It seems like every week brings some sort of new password-related frustration. Usually it involves a data breach of some website where passwords weren’t encrypted and are now compromised. But there are other situations that come up, too, like the time I found someone had co-opted one of my email accounts for a Groupon account (I made a mad dash to change passwords that day). I’m sure my email frustrations aren’t any different from anyone else’s. But passwords are ubiquitous with internet use, even though it’s been proven time and again that passwords are the weakest link in the security chain. We have to deal with it until something better comes along.
Luckily, it appears that a password-free future may be on the horizon.
Today, the Trend is Around Authentication
At Identiverse 2018 in Boston, where the focus of the conference was managing and securing digital identity, the topic of a password-less world was a frequent discussion topic. I was intrigued. A few years ago, at RSA, I attended a seminar about the feasibility of eliminating passwords, and one of the panelists said the only way possible is to find a group of people who have never used the internet and start them off with some other type of authentication. Good luck with that; simply because passwords are so ingrained, that’s probably what we’d start with. I wanted to know, have we finally reached the point where we can be authenticated into our accounts without having to memorize an eight-digit code with a mix of capital letters, numbers and symbols?
That’s what the panel of the keynote address, “Towards a Future without Passwords,” addressed. Right now, the trend to protect our digital identities is to add a layer of authentication such as an SMS or fingerprint or even a program that recognizes our typing style. Yet, those all continue to backup a password. How, then, do we move toward a future without passwords?
Work of the FIDO Alliance
The FIDO (Fast IDentity Online) Alliance has opened the gates to this password-free world. FIDO UAF (universal authentication framework) allows users to use a single gesture to log on to the devices you use every day, reducing the reliance on passwords. To bump up security, there is FIDO U2F (universal 2nd factor), which uses an external security key that anyone can buy online for less than $20. You plug it into your device as the second authentication factor to log in to certain websites.
I sat in the audience of this keynote and was impressed at how accessible this substitute was, not only for passwords but also for an SMS code. Watching the demonstrations and listening to the talk, it sounded to me as if password-free was just about here.
Bring Password-Free Authentication Online
There are still a few snags in the system. First, not every website and company offers the security key as a authentication option. Second, there are logistics to figure out in the enterprise space. FIDO’s frameworks tie the user to the device. That’s easier to do for someone new onboarding into the organization, but it may require the creation of all-new digital identities for current employees. There’s also the question about usernames—right now authentication is driven by a system that connects a username or email or a device to the authentication method. If we eliminate usernames, which is likely as we move away from passwords, there needs to be a system in place for users to claim devices.
Then there are the users themselves. As it stands, FIDO’s framework is straightforward and appears easy to use, but there are multiple steps to doing so, as well as having the security key. Users want to be able to log on with as few steps as possible. Research shows that barely a quarter of users take advantage of a second authentication step, even when it is easy. Will they want to switch to something that requires a multi-step process to read their email or check their Facebook page, even if it means not typing in a password?
The password isn’t going to disappear anytime soon, the panel agreed. We’re conditioned to using them, and companies will have to rethink their business model and consumers their whole lifestyle to make a password-free world exist. Still, there is some exciting research happening in this space, such as Trusona’s frictionless authentication system that connects through an app and uses dynamic QR codes.
There’s hope for a future without passwords. It’s just not clear when that future will truly arrive.