Why it’s Time to Kick the Password Habit

Old habits die hard, as they say. Yet, countless behaviors once deeply ingrained into our lives have been abandoned and replaced by new norms. It’s hard to imagine waiting several days to develop a photo and see how it turned out. Or physically visiting a shop to rent a film, then rewinding it and bringing it back when finished – it feels alien now.

These leaps forward are underpinned by decades of hard work, collaboration and smaller steps in technological progress, eventually culminating in significant change at a societal level. We are currently experiencing a similar movement where, in the not-too-distant future, remembering and entering passwords to access websites and services will be another example to add to the list. A scenario where the youth of tomorrow will ask with a raised eyebrow: “Why would you ever do that?”

The answer, which is as true of passwords as photography and video rental services in the 90s, is that we had no better alternative. Many of our habits today are mere by-products of technology, offering us the best it can at a particular moment.

Now we have that better alternative to passwords, with the industry developing and adopting passkeys.

What Are Passkeys?

Passkeys are built upon open standards from the FIDO Alliance and W3C WebAuthn communities, addressing the security flaws and the scalability challenges of legacy authentication solutions – including 2FA solutions like SMS OTPs. Ultimately, this means giving people and service providers a far greater level of security and greater convenience, allowing users to sign in with the same action (typically a biometric or PIN) they use to unlock their devices dozens of times each day.

The industry is putting its support behind passkeys too, having played a major role in helping develop the standards. Google recently announced that passkeys are now available for all its users to move away from passwords and two-step verification, as has Apple. Windows 10 and 11 have long supported device-bound passkeys in Windows Hello – and passkeys from iOS or Android devices can also be used to sign into sites in Chrome or Edge on Windows.

There’s also momentum from service providers, including PayPal, Shopify, Hyatt, Mercari and Yahoo! Japan, to name a few, who continue to adopt passkeys.

Normalizing Fraud is Another Bad Habit

When the internet arrived and killed off innumerable analogue habits that seemed so ingrained into our lives, it also introduced a host of new digital ones. Password-based authentication offered a logical initial mechanism for people and businesses to add at least some protection against fraud. But unfortunately, its failings have been proven repeatedly, and its capacity to offer security has deteriorated over time.

With passwords and many 2FA methods, a user’s credentials are knowledge-based, meaning they can be shared and therefore, unwittingly given over to fraudsters. This enables the vast majority of social engineering attacks, from phishing to authorized push payments to social-engineered push fatigue – all of which attackers leverage to commit fraud and identity theft.

We’re now at a stage where fraud is so rife that it’s considered a cost of business, with companies prepared to write off substantial sums as they are powerless to do anything about it. UK Finance found that over £1.2bn was stolen through fraud in 2022, of which £485.2m came from authorized push payments – where victims were tricked into transferring money to fraudsters.

Given any other label, these figures would justifiably cause panic and alarm. But they don’t, because we have become numb to them. We’ve seen this kind of fraud data and reports of wide-scale identity theft published with increasing frequency since the dawn of the internet, and because there has been no obvious solution, we have simply come to accept it. This has become another bad habit we really must lose. Doing so can save people and businesses billions globally.

We will never be able to eliminate all types of fraud. But we can eradicate one of its biggest causes by breaking this dependence on passwords in favor of possession-based authentication mechanisms such as standards-based passkeys.

Why Are Passwords so Hard to Quit?

Why then, if passwords and knowledge-based authentication are so imperfect, have they not been replaced already? Through my time at the FIDO Alliance, I’ve seen first-hand how difficult and nuanced this problem has been to solve. Many new techniques with good intentions and varying degrees of success have been bolted onto passwords. Some, like SMS OTP, may have improved security but ultimately do not do enough, and also sacrifice convenience for users.

Other techniques offer the highest possible levels of security but require a physical token, which has proven to be a hurdle for widespread adoption among consumers. There are examples and use cases where this higher level of security is critical, and the trade-off in usability is more than warranted.

In short, there has never been an acceptable option for businesses, service providers or consumers to increase both security and convenience at a large scale. Until now.

People Want to Kick the Habit

Getting people to adopt any new technology en masse is always a major challenge. But we are seeing signs that the appetite is there. A recent FIDO survey of US consumers found that readiness for passkeys is up nearly 20% since Autumn 2022, with over 57% of consumers saying they are interested in using passkeys to sign in to their accounts.

Demand is even higher among those already preferring and using stronger authentication methods like biometrics. We found that 65% of people who prefer biometrics to authenticate themselves would be interested in using a passkey, while nearly half of those who prefer passwords would be.

This is hugely encouraging and offers instructive insight into the minds of consumers for any business or service provider that may be considering how they could and should bolster their authentication systems.

At the Tipping Point of Change

Passkeys differ fundamentally from previous approaches to improve the authentication process because they reinvent what it means and looks like for mainstream users, and we have evidence that people indeed want them. For the first time, there is an authentication approach that enables businesses and service providers to improve security and user experience at the same time.

With major platform and service provider support, we are now at the tipping point of passkey adoption. It is time for businesses and service providers to look seriously at their authentication systems and ask whether they can kick the habit of an internet lifetime. In doing so, they can better protect themselves, their employees and customers online while reducing friction to a degree that can significantly impact their bottom line.