Is life without using and remembering complex passwords possible in the pandemic-era digital economy? This 2FA expert says yes.

Online passwords are like insurance: you know you need it but would life not be easier if it was not a necessity?

Cybercrime has become so sophisticated but the bottom line is that we are relying on decades-old technology to secure our most sensitive data when security threats have evolved past their protection.

So, despite the poor security and usability concerns, why are we still using passwords? 

The problem with passwords

Passwords have been the primary method of authentication used to protect data and accounts from unauthorized access for decades. However, exercising proper password hygiene has been the problem.

According to recent research the average person uses around 100 passwords. It is impossible for individuals to create unique and strong passwords for every single account, which is why many users end up adopting poor habits like re-using simple passwords across accounts, writing passwords on Sticky Notes, or saving passwords in online address books and unsecured files. In fact, the number one password of 2020 is still 123456.

When it comes to security, even complex passwords do not make the cut. When an account takeover occurs due to compromised credentials, every account that the compromised password was reused on is also vulnerable to a takeover. Stolen passwords are also sold on the dark web where hackers can leverage them for future phishing attempts, account takeovers, and overall wreak havoc on unsuspecting victims.

Nevertheless, there is still a lot to like about passwords, so let us not throw the baby out with the bathwater just yet. While passwords may offer poor security and usability, they are still widely used for a few key reasons due to their portability, compatibility and interoperability.

Passwords allow users to access any site, on any device, from any location, and no matter what, it never changes the user experience. Until we can provide an alternative solution that does the same, we will never be able to effectively eliminate passwords.

Is MFA enough?

Multi-factor authentication (MFA), which requires a combination of multiple forms of authentication to prove that you are who you say you are, can come in the form of something you know like a PIN or password: something you have like a physical security key or a smart card, or something biometric like a fingerprint or retina scan.

It is important to note that not all MFA is created equal, which can leave users frustrated with the hindered user experience. In fact, most of the common MFA solutions deployed over the last 20 years, such as SMS, email, and mobile phones—were not originally designed with superior security in mind. Instead, they were designed to offer a relatively simple user experience by tapping into technologies that most people already had access to like email and mobile phones. 

Although any MFA is better than none at all, most methods have their pitfalls. For example, SMS one-time codes are either hard or impossible to use if you are in an environment that prohibits mobile devices or does not have any signal reception.

Preventing account takeovers

Stolen credentials and phishing attacks are the main causes of account takeovers. To do away with passwords, identity authentication has to be solved at scale, with strong phishing-resistant security and accompanied by a seamless user experience that is natively supported by all operating systems and browsers working across all modern devices.

The answer could like in open authentication standards such as FIDO2 and WebAuthn that allow for interoperability at scale and rely on public-key cryptography with a one-touch user experience.

WebAuthn was the first global standard for passwordless web authentication and it is now supported by many platforms and browsers. It is paving the way to a world of highly secure password-free authentication, all while being extremely easy to use.

With WebAuthn, users no longer need to rely on the weak security of passwords, nor the poor user experience. Yet, WebAuthn and FIDO2 deliver on all of the portability, interoperability, and backward compatibility required to successfully eliminate passwords at scale.

Going forward, users can expect services to offer WebAuthn strong authentication methods, including the option to use security keys or built-in platform authenticators, like biometric readers, to protect their online accounts. Microsoft Azure Active Directory was the latest major corporation to enable passwordless login for its millions of users.

A passwordless future?

Now is the time for our systems to evolve past the well-built 1960s veneer and develop a set of credentials assigned to us, by us, for us, or for our use, that is still part of an access solution framework. Instead of having one personal computer or mainframe, we now have thousands of apps, systems, websites, programs, ERP systems and so on, all grappling to understand who we are and whether we should be allowed access.

While unique and complex passwords—created by users, stored in protected and secure password manager vaults—are a step in the right direction to secure access to valuable online accounts, it is clear that we must find our way beyond passwords.

The journey to a passwordless future is a transition and it will not happen overnight, but all things considered, we have a promising future ahead where the only ‘password’ required for all of your devices and online accounts lives on your keyring and not in your memory.