It’s high time we pivoted to other authentication methods rather than relying on notoriously vulnerable alphanumeric passwords to protect our private data.
It’s common knowledge that passwords are one of the most widely used authentication methods for protecting our private data, but it may come as a surprise just how common they are. As of April 2022, there were roughly 300 billion passwords in use, which averages to around 38 passwords per person¹. Hence, it is safe to say that passwords have played a major role in the world of cybersecurity. But that needs to change. And I am not the only one who thinks so.
Tech giants such as Apple and Microsoft plan to make passwords redundant: earlier this year, ironically on World Password Day, they announced their intention to implement new, universal passwordless sign-in methods, such as biometrics including face and fingerprint recognition, across all of their platforms and devices².
Most of us are already familiar with these types of authentication methods, as they are most often used to unlock our Android and Apple devices, confirm payments, and more.
But why should we change to passwordless authentication methods? What’s wrong with passwords? Read below to find out!
The beginning of passwords.
In 1961, a pioneer in the field of computer science, MIT professor Fernando Corbató, came across a challenge. Back in the 1960s, all professors at MIT were using a shared computer system known as the Compatible Time-Sharing System, or CTSS³. Therefore, all of their private files were stored on a single disk that was accessed through a common mainframe. Worried that individual files could be seen and accessed by anyone, Corbató came up with a solution: passwords. He gave each user a password that granted access to their own files and no one else’s.
As time went on and computers became more accessible, passwords were, and still are, used as the main authentication method for protecting private files, thanks to their simplicity, which is now seen as one of their major flaws. Sure, some websites make it mandatory to have an alphanumeric password with special characters, but those requirements bring their own set of problems, and there’s only so much you can do to prevent unauthorized access to data through passwords, which brings me to my next point.
What’s wrong with passwords?
Here are the two major problems with the use of passwords:
- Passwords aren’t user-friendly – As mentioned earlier, attempts to make passwords more secure by requiring upper- and lower-case characters, special characters, numbers, and a minimum length make them less user-friendly. Here’s why: long, complex passwords are hard to remember, so we often end up saving them in our browsers or a password manager (which can be hacked, stolen, and leaked), or we end up resetting them and reusing the same password across multiple websites… which makes them less secure.
- Passwords aren’t secure – It is hard to strike a balance between security and usability: a password that is easy to remember is insecure, and a password that’s secure is harder to remember. Secure passwords may not be as easily guessed as insecure ones, but both can be hacked and stolen, for example through a brute-force attack, and then leaked or sold to third parties. Moreover, passwords can be forgotten, which usually means resetting them, and that is troublesome if the same forgotten password was used for multiple websites.
Passwordless ways of authentication.
In order to abandon passwords as a form of security and authentication, we need to create and use other methods of securing private data. One of these methods is already widely used, most commonly to unlock devices: biometrics.
There are two types of biometrics commonly used for authentication: fingerprints and facial recognition. It is said that no two individuals have the same fingerprints, so not only is this authentication method more secure, it also removes the need to remember complex passwords. Moreover, it is faster and improves the user experience, since there is nothing to remember. Although this method is much harder to bypass, it is not impossible: fingerprints can be copied and replicated, even though that is hard to accomplish⁴.
Facial recognition is another biometric authentication method that uses a person’s face to verify his or her identity against already existing facial data. Facial recognition can be used by any device with digital photographic technology. For example, all modern iPhone models are equipped with a TrueDepth camera system, neural networks, and Bionic chips, which work together to project and analyze thousands of invisible dots in order to construct a 3-dimensional map of your face and take an infrared image of it⁵. Like fingerprint recognition, this method is a smooth, quick, and efficient way of authenticating a user and protecting your files. However, like any good authentication method, it has its disadvantages. For example, poor lighting can affect the efficiency of the system and may require multiple attempts to unlock the device or files. Facial accessories such as face masks, scarves, and hats can also lead to multiple unsuccessful attempts, and eventually the system might ask you to remove them. Nonetheless, fingerprints and facial recognition are definitely a more secure and safer way of authenticating than passwords.
Passwordless Multi-Factor Authentication
No, I am not referring to the security code or one-time password you get when you finally remember the correct password after multiple failed attempts, only to find out there’s an additional layer that requires you to enter another password, making you more frustrated.
This type of passwordless authentication depends purely on a second device and eliminates generating another password in the first place, which could have been accessed on the same device. It relies partly on biometrics, and here’s how. To log in to your account, all you have to do is enter your email address, and the system sends a push notification to the mobile phone registered with that email. In normal two-factor authentication you first enter a password, and then a security code or one-time password is sent to your email address, which can be accessed on the same device. Here, instead, you open the push notification and approve the login attempt in one of two ways: either you are asked something along the lines of “We’ve noticed a login attempt from ABC device. Is this you?” and choose yes or no, or the notification shows three different numbers and you select the one that matches the number displayed on the device you are trying to log in to.
Opening the push notification requires you to unlock the phone first, using biometric authentication, which adds an extra layer of security. Furthermore, hackers or other third parties who want to gain access to your account will find themselves in a difficult situation, as they would need access to both your phone and you⁶.
The only disadvantage is that it is more time-consuming than simply entering a password or using biometrics. Other than that, it is still considered safer and more secure than passwords.
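To make the number-matching flow concrete, here is an added example (not code from the original post or from any vendor) that simulates the three parties described above: the login device that shows one number, the server that pushes three candidate numbers to the registered phone, and the phone that answers with the number the user tapped. All names, the 60-second validity window, and the two-digit number range are assumptions; the checks it performs (expiry, correct phone, one-shot challenge, exact match) are what a defender would want such a server to enforce.

```python
import secrets

CHALLENGE_TTL = 60  # seconds a pending push stays valid (assumed value)


class NumberMatchingMFA:
    """Simulated server side of a passwordless number-matching push login."""

    def __init__(self, registered_phones):
        self.phones = registered_phones  # email -> phone id (constructed registry)
        self.pending = {}                # session id -> challenge state
        self.rng = secrets.SystemRandom()

    def begin_login(self, email, now):
        """Login device submits only an email; the server pushes 3 numbers to the phone."""
        phone = self.phones.get(email)
        if phone is None:
            return None  # unknown account: nothing is pushed anywhere
        choices = self.rng.sample(range(10, 100), 3)  # three distinct two-digit numbers
        correct = self.rng.choice(choices)            # the one shown on the login screen
        session = secrets.token_hex(8)                # unguessable handle for this attempt
        self.pending[session] = {
            "phone": phone, "correct": correct, "expires": now + CHALLENGE_TTL,
        }
        # The push carries only the candidates; the correct one is never sent to the phone.
        return {"session": session, "display": correct,
                "push": {"to": phone, "choices": choices}}

    def approve(self, session, phone, selected, now):
        """Phone (already unlocked with biometrics) reports the number the user tapped."""
        ch = self.pending.get(session)
        if ch is None:
            return "unknown_or_used"   # replayed or never issued
        if now > ch["expires"]:
            self.pending.pop(session)  # stale challenges are discarded, not answered
            return "expired"
        if phone != ch["phone"]:
            return "wrong_device"      # only the registered phone may answer
        self.pending.pop(session)      # one shot: any real answer consumes the challenge
        return "approved" if selected == ch["correct"] else "denied"
```

Because the push holds three candidates and only the login screen shows the right one, someone who merely sees the notification has a one-in-three chance per attempt, and each wrong tap burns the challenge.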
The challenges of going passwordless.
One of the major challenges of passwordless authentication is that it requires you to first create an account with a password before you have the option to choose a passwordless method. Another problem is that passwordless authentication is not possible on legacy and older systems, which simply lack the technology for it. Hence, if a company wishes to switch to passwordless authentication, replacing these legacy systems becomes a necessity and would cost tens of thousands of dollars.
Furthermore, there are legal and ethical concerns⁷ with using biometrics for authentication. Companies may not secure their employees’ biometric data, and users may be suspicious of the software that recognizes their biometrics: the camera, for example, might never have been turned off after recognizing their face, which is a breach of privacy, as the company could be using it to surveil or spy on them. The data could also be sold to third parties, which can lead to even bigger problems such as identity theft and fraud.
There is no doubt that going passwordless would be a safer and smarter way to authenticate, especially as it guarantees a frictionless user experience and removes the threat of all password-based attacks: attackers would not be able to log in with passwords simply because passwords won’t exist. This includes the two most dangerous attacks, phishing and brute force. Brute-force attacks would not work as there would be nothing to steal, and phishers would not be able to steal login credentials as they simply would not exist.
For those of you who are determined to keep using passwords (and we might be stuck with them for a while), I recommend a password manager: they offer strong encryption and keep all of your passwords in one place without your having to memorize them. They also offer features such as generating and changing passwords in one click, and more. They come with their own risks, such as all of your sensitive data being exposed if the manager is hacked, or the password-manager company itself selling your passwords to third parties without consent, but they are the best option for those who use and will continue to use passwords. Not all of us, however, can afford or want to pay for one.
With developments in technology and cyberattacks following suit, it is necessary that the required changes are made in relation to cybersecurity and that includes the end of passwords. It will undoubtedly take a while for websites and businesses to change from passwords to passwordless authentication methods but that time isn’t as far off as you might think…
Some facts and figures
Here are some facts and figures to help you decide whether you should go passwordless. What do you think?
- 90% of internet users fear that their passwords might be stolen¹.
- More than 23 million people use “123456” (one of the most common passwords) as their password to protect their data¹.
- 78% of Generation Z have been found using the same password across multiple accounts and websites⁸.
- 73% of internet users believe that forgetting passwords is the most frustrating element of security⁸.
- 69.7% of internet users fail to update their passwords once a year⁸.
- 53% of internet users use only their memory to store and retrieve passwords⁸.
- Only 35% of Americans trust password managers¹.
- Every minute, 5-6 businesses become a victim of ransomware¹.
¹Krstic, Branko. “Impressive Password Statistics to Know in 2022.” WebTribunal, 6 Apr. 2022, webtribunal.net/blog/password-stats/#gref. Accessed 02 Nov. 2022.
²Bateman, Tom. “Big Tech Plans to Kill off Passwords Altogether. What next?” Euronews.next, 5 May 2022, www.euronews.com/next/2022/05/05/forget-passwords-apple-google-and-microsoft-say-you-won-t-need-them-at-all-in-the-future. Accessed 02 Nov. 2022.
³Holt, Rene. “A Short History of the Computer Password.” WeLiveSecurity, 4 May 2017, www.welivesecurity.com/2017/05/04/short-history-computer-password/. Accessed 03 Nov. 2022.
⁴Jirik, Pavel. “5 Popular Types of Biometric Authentication: Pros and Cons.” PHONEXIA Speech Technologies, 9 Sept. 2021, www.phonexia.com/blog/5-popular-types-of-biometric-authentication-pros-and-cons/. Accessed 04 Nov. 2022.
⁵Tillman, Maggie. “What Is Apple Face ID and How Does It Work?” Pocket-Lint, 4 Mar. 2022, www.pocket-lint.com/phones/news/apple/142207-what-is-apple-face-id-and-how-does-it-work. Accessed 04 Nov. 2022.
⁶Groeneveld, Rachid. “The Password Problem.” Nomios, 7 July 2021, www.nomios.com/news-blog/password-problem/. Accessed 04 Nov. 2022.
⁷Fernandez, Ray. “The Challenges Facing the Passwordless Future.” ESecurityPlanet, 25 Sept. 2022, www.esecurityplanet.com/applications/passwordless-challenges/. Accessed 04 Nov. 2022.
⁸Vojinovic, Ivana. “Save Your Data with These Empowering Password Statistics.” DataProt, 2 Nov. 2022, https://dataprot.net/statistics/password-statistics/. Accessed 05 Nov. 2022.
Honan, Mat. “The End of Passwords.” MIT Technology Review, 23 Feb. 2022, www.technologyreview.com/2022/02/23/1044953/password-login-cybersecurity/. Accessed 03 Nov. 2022.
Kinzer, Kelsey. “The Benefits and Challenges of Passwordless Authentication.” JumpCloud, 12 Jan. 2022, jumpcloud.com/blog/benefits-challenges-passwordless-authentication. Accessed 05 Nov. 2022.
Berhanu, Manny. “The Beginning of the End for Passwords.” FutureBusiness, 10 June 2022, future-business.org/the-beginning-of-the-end-for-passwords/. Accessed 03 Nov. 2022.
Rob. “The End of Passwords? Why the World Is Moving Away from This Traditional Method.” ROWND, 27 June 2022, blog.rownd.io/the-end-of-passwords-why-the-world-is-moving-away-from-this-traditional-method/. Accessed 05 Nov. 2022.