETIDEE, Microsoft, Google, MIT and other good renowned technology entities have found a way to make your device authenticate you every time you need it to.
If developers adopt the theory of passwordless and users are given the option to use it, people will start adopting this form of authentication. Therefore, the whole system needs developers to adopt new methods of passwordless authentication.
This is what we already have:
- If you are a Windows user, you can link your credentials to Windows Hello, a built-in system that allows users to link hardware that takes biometric authentication credentials and links them to traditional credentials. Not quite passwordless as it’s based on an underlying password that could get compromised, but a step closer to obliterating the password.
- If you use an IOS or Apple device, they figured out long ago that passwordless was the way to go, so the Apple team has also invested in building in facial, and fingerprint recondition into phones, tablets and laptops. Again, also still linked to a pin or password, but a stepping stone to eventually removing the password.
The future is here now. There is a way to have convenience and security at the same time.
Disclaimer Insights and press releases are provided for historical purposes only. The information contained in each is accurate only as of the date material was originally published.