From the earliest days of recorded history, people have relied on passwords to prove their identity and protect what matters to them. The ancient Roman historian Polybius records how Roman soldiers used a complex system of passwords inscribed on wooden tablets to verify that sentries were at the correct outpost at the right time, and similar stories can be found in ancient civilizations all over the world.
In the classic folk tale Ali Baba and the Forty Thieves, the hero enters a cave of wonders after overhearing the magic password from a gang of bandits: “Open Sesame.” When his brother enters the cave, he forgets the password and is trapped forever inside. He could’ve done with a password manager.
When the first computers were developed, passwords took on a new meaning. Passwords were the ideal way to keep devices and applications secure, allowing computers to verify identity with a string of characters and numbers that was quick to input through a keyboard and easy for the computer to recognize.
Today, passwords have never been more important. We rely on passwords to access almost every facet of our digital lives, especially our work lives. For many people, a normal workflow means accessing dozens of applications and different services, each with its own unique account and password to remember.
This leads to a lot of frustration, and to security risks. The average employee has 191 different passwords to manage, making it impossible for most people to remember all of their passwords. This causes people to reuse the same password across multiple accounts and to choose easy-to-remember passwords that are just as easy to guess.
Recent research from Dashlane tells us that 30% of employees are likely to be reusing passwords on business accounts, with 22% of those using their personal passwords on work accounts. This is a significant problem for businesses: weak passwords mean that accounts can easily be accessed by cybercriminals, putting important business data at risk of compromise.
These inherent problems with passwords have led to many experts and organizations developing ways to build a future that is entirely passwordless. But how would a passwordless future work, and could having no password at all really be more secure?
What Is Passwordless Authentication?
Passwordless authentication comprises a range of methods that allow you to securely access accounts without the need to remember a password.
The most common method of passwordless authentication today comes in the form of Single Sign-On (SSO) solutions. With SSO in place, you only have to sign into one application, such as your Office 365 account or an SSO provider, to gain access to all of your company accounts seamlessly, with no further passwords required.
Single Sign-On isn’t a ‘true’ passwordless experience, however: you still require that initial sign-in for the system to work. But it does make life easier for users by reducing the number of secure passwords they need to remember. You can read more about SSO and how it works here.
Other common methods of passwordless authentication involve using biometric controls, such as FaceID or TouchID, to gain access to accounts. Or, using a second factor of authentication, such as a code sent to your email address or to your smartphone.
True passwordless authentication, though, requires a change in the underlying security technologies that govern how we access our accounts. The FIDO2 standard is a passwordless authentication method that replaces the password entirely with a fingerprint reader or a digital key, which could be a hardware token, a USB stick, or even your smartphone.
Many big companies, including Google, are working towards integrating this standard with their products. In 2019, a Google Product Manager told The Verge, “The world that we’d love to see is one where you don’t even have to do a traditional authentication with say, a password.”
Microsoft have also begun to roll it out across their devices, and many other organizations are likely to follow suit. But how secure can a future without passwords really be?
Is Passwordless Authentication More Secure?
In a recent article, we explored how SSO is, most of the time, more secure than using passwords to authenticate access. Moving away from passwords means that the security issues that weak and insecure passwords pose to both individuals and businesses are greatly reduced.
80% of data breaches today start with a compromised password. Password compromise can occur in a few different ways: weak passwords can be easily guessed, or attackers can find databases of breached passwords and use those to gain access to other accounts that use the same password.
In addition, phishing attacks often target users with fake log-in pages and emails requesting password resets, with the aim of tricking you into giving away your passwords and handing over access to your sensitive accounts.
Moving away from passwords to more secure methods of authentication, like fingerprint scans, greatly reduces these risks. Even using a second factor of authentication (something you own, like a smartphone) to authenticate your identity is far more secure than just relying on your password. At the end of the day, any other method of authentication will be more secure than using 123456 as your password.
For this reason, we’d recommend all businesses use multi-factor authentication to secure important company accounts. You can find out more about multi-factor authentication with our guide here.
For businesses, there are many benefits to passwordless authentication. It reduces the risk of attack, as we have already covered, but it can also save admins’ time and resources, as they would no longer have to deal with password resets and maintenance. Single Sign-On vendors like Okta also promise more visibility and scalability with passwordless authentication.
Passwordless access also has another important benefit: it’s far easier to use. Users no longer have to remember potentially hundreds of complex passwords, and will have greater peace of mind that logging into accounts will be safe and secure.
It is important to remember, however, that no type of authentication is ever 100% secure. If we moved away from passwords as a security standard and towards SMS authentication, for example, it is likely that attackers would spend more time looking for ways to intercept or guess authentication codes, or trying to execute more sophisticated phishing attacks. There are already reports of cyber-criminals looking for ways around two-factor authentication security protocols.
Biometric controls like fingerprint scans are the most secure way of protecting accounts, but we are still a long way from every user having the technology available to use biometric controls to access every account.
Are Passwords Really Going To Disappear?
These problems mean that it’s unlikely that passwords will disappear entirely anytime soon. There will be continued security risks associated with passwords for some time to come, as we transition from the use of passwords to more secure authentication methods.
In an interview with Expert Insights, Terence Jackson, CISO at identity management provider Thycotic, said that he believed passwords would be around for some time to come.
“I think the demise of the password has been greatly exaggerated,” he said. “In regard to end users logging into their devices, absolutely passwords are on the way out. But there are often forgotten passwords. If you look at most organizations, they have tonnes of systems, and a lot of the authentication that happens isn’t necessarily humans logging in or interacting with passwords. For example, there are application-to-application passwords, and developers put passwords in scripts that are running other services. Those passwords are probably not going anywhere anytime soon.”
This is an important point which cannot be glossed over. Passwords are an integral part of every company’s security stack, and even though we may be moving to a passwordless future, it’s still important that we manage passwords safely and properly throughout the organization.
Creating a secure password policy for your organization is critical for compliance, employee safety and the safety of your customers. And it doesn’t have to be difficult, especially with the use of a dedicated password management solution. We’ve put together a guide to how you can create a secure password policy for your organization here.
How Can Your Business Achieve Passwordless Authentication?
Today, the best way for your business to achieve passwordless authentication is with a Single Sign-On (SSO) solution. With SSO in place, your employees can access all of their important company accounts without the need to remember multiple, complex passwords.
Users simply need to verify their identity once, in one application, either through a biometric scan, a numeric code, or a traditional log-in, to gain access to all of their accounts seamlessly. This makes life much easier for the end user, while also providing important security benefits, like greater account controls and more granular security visibility for IT admins.
SSO solutions are the top way you can achieve passwordless authentication for your organization today. If you’re interested in finding out more about SSO, we’ve put together a list of the top SSO providers for business, which you can read here.