Passwords are Dead. Long Live Passwords

By: Nathan Sweaney, Security Advisor for the RSPA 

In 2004, Bill Gates said that passwords wouldn’t be around much longer. In 2011, IBM said that within five years, you’d never need a password again. In 2013, Google’s information security manager said, “Passwords are done at Google.” And yet most of us have more passwords today than ever before. So, is the concept of a password-free life just a shared delusion of the tech giants? Maybe, but I think there’s still hope. 

To understand passwordless authentication, it’s helpful to first think about multi-factor authentication (MFA). By this point, we’re all familiar with key fobs and 6-digit text messages as an additional form of authentication to validate our IDs in cyberspace. But we also use different forms of authentication in the physical world. For example, the physical control of your car key implies your ownership of the vehicle, and we don’t require an additional authentication factor when you start the car. But your home or business may require both a key and an alarm code. Your debit card requires both possession of the card and a PIN. 

The different factors of MFA are traditionally based on 1) something you know (passwords), 2) something you have (a phone or physical token), and 3) something you are (biometrics). A less well-known but increasingly common factor is behavior-based. For example, you may have noticed your bank requiring additional controls if you log in from an unusual location. To ensure strong authentication, we add factors that mitigate the risk of other factors being bypassed or stolen.

Passwordless authentication is built on technologies that already perform some measure of identity validation via various factors. You already control your phone, access to your email, and other personal systems that have authenticated you, so passwordless authentication takes advantage of that prior validation of your identity.  

One common technique is for a website to request only your username and then email you a code or link to complete the login. Access to the email account validates your identity. Another common use case is implementing Bluetooth-based systems that automatically log in a medical professional when they approach the PC in a patient room. Apple’s Face ID and Microsoft’s Windows Hello are other examples based on biometric factors, as are the fingerprint readers that many of us use on various devices.
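The email code-or-link flow above is only as strong as the token behind it. The following is an added illustration, not code from the article or from any particular vendor, of the server-side half: a high-entropy single-use token that is stored only as a hash, expires after a short window, and cannot be redeemed twice. The function names, the in-memory store and the ten-minute lifetime are assumptions for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed policy: a link is valid for ten minutes

# Constructed in-memory store standing in for a database table.
# Key: SHA-256 of the token. Only the digest is stored, so a leaked
# table cannot be replayed as a working login link.
_pending = {}


def issue_login_token(username, now=None):
    """Create a single-use login token for `username` and return the raw value.

    The raw token goes into the email; the server keeps only its digest.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[digest] = {
        "user": username,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_login_token(token, now=None):
    """Return the username if the token is known, unexpired and unused, else None.

    Looking up by digest means an attacker guessing tokens gains nothing from
    response timing: the comparison is between hashes of random values.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = _pending.get(digest)
    if record is None or record["used"] or now > record["expires"]:
        return None
    record["used"] = True  # burn the token so a copied link cannot log in twice
    return record["user"]
```

In a real deployment the store would be a database row bound to the requesting session or device, and the email would carry the token as a query parameter on an HTTPS link.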

Several new authentication technologies and protocols, such as FIDO2 and WebAuthn, are making passwordless authentication increasingly accessible. These standards allow easy integration of various authentication factors into a wider range of systems. In the very near future, we may reach a point where you no longer have to remember all those passwords.