Password authentication has been the de facto method for users to log into accounts for decades. Most every service, account, app, and operating system you use requires you to type a password to gain access. Fail to type the correct password, and it’s tough luck.
For a very long time, passwords were good enough. But as hackers and other nefarious organizations became smarter, more agile, and quicker to up their game, password authentication started showing its age. With a combination of brute-force and dictionary attacks and weak passwords, hackers can gain entry into just about any account.
To combat that, 2-factor authentication (2FA) was created. And, like regular passwords, it did a fairly good job of securing accounts for some time. Of course, hacking techniques evolved rather quickly, and in no time, 2FA was no longer the be-all and end-all security system it was thought to be. That’s especially true for SMS-based 2FA, where nefarious users can intercept SMS messages to read the 6-digit codes sent by the service in question. With a username, password, and 2FA code in hand, hackers have no problem accessing accounts.
What can companies and developers do in the face of growing threats to security?
Would you believe passwordless logins are the future of security?
What are Passwordless Logins?
First and foremost, let’s answer the obvious question. Passwordless logins are exactly what you think—logins that do not require the use of passwords. But how does this work? Essentially, passwordless logins employ authentication mechanisms that avoid having to enter a password to log into a service or app. In order to do this, passwordless systems use things like passkeys, login tokens sent via email, or even phone pop-ups that allow you to control access to your accounts.
If you have 2FA enabled on your Google account, you’ve probably already experienced this when you receive a pop-up on your phone asking you to confirm or deny that it is you attempting to access your account. Tap “Yes,” and you’ll be allowed in. Tap “No,” and whoever is attempting to log in will be denied.
The passwordless part of that is the phone pop-up. Of course, at the moment, your Google account still uses a password for the initial login stage. Eventually, that won’t be the case. Instead, you’ll be able to use a physical hardware key or be sent an email with a link that provides the necessary access token.
Currently, the most widely accepted methods of passwordless authentication include:
- A one-time password (OTP)
- A secret PIN
- SMS- or app-generated 2FA codes
- Public key infrastructure-based (PKI-based) personal authentication certificates
- Biometrics, to complete the authentication process
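The “login token sent via email” method above is easy to get subtly wrong, so here is an added example (not code from the article) of a minimal magic-link token store in Python. The MagicLinkStore class and the 10-minute lifetime are assumptions; the example shows the properties a practitioner would check for: an unguessable token, hash-only storage on the server, expiry, single use, and binding to one account.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not from the article: a minimal magic-link token store.
# Assumption: a 10-minute window, a typical lifetime for an emailed login link.
TOKEN_TTL_SECONDS = 600


class MagicLinkStore:
    """Issues and redeems single-use, short-lived login tokens for email links."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock so expiry can be tested
        self._pending = {}           # sha256(token) -> (email, expires_at)

    def issue(self, email):
        """Create a token for `email` and return the raw token to put in the link."""
        token = secrets.token_urlsafe(32)          # 256 bits of randomness: not guessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, self._now() + TOKEN_TTL_SECONDS)
        return token                               # only the hash is kept server-side

    def redeem(self, email, token):
        """Return True exactly once for a valid, unexpired token bound to `email`."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)   # pop: any attempt consumes the token
        if entry is None:
            return False                           # unknown, already used, or replayed
        stored_email, expires_at = entry
        if self._now() > expires_at:
            return False                           # expired links are rejected and discarded
        # Constant-time comparison of the account binding; a mismatch also burns the token.
        return hmac.compare_digest(stored_email.encode(), email.encode())


if __name__ == "__main__":
    store = MagicLinkStore()
    link_token = store.issue("alice@example.com")   # constructed sample user
    print("first use:", store.redeem("alice@example.com", link_token))   # True
    print("replay:", store.redeem("alice@example.com", link_token))      # False
```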
The benefits of passwordless authentication include:
- An improved user experience
- No worries about password theft
- Protection against brute-force attacks
- A significant boost to your company’s cybersecurity efforts
- Reduced business costs in the long run
Doing Away with Weak Passwords
Part of the driving force behind passwordless logins is weak passwords. Although password managers have been available (for free) to users for years, consumers are still hesitant to make use of them. Because of that, they’re still working with weak passwords, such as “password” and “password123”. If “password” is what you’ve chosen to protect your account, it can be hacked in around 5 seconds. If you were to bump that password to 12 characters (containing upper and lowercase letters as well as numbers and a symbol), the time it would take a computer to crack it shifts dramatically to around 34,000 years.
That, of course, doesn’t take into consideration someone could trick you into handing over your password or find that handy piece of paper you’ve taped to the bottom of your keyboard that lists out all of your passwords.
With passwordless logins, that’s a thing of the past.
The Impact of Passwordless Logins
The biggest impact passwordless logins will have on the industry is the time involved with adding the feature to legacy apps. Consider this: At some point, password-based logins will become a thing of the past. When that happens, every application will have to be retooled such that it supports passwordless authentication.
For some businesses, that might not be an easy feat. This is especially so if a legacy app wasn’t built in a way that accommodates new technologies. As much as we’d all like to believe every application being used today would be capable of making such a migration, there are plenty of businesses (around the globe) that depend on outdated technology.
That’s going to take considerable time and effort, especially if an application has to be completely rebuilt, from the ground up, so that it can meet the more modern (secure) authentication method.
Of course, it’s not just about time. As you start to make this transition with your applications and services, you must be prepared to address the various issues that come up. Not every user will be comfortable making the switch, and it could fall to your company to help guide those customers, clients, and consumers. Do you have the staff and infrastructure to handle a deluge of support requests? And that assumes everything goes off as planned.
Let us introduce you to a man named Murphy, who has a law that essentially says, “anything that can go wrong will go wrong.”
You can be certain that such a big shift in your technology will cause issues. Even if you spend a good amount of time debugging the new features (or entirely new applications), it’s going to break. When that happens, you must be prepared to not only fix the issue but help those panicking customers who cannot access their accounts.
Along those same lines, users aren’t going to be very trusting of this new technology. The name alone might cause customers to question the validity of what you’ve done to your apps and/or services. Passwordless sounds insecure to the average user, and you might have to spend some effort assuring them that this is the future of authentication and that it’s considerably more secure than the traditional username/password. To that end, it’s important that you help your users understand that passwordless simply means they no longer have to type a password to gain entry to their accounts.
It’s Not Perfect
As much as the industry wants to proclaim passwordless authentication a home run, it’s far from perfect. For example, what happens if a user has their phone stolen? In the wrong hands, that phone can serve as a doorway to accessing accounts and services, even with passwordless authentication. With that phone in hand, a malicious user can intercept OTPs, PINs, and magic links to make it easy to log into a user’s apps and services.
On top of that, it’ll mean hackers shift their methodology to start focusing on hacking phones to gain access to those OTPs, PINs, and magic links. Should that happen, every phone manufacturer and mobile OS developer might have to boost the security of mobile OSes and apps or spend resources creating a backup solution for passwordless. Should someone’s phone be stolen, how do they access their accounts? Is your business ready to handle that eventuality?
And with the advent of AI and machine learning (ML), biometrics could become the next hacker target. Think about it like this: What if audio becomes the new passwordless darling? To log into an account, the user would only need to speak a phrase to gain access. With AI and ML, a hacker could create a deepfake of a user speaking their access phrase. All of a sudden, they’ve broken the security of that person’s account.
There are other scenarios, ones that developers and businesses have yet to consider, that could break passwordless authentication. Because of that, anyone creating apps and services that use this new authentication method will have to (at least during the early stages) be on their toes and ready to pivot at a moment’s notice.
The security of user accounts and applications should be a top priority for every business. And as passwordless authentication becomes a reality, it will be incumbent upon businesses to make this a smooth transition that won’t scare consumers away or cause confusion. You’ll need to make sure your project management game is on point; otherwise managing this transition could be a nightmare.
Passwordless is going to happen. Just make sure your company is prepared for any and all obstacles that get in the way of success, and you’ll be okay.