5th May 2022 marks World Password Day, but when could we start celebrating World Passwordless Day?

It is estimated that the average person has 100 passwords for his or her many accounts. If you take the advice of security advocates and opt not to reuse passwords, that’s a lot to remember!

In the digital economy of today, passwords sound and feel so passé… 

Yubico has been on a mission to make password-free logins a reality for all since 2016, when the team co-developed the first working reference design for the FIDO2 open standard that started it all.

How far are we from a future without passwords, and what will it take for us to get there, so we could one day celebrate “World Passwordless Day” instead?

CybersecAsia connected with Geoff Schomburgk, Regional Vice President, Asia Pacific & Japan, Yubico, for a deep dive into this question and more:


Why have passwords been so difficult to replace?

Schomburgk: “Username and password” has been in existence as a means of authentication for over 60 years, and was not originally designed as a security measure. The populace has become trained to expect a password to get online and now almost all online services require a user account with username and password to gain access to services, e.g. social media, online shopping, frequent flyer programs, buying tickets and even parking your car.

The average person has over 100 different accounts, with each requiring a password. Each has different complexity requirements, and most demand to be changed or updated regularly (because they are inherently insecure).

We all have so many passwords, but that doesn’t mean that we like them. In fact, most people hate them and want to get rid of them! However, with such an ingrained habit of relying on passwords to log in to everything online for decades, eliminating passwords will be a long and slow process. As with most habits, change is difficult!

How does passwordless login actually work?

Schomburgk: “Passwordless” is a login method that does not require the user to enter a password at login. Instead, the user can use alternate methods, including biometrics (Windows Hello or FaceID), security key, embedded email links, One Time Password (sent via SMS) or a smartcard to log in. Recently, the term passwordless has been associated with the FIDO protocol and a physical security key for login.

FIDO2 Passwordless login was designed specifically to be easy to use, highly secure and to work at scale.

At the login prompt, instead of entering a username as the first step, the user can select the option to sign in with a security key, such as a YubiKey. The user simply inserts the security key, enters the PIN, touches the key (to validate that it is an actual person, not a piece of malware) and that’s it. No username, no password required.

In your opinion, how is the evolving cyber-threat landscape – including high-profile cyber breaches, the COVID-19 pandemic etc. – impacting the adoption of passwordless authentication in the year ahead?

Schomburgk: In a nutshell, it has accelerated the awareness and adoption of Passwordless.

The increased threat landscape has highlighted the inadequacies of common login methods. The most common threat is phishing attacks, which attempt to fool us into giving up our login credentials – our username and password.

Industry research shows that over 80% of successful data breaches are a result of stolen login credentials. With a success rate that high, we have seen the intensity and sophistication of cyber-attacks increase and focus on phishing attacks.

In response, businesses, governments and consumers are all searching for a more secure way to log in, but importantly one that does not make it more complex. The FIDO standard, passwordless login, offers the highest level of security in a simple, easy-to-use way.

Through the FIDO Alliance, the tech giants (Microsoft, Google, Apple and many others) are increasing the passwordless experience to a wider range of services, applications and platforms.  So, we can expect a real momentum for increased adoption of passwordless authentication in the year ahead.

What progress has the cybersecurity world made so far in advancing passwordless authentication? What insights can you share about the development of global standards like FIDO U2F and smart cards that can give us hints as to how FIDO2 will continue to develop?

Schomburgk: As described previously, the passwordless experience is being added to more applications, services and platforms as new releases ship. Both software and hardware vendors are adding the FIDO passwordless authentication capability to their products. Passwordless is now a standard feature on many platforms.

Yubico co-created the first FIDO U2F standard in 2012 in collaboration with Google. In doing so, we realized that bringing a highly secure authentication technology to market did not necessarily drive wide adoption. The need to bring all major vendors along was more important than the technology itself.

So, Yubico has brought together the major industry players under the FIDO Alliance to drive the development and evolution of the FIDO2/WebAuthn standard as the basis for modern passwordless authentication. Adoption of secure, easy-to-use login at a global scale has always been our ambition – to make the internet safer for everyone.

How can businesses begin to transition to passwordless authentication without overhauling their current infrastructure?

Schomburgk: Businesses may be surprised to find passwordless features already in place within many of their existing technology products, as an effect of the increasing threat landscape and industry response.

But the reality is that legacy authentication methods will be around for a while yet.  So the transition to passwordless is more of a journey than a destination.

This journey has several stages:

  1. Increase the awareness of passwordless experience
  2. Enable the features so users could adopt them
  3. Modify existing onboarding processes to accommodate passwordless as an option
  4. Retire old, insecure methods of authentication
  5. Help users understand the benefits of an easier to use login method (with minimal change required) and the added benefits of increased security

This journey takes time (and money) and involves change, so businesses are unlikely to overhaul all of their current infrastructure at once.

Therefore it is important to have a solution that supports the passwordless protocols and the legacy protocols on a single device. This simplifies the transition, enabling businesses to migrate their applications to Passwordless, one by one.