Why Aren’t We Already Using Passwordless Authentication?
You press your thumb to the bottom of your phone screen, and it’s unlocked in a second. Why can’t we do that at the bank or when logging into Twitter or YouTube? What’s stopping us from ditching passwords altogether and turning to other methods? Read on to learn about the prospects of passwordless authentication and why we still must wait for it a bit longer.
Why should we consider going passwordless?
One of the main reasons is the fact that year after year, “12345” stays at the top of the most popular passwords list. Millions of people reuse absurdly simple passwords across multiple platforms, even though they are very easy to crack by using a dictionary attack. It makes passwords (and the people using them) one of the weakest links in the cybersecurity of any company or service. Users don’t want to put a lot of effort into them, and they rarely consider the implications.
Weak passwords are just part of the problem. What people do with them is even worse. Even if they come up with a more robust password, they reuse it across all their accounts. Dozens of identical credentials mean that if one account is compromised, all of them are. Most users don’t have even basic password safety habits. Think of office workers who write their account passwords on a piece of paper and leave it on their desks. Or people who list their credentials in a notebook and carry it around with them.
To put it simply — it’s hard to trust users with their own passwords.
What are the alternatives?
There are many other ways to authenticate a user besides a username and a password. Most are not too difficult to implement and maintain. Here are the most popular ones:
Biometrics. Fingerprint and face scanners on our phones and other devices can serve as authentication devices for various platforms — and already do. This is a fast and easy-to-use method.
Temporary passwords. The service generates a code or a password and sends it as a text message to the user’s cellphone every time they want to log in. It’s a great authentication method for people who are not tech-savvy or don’t have a smartphone.
Hardware tokens. These small devices generate passcodes or connect to a computer for authentication. Some also double as a fingerprint scanner – users can choose which method they prefer.
Magic links. Whenever a user wants to log in, they enter their email, and the service sends them a magic link. Clicking on it logs the user into their account automatically.
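The magic-link flow from the list above, as an added example that is not code from the original article or from any particular service: the token in the link is random, stored server-side only as a hash, expires, and works once. `MagicLinkStore`, `LOGIN_URL` and the 10-minute lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Assumed values for illustration; not taken from any real service.
LOGIN_URL = "https://login.example.invalid/auth"
TOKEN_TTL_SECONDS = 600


class MagicLinkStore:
    """In-memory table of pending login tokens (a real service would use a database)."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # sha256(token) -> (email, expiry timestamp)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email):
        """Return the link to email; only the token's hash is kept server-side."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email, self._clock() + self._ttl)
        return LOGIN_URL + "?" + urlencode({"token": token})

    def redeem(self, token):
        """Return the account email, or None if unknown, expired or already used."""
        entry = self._pending.pop(self._digest(token), None)  # pop: single use
        if entry is None:
            return None
        email, expires_at = entry
        return email if self._clock() <= expires_at else None


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("alice@example.com")  # constructed sample address
    token = link.split("token=", 1)[1]
    print(link)
    print(store.redeem(token))  # first click logs in
    print(store.redeem(token))  # replayed link is rejected
```

Because only the hash is stored, a leak of the pending-token table does not hand out working links, and anyone who can read the user's mailbox within the lifetime can still log in, which is why the email account becomes the real credential.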
Going passwordless would improve user experience — using a fingerprint scanner is a fast and reliable authentication method. It would also mean that there would be no more password reset procedures — IT departments throughout the world would be very grateful. Also, when it comes to biometric authentication, you don’t need to remember anything at all. It means there are no post-its on the computer screen or notes in your planner. You can’t lose it, steal it, or forget it.
Why can’t we throw away our passwords yet?
Alternatives to passwords are not complicated to implement and use. Unfortunately, all of them raise serious security concerns of their own.
Data leaks, man-in-the-middle and SIM swapping attacks, keyloggers, and spyware — all of these make using your cell phone or a different online account for authentication extremely risky. Your phone battery may also die at the worst possible time, or you can lose or destroy the device itself. The same could happen to a hardware token. If something happens to it, you will be locked out of your account. Getting and setting up a new one might turn out to be far more complicated than a classic password reset.
That leaves us with biometric authentication, considered to be the best alternative to passwords. We are already using it for unlocking our devices or authorizing a money transfer. The main problem is that it’s not as reliable and foolproof as we would need it to be to get rid of passwords forever.
Imagine that a service you use is breached. If you use a regular password and it is leaked, you can change it immediately, and if you haven’t reused it anywhere else, all your accounts are safe.
However, if the breached account used biometric data for authentication, that data can never be changed. This means that every other account that you protect with your fingerprint is compromised. Yes, exploiting leaked fingerprint records is not as straightforward as exploiting leaked passwords. But it’s still possible to spoof someone’s fingerprint, as researchers have already shown.
Lastly, social engineering is not going anywhere. Cybercriminals will continue to develop new schemes to trick people into giving them access to their personal and work accounts no matter what authentication method they use.
Therefore, the focus should be not on what revolutionary technology will eliminate passwords from our lives. The real question is: what will users and companies do once it does? Will they be able to recognize scams before it’s too late? Or will we find ourselves in the same spot years later, only with compromised biometric data instead of passwords?
It looks like passwords are here to stay for a little longer.
As authentication technology advances, cybercriminals come up with new ways to exploit its weaknesses. Therefore, security researchers must always be one step ahead and keep developing new safety mechanisms. Going passwordless is still a realistic possibility, but not until we are sure that our unchangeable biometric data can be stored securely.
The best solution for the foreseeable future might be to use two-factor authentication by default and offer a third factor as an optional extra layer of protection to those who want it.
Strong passwords are difficult to remember and a hassle to type in every time you log in. That’s why you should use a password manager that automatically stores and fills passwords whenever you visit a site or use an app that needs one.