This is the second of a two-part series about the evolution of passwords. Earlier this week, The Edge examined the state of passwords and multifactor authentication. Now we move beyond to see what a passwordless world looks like and how organizations can transition to a passwordless framework.
Once upon a time, an eight-character password was all that was needed to protect a system. Cracking a password could take years. Of course, more powerful computers and more advanced algorithms came along and cut two ways: Today it takes no more than two-and-a-half hours to crack an eight-digit password using advanced algorithms and a brute force approach. In fact, the fastest processors can digest a mind-boggling 102.8 billion hashes every second.
Telling employees and consumers they have to create strong passwords with no other protection has become a fool's game. Not only is it impossible to remember complex passwords — especially when the so-called best practice is multiplied over dozens or hundreds of sites — it doesn't protect against phishing. While a 12- or 15-character password is more difficult to crack, and it's wise to use them — businesses must fundamentally rethink the way they approach passwords — particularly as far more powerful quantum computers appear.
"Organizations must look for opportunities to eliminate passwords altogether," says Joe Nocera, leader of PwC's Cyber and Privacy Innovation Institute. "The technology has advanced to the point where it's possible to use biometrics and tokens to establish trust and grant conditional access based on the token."
What's more, when passwordless systems are combined with enterprise identity and access management (IAM) and single-sign-on, convenience and security rise while costs drop.
To be sure, passwordless authentication is a boon to consumers and employees, who aren't forced to remember a password, reset a password every few months, and find themselves periodically locked out of an account. It makes it possible to use a smartphone or security key device to log into sites and transact without ever entering a password — because no password exists. In recent months, technology also has appeared to handle lost devices — and the tokens that reside on them — without reverting to a password.
No Free Pass
At the center of everything passwordless is FIDO2. The vendor-agnostic framework allows an individual to use a digital unlock system, such as Face ID or Touch ID on a smartphone, or voice or a PIN on a device to authenticate. The framework works across Windows, Mac, and Android. Once device authentication is complete, a private cryptographic key stored in the machine's Trusted Platform Module (TPM) handshakes with a public cryptographic key used for a website or application. Since the TPM cannot be modified and is inaccessible outside the device it is on, it delivers the absolute verification required. In other words, the person can be fully trusted.
It's a simple concept based on complex layers technology.
"It's both cryptographically strong, and it's tied to the user and the device," says Alex Simons, corporate vice president for program management in Microsoft's Identity Division. "So, while nothing is 100%, it's almost inconceivable that someone could break into it."
What's more, the FIDO2 framework has additional protections built into it. For example, a secure connection between cryptographic keys lasts only for a particular session. If a crook could somehow gain access to the specific code used for a session, it's invalid and gets rejected. This makes a man-in-the-middle-attack (MITM) impossible.
As a result, FIDO2 is gaining rapid adoption and making true passwordless systems possible. Although all the major players in the tech industry have signed onto the concept — including Apple, Microsoft, Google, Amazon, Intel, ARM, and Qualcomm — the migration to passwordless won't happen overnight. So far, most completely passwordless components have appeared for niche uses such as crypto exchanges, though eBay has emerged as the first major website to dispense with passwords entirely, and Microsoft has jumped on the passwordless bandwagon in a major way.
eBay transitioned to a password-free framework in 2020. First, it built its own open source FIDO server so it could retain maximum control over the authentication management. Then it set up second-factor authentication using FIDO's UAF protocol with push notification flow. So, when users log in with a device that supports FIDO2, they are asked whether they want to enroll in passwordless authentication. If they opt in, they register their biometric and, after that, the login occurs through the biometric. No username or password is required. For now, account recovery still takes place through a conventional email reset process, though eBay is working to make the recovery process passwordless as well.
Even more impressive is Microsoft's foray into passwordless. Full passwordless support is built into cloud service Azure, along with every Windows 10 device. The consumer platform, called Hello, is blazing a path to passwordless. More than 200 million people now sign into their computing devices every month without using a password, Microsoft says. The technology also allows provides access to services, sites, and more. Users enroll with a face scan and PIN, and on Touch ID-enabled laptops they can include a fingerprint as an additional layer of protection. If multiple users rely on a single device, it's even possible to create multiple accounts.
In addition, Microsoft has introduced a way to onboard more advanced authentication methods — and deal with a lost device or physical token. Its Temporary Access Pass steers clear of a password with a temporary code.
Authentication: The Next Generation
Within the next few years, when Apple and Google adopt full support for FIDO2 passwordless authentication on smartphones and wearables, the technology will almost certainly spill into the mainstream.
"Today's devices don't require the use of a password," states Andrew Shikiar, executive director and CMO for the FIDO Alliance. "The first step is taking the password out of the user's hands. The next step is taking passwords off servers. This will fundamentally change the user experience and it will represent a massive leap forward in cybersecurity."
At that point, a consumer or employee will dance across websites and services and log in seamlessly — and invisibly. Businesses will get out of the password reset business once and for all and improve security. Passwordless has major repercussions for IAM systems that today manage thousands of people, machines, and Internet of Things (IoT) devices across vast, multicloud environments and extended supply chains.
For retailers and others that depend on accounts, "The biggest benefit is a decrease in abandonment during the account opening process. You can also reduce liability due to keeping passwords in a database for compliance purposes while also reducing and even eliminating account takeover," says Mickey Boodaei, CEO of Transmit Security, a firm that offers an FIDO2-based solution that automates and manages enrollments.
Yet FIDO Alliance isn't stopping there. Last month it announced the launch of the FIDO Device Onboard (FDO) protocol, a new, open IoT standard that enables devices to simply and securely onboard to cloud and on-premise management platforms. The framework leverages asymmetric public key cryptography to build an any device to any device secure management system. Salah Machani, Director, engineering technologist at RSA, describes the specification as "a critical milestone toward securing the IoT supply chain and ecosystem."
Making the Move to Passwordless
For now, Forrester Research senior analyst Sean Ryan suggests companies start converting to passwordless through cloud and software-as-a-service (SaaS)-based applications, and ensuring that directory services and IAM systems can support it.
In addition, "If you have an IDaaS [identity-as-a-service] solution build off of that and use the proxy method to reach back in and protect the password credentials from exposure while letting people use a single-sign-on approach, that's passwordless," he says. "[Ultimately] you have to approach the task in steps and take a phased approach. There are some systems that you may not be able to modernize."
It's also wise to ensure that people are comfortable logging in using Face ID, Touch ID, Voice ID, and other biometrics. Ryan suggests using an opt-in approach and ensuring that biometric data always remains on the device and in the TPM. As organizations begin to spin up consumer-facing passwordless systems, it's important to ensure they work with all major web browsers and across all major platforms, cloud services, and operating systems. It's also essential to offer different ways to authenticate, including non-biometric methods such as a PIN that's stored in a device's TPM. For some, this can help alleviate privacy concerns.
In the end, it's not a question of whether passwordless is coming — it's simply a question of when. After years of fits and starts, promises, and disappointments, the technology framework exists to build a better — and far less cumbersome — authentication framework.
"Passwords may never go away completely," Microsoft's Simons says. "But the situation may become more like when a person goes to an ATM. All the back-end systems, including mainframes, become invisible. Five years from now, the majority of people using computing devices will not have to deal with passwords."