Passwords as a form of modern security are flawed, but what will a password-less future look like and are organizations ready? Kate O’Flaherty investigates...

Passwords are reaching the end of their shelf life. That’s according to numerous tech companies including Microsoft and Google, and the organization committed to reducing reliance on passwords, the Fast IDentity Online (FIDO) Alliance.

Passwords as a form of security are flawed: they are stolen, exposed in breaches, people forget them, use them insecurely and repeat them across services. Solutions such as password managers can help, but is it possible to move away from using passwords altogether, and are organizations ready for this?

Many experts believe that the future is password-less, and a large number of companies are already embracing this idea. In fact, according to Microsoft, 150 million people are using password-less logins each month.

What’s more, the move to password-less authentication could become widespread by as soon as 2022. By then, Gartner predicts that 60% of large and global enterprises and 90% of midsize firms will implement password-less methods in more than 50% of use cases – up from 5% in 2018.

However, the reality isn’t so simple. Many experts believe passwords will exist for a long time yet, at least in the form of PIN codes as part of Multi-Factor Authentication (MFA), which verifies identity by combining factors such as something you are, something you have and something you know.

In addition, many firms simply aren’t ready for a password-less future. Legacy infrastructure poses a huge challenge, and cultural and educational barriers need to be overcome.

The Password Problem

At a time when breaches continue to grow, there is no doubt passwords are causing problems for companies and users. The vast majority of data breaches are caused by passwords being hacked, stolen or otherwise manipulated, says Andrew Shikiar, executive director and CMO at the FIDO Alliance.

Shikiar argues that the whole approach to using passwords for authentication is “inherently flawed,” because the model is dependent on storing and matching ‘secrets’ on a server – which he says lends itself to “self-perpetuating problems.”

“Anything on a server can and will eventually be stolen, which is why login credentials inevitably make it to the dark web where they are purchased by hackers who use them to try and access various accounts.”

Although MFA helps, Shikiar points out that more sophisticated attacks can also manipulate SMS one-time passcodes or authenticator apps through man-in-the-middle or relay attacks. “The safest method is to authenticate users locally to a device in their direct possession which they use every day,” Shikiar says.
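The local, device-bound model Shikiar describes, shown as an added illustration that is not code from the article or from the FIDO Alliance: a hypothetical relying party (the `RelyingParty`, `Authenticator` and origin names are all assumptions) stores only a public key per user, the device signs a fresh challenge together with the origin it observed, and a response relayed from a look-alike origin fails verification at the real one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// RelyingParty is a hypothetical server: it holds only a public key per user,
// so a copy of its user table gives an attacker nothing that can log in.
type RelyingParty struct {
	Origin string                       // constructed, e.g. "https://example.test"
	Users  map[string]ed25519.PublicKey // user -> registered public key
}
// Authenticator is the user's device; the private key never leaves it.
type Authenticator struct {
	priv ed25519.PrivateKey
}
// Register creates the key pair on the device and sends the server only the public half.
func Register(rp *RelyingParty, user string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.Users[user] = pub
	return &Authenticator{priv: priv}, nil
}
// NewChallenge returns fresh random bytes that the server remembers for one
// login, so a captured response cannot be replayed later.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}
// signedMessage binds the challenge to the origin the client observed: a response
// obtained on a look-alike site carries the wrong origin and fails at the real one.
func signedMessage(challenge []byte, origin string) []byte {
	return append([]byte(origin+"|"), challenge...)
}
// Sign runs on the device with the origin the browser actually connected to.
func (a *Authenticator) Sign(challenge []byte, observedOrigin string) []byte {
	return ed25519.Sign(a.priv, signedMessage(challenge, observedOrigin))
}
// Verify succeeds only for a signature by the registered key over this server's
// own origin and the challenge it issued.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.Users[user]
	return ok && ed25519.Verify(pub, signedMessage(challenge, rp.Origin), sig)
}
```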

The FIDO Alliance encourages reducing reliance on passwords with the use of biometrics such as facial recognition and security keys, something many firms are already doing as part of MFA policies.

Indeed, big consumer tech brands are picking up on both forms of authentication, with users of Apple’s iOS operating system able to authenticate their accounts using FIDO-compliant keys such as Yubico’s YubiKey.

These have many advantages and can be used in conjunction with facial recognition, for example, but the main hurdle with security keys is usability – as a physical piece of hardware, they can be stolen or lost.

As for biometrics, these have been easily thwarted in the past – for example, fingerprint recognition was fooled by a gummy bear – but the accuracy and usability of Apple’s Face ID and Touch ID have now led to more widespread use.

In general, the technology is more robust and less prone to errors, making biometrics a viable form of authentication for businesses, too. Alex Schlager, executive director and chief product officer of security services at Verizon Business, explains how biometrics are becoming more advanced. “As well as biometric capabilities including Face ID and Touch ID, body vibrations can now be used to recognize you.”

Gemma Moore, director at Cyberis, says biometrics are “very popular” for authentication under password-less schemes. “These have the advantage that a user does not need to manage separate devices to gain access to the resources they need, they only need themselves.”

However, biometrics are still not perfect. The main challenge is what to do when they are breached. “The problem with biometrics is that they are often used as a replacement for passwords,” says David Emm, principal security researcher at Kaspersky.

“If there is a breach, I can’t change it. If my password is my fingerprint, I am exposed for life.”

However, Emm concedes this is down to how organizations store the data. “When using Apple’s Touch ID, nothing is being transmitted off your device, so if your phone is secure, no one can get access to it.”

In cases where the biometric data does leave the device, however, revocation becomes a big issue in the event of a breach, says Ken Munro, partner at Pen Test Partners. “If you have to revoke the fingerprint, how do you get another one?” he asks.

Biometrics are better than they used to be, with fewer false positives and negatives, but relying purely on them “is a problem,” warns James Bore, director at Bores Security Consultancy.

Bore says that although Face ID to unlock phones is fairly reliable because “people keep their smartphone on them,” laptops are different. “In some cases, you can bypass facial recognition by simply holding a photo up or using a 3D printer.”