Let’s face it — everyone pretty much hates passwords. While many industry titans are making significant and noteworthy moves to eliminate passwords and offer a passwordless future, it still seems as if passwords are not disappearing from our lives fast enough. In fact, it seems there are more passwords to keep track of than ever before.
Make no mistake — passwords will definitely be replaced. But our view of this, based on research as well as complications with password removal, indicates that day is perhaps farther away than most people think.
What will a passwordless future look like, and what will it take to become the norm? For a passwordless future to become the norm, a majority of organizations, both enterprise and consumer-facing, will need to offer a method or methods that the majority of users can and subsequently do adopt, while still securing the information that needs protecting.
If Everyone Hates Passwords, Why Do They Still Exist?
This is a very good question. There are a number of reasons why passwords still exist:
- At a high level, passwords are fairly easy and cheap to generate and implement from the service provider standpoint.
- Passwords can subsequently be easily replaced if lost or stolen.
- Passwords are deeply entrenched in existing architectures and aren’t as easily removed as people would like to imagine.
- Passwords, while hated, are still a familiar means of authentication.
However, despite how ubiquitous passwords are and how entrenched they are in our daily lives, since around 2000 passwords have become a serious liability. Many organizations still do not follow best practices for properly handling and persisting passwords and subsequently become victims of breaches, leaking this sensitive information into the wild for criminals to pick up and use. And users are simply not good at creating strong, unique passwords across the ever-growing number of services they need to use.
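The "properly handling and persisting passwords" the paragraph refers to has a fairly settled shape: a per-user random salt, a deliberately slow key-derivation function, a constant-time comparison, and a screen against known-compromised values as NIST SP 800-63B recommends. The following is an added example written for this article, not code from the authors or from VeriClouds. It uses PBKDF2-HMAC-SHA256 from the Python standard library (the iteration count is an assumption to be tuned to your hardware), and the compromised-password list is a constructed placeholder standing in for a real breach corpus.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Constructed stand-in for a breach corpus; a real deployment would query a
# compromised-credential service instead of an in-memory set.
COMPROMISED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

PBKDF2_ITERATIONS = 600_000   # assumption: raise until verification costs ~100 ms
SALT_BYTES = 16
MIN_LENGTH = 8                # 800-63B length floor for user-chosen secrets


def normalize(password: str) -> str:
    """Unicode-normalize so the same visible password always hashes identically."""
    return unicodedata.normalize("NFKC", password)


def check_password_policy(password: str) -> Optional[str]:
    """Return a rejection reason, or None if the password is acceptable.

    Follows 800-63B: enforce a length floor, impose no composition rules,
    and reject values that appear in a known-compromised list. The
    lookup is case-folded because breach lists are commonly stored that way.
    """
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return "too short"
    if pw.lower() in COMPROMISED_PASSWORDS:
        return "known compromised"
    return None


def hash_password(password: str) -> str:
    """Derive a salted, iterated hash and pack every parameter needed to verify.

    A fresh random salt per user means a leaked table cannot be attacked
    with one precomputed dictionary for every account at once.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        normalize(password).encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iters),
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(check_password_policy("Password"))
```

Storing the algorithm name and iteration count alongside the hash lets the site raise the cost later and re-hash each user transparently on their next successful login.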
What are the Password Alternatives?
In recent years, a number of alternatives to passwords have been proposed. Each alternative presents distinct advantages and disadvantages. Some of those disadvantages have contributed to the delay in finding a good, solid, secure, and easily adopted replacement for the traditional password:
One alternative that even many consumers know has been considered is biometrics. The premise, and the advantage, of this approach is that everyone already carries a unique token or tokens that can seemingly distinguish individuals: themselves. No two individuals, not even identical twins, share the same retinal patterns, the exact same tenor and timbre of speech, or the exact same fingerprints.
But the promise of biometrics is also its downfall. Once compromised, how can they be replaced? Biometrics are tightly coupled to the individual and cannot be changed. They can also fall prey to a number of approaches criminals can and do use to circumvent the security they seem to offer, including falsifying biometric information, coercion, and replay attacks. (A replay attack captures the “digital fingerprint,” the electronic token a biometric reading generates, and presents that same token to the authenticator again, so that authentication erroneously takes place.)
While passwords as a classic authentication mechanism represent something you know, what about switching to something you have, like a smartphone? This seems convenient as almost everyone who owns a smartphone likely has digital assets they are trying to protect via passwords. Smartphones also tend to be very closely guarded.
But what if your phone is lost or stolen? While smartphone manufacturers have done a great job of making their devices secure, they also know a security tradeoff against usability exists. Often a smart thief can leverage that tradeoff in some way to gain access to smart devices. And while many smartphones are protected by biometrics, these mechanisms can fall prey to all the disadvantages already mentioned with regard to biometrics. Biometrics, especially on small mobile devices, are often backed up by short PIN codes, which are themselves exposed to a number of known attack methods, compounded by the weak PINs users often set, again for convenience.
One of the most promising approaches in recent years has been the use of a hardware token such as a FIDO- or FIDO2-compliant YubiKey. This approach has been quite successful in deterring criminals from using the intercepting man-in-the-middle (MITM) or replay tactics that work against the other passwordless approaches mentioned above.
However, hardware tokens do represent something you have. What if your token is lost or stolen? In the case of a FIDO2-compliant token, a registered fingerprint is usually required to activate the hardware token at authentication time, so this provides an additional layer of protection. But regular FIDO tokens can still be lost or stolen and used by the thief to impersonate the victim. And because no real standard exists around hardware tokens and they still have not reached a threshold of adoption, for now, identity providers (IdPs) and service providers (SPs) continue to offer alternate forms of authentication that fall prey to any number of tactics, depending on the secondary forms offered or allowed in place of the hardware token (e.g., security questions, SMS, email validation, backup codes, etc.).
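The difference between the replayable biometric token described earlier and the FIDO-style exchange in the two paragraphs above comes down to whether the server contributes fresh randomness to every login. The example below is added for this article and is not code from the authors, from the FIDO Alliance, or from any YubiKey library. It simulates both models side by side: a static token that verifies again after being captured, and a challenge-response flow in which the server issues a single-use random challenge and the authenticator signs it together with the relying-party identifier. As a simplification so it runs on the standard library, a per-device shared secret and HMAC stand in for the FIDO key pair and signature; the relying-party id and origin strings are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Set, Tuple

RP_ID = "login.example.test"  # constructed relying-party identifier


# --- Model A: static authenticator token -------------------------------
# The "digital fingerprint" a biometric template produces never changes, so
# a verifier that accepts it once will accept it every time it is presented.
class StaticTokenVerifier:
    def __init__(self, enrolled_token: bytes) -> None:
        self.enrolled = enrolled_token

    def verify(self, presented: bytes) -> bool:
        return hmac.compare_digest(self.enrolled, presented)


# --- Model B: challenge-response bound to the relying party --------------
@dataclass
class Authenticator:
    """Stand-in for the hardware token; HMAC replaces a FIDO signature."""
    secret: bytes

    def respond(self, challenge: bytes, rp_id: str) -> bytes:
        # Signing the rp_id alongside the challenge is what makes a response
        # produced for one site useless at another.
        return hmac.new(self.secret, rp_id.encode() + b"|" + challenge, hashlib.sha256).digest()


@dataclass
class ChallengeVerifier:
    device_secret: bytes
    rp_id: str
    outstanding: Set[bytes] = field(default_factory=set)

    def new_challenge(self) -> bytes:
        challenge = os.urandom(32)
        self.outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # Single use: a challenge that was never issued, or was already
        # consumed, is rejected before any cryptography runs.
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        expected = hmac.new(
            self.device_secret, self.rp_id.encode() + b"|" + challenge, hashlib.sha256
        ).digest()
        return hmac.compare_digest(expected, response)


def demo_static_replay() -> bool:
    """True if a static token observed once is accepted again unchanged."""
    token = os.urandom(32)
    verifier = StaticTokenVerifier(token)
    captured = token  # what an observer of the first login would hold
    return verifier.verify(captured) and verifier.verify(captured)


def demo_challenge_replay() -> Tuple[bool, bool, bool, bool]:
    """Returns (first_login_ok, replay_ok, stale_response_ok, wrong_origin_ok)."""
    secret = os.urandom(32)
    device = Authenticator(secret)
    server = ChallengeVerifier(secret, RP_ID)

    c1 = server.new_challenge()
    r1 = device.respond(c1, RP_ID)
    first = server.verify(c1, r1)          # genuine login succeeds
    replay = server.verify(c1, r1)         # same pair again: challenge consumed

    c2 = server.new_challenge()
    stale = server.verify(c2, r1)          # old response does not match new challenge

    c3 = server.new_challenge()
    r3 = device.respond(c3, "login.example-test.invalid")  # constructed look-alike origin
    wrong_origin = server.verify(c3, r3)   # origin binding defeats an intercepting MITM
    return first, replay, stale, wrong_origin


if __name__ == "__main__":
    print("static token replay accepted:", demo_static_replay())
    print("challenge-response (first, replay, stale, wrong origin):", demo_challenge_replay())
```

The two properties to look for in any passwordless design are visible in the verifier: the server-side set of outstanding challenges makes each one single-use, and including the relying-party identifier in the signed message ties the response to the site that issued the challenge.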
So Really? When Will Passwords Truly Be Replaced?
Historically, it seems heavily entrenched methods, approaches, trends, or protocols follow a bit of a rule when it comes to being completely replaced called “The 30 Year Rule.” That is, it takes about 30 years for a truly new, groundbreaking approach to displace a heavily entrenched way of doing things.
Current alternatives to the traditional password — biometrics, smart devices, and hardware tokens — have been experimented with and implemented in various forms for about the last 10 years. Even if the 30 Year Rule were accelerated by some truly groundbreaking approach in, say, the next 10 years, passwords in some form on many computers are likely not to go away completely for another 15 to 20 years.
Until such time as a truly groundbreaking approach that is easily and universally adopted comes along, it looks like, unfortunately, the traditional password is here to stay in some form for the remainder of this decade at least.
About The Authors
Stan Bounev is the founder and CEO of VeriClouds. He is on a mission to solve identity fraud. Stan has over 20 years of product management experience in technology and financial services organizations solving a multitude of problems in identity and cybersecurity.
VeriClouds is a cybersecurity and data company that provides user context services to secure systems’ access and minimize account takeover attacks. The company detects the use of known compromised credentials and performs compliance checks against NIST 800-63B guidance.
Chris Olive is a seasoned and passionate cybersecurity strategist, evangelist, consultant, trusted advisor, and hands-on technologist with over two decades of cybersecurity consulting experience in the US/UK governments, the Fortune 500, and large international companies all over the world. Chris has primary expertise in Identity Access Management and Identity Governance & Administration along with professional experience and expertise in Ethical Hacking & Penetration Testing, Secure Development, and Data Security & Encryption. Chris is a frequent writer, speaker, and evangelist on a wide range of cybersecurity topics.