I’ll go ahead and say it: I hate passwords. I know that’s far from being a controversial opinion. But it’s just that I hate them with a passion. And that’s a huge problem because you need passwords for virtually everything now, from listening to music to reading emails. Of course, I use a password manager and biometrics wherever I can. But it isn’t enough: There are plenty of services asking me to create, update, or reset my passwords.
So, it’s normal for me to ask this question: Why don’t we kill passwords already? If we already have technologies that can do the same job seemingly without security- or management-related issues, why aren’t we living in a passwordless world? Unfortunately, there are several reasons why.
Why We Should Get Rid of Passwords
Before getting into the “why,” I’d like to go over the reasons why passwords suck in the first place. While I can certainly make a list of my own personal reasons, I think it’d be more beneficial if I listed more objective arguments (though, deep down, we all know why we want to leave passwords in the past).
The first reason is probably the most important reason against passwords: how insecure they actually are. A password is a shared secret, and anyone who learns it is you as far as the service can tell. If your password is short, predictable, or built from a dictionary word and a year, attackers don’t need to be dedicated; a wordlist and a few seconds will do.
But they don’t even have to guess. There are countless breach dumps on the internet, and attackers replay the email-and-password pairs from one leak against every other service (credential stuffing). If a site leaked its password hashes, they can crack weak ones offline. And if none of that works, they can steal the password with a keylogger or simply phish it out of you, because a password typed into a convincing fake login page is every bit as valid as one typed into the real one.
And then there are the management issues. A password that resists guessing and cracking has to be long and random, and long, random strings are impossible to remember for more than a handful of accounts. That’s why we have password managers: to generate a unique secret for every service and remember it for us.
Unfortunately, a lot of people don’t use them and prefer, instead, to choose weak or very common passwords that are very easy to guess. What’s worse, they reuse them across multiple services, so a single breach anywhere opens the door to a myriad of other platforms without that much effort from the attacker.
The Alternatives Already Available
I know that I didn’t have an epiphany when I said that passwords are easy to crack and hard to manage. Plenty of people already realized that a long time ago. And many of them already devised alternatives so we can finally ditch this archaic system in favor of a more secure and convenient one.
The most ubiquitous involves biometrics, be it fingerprints or face scans. Just by pushing your finger on a sensor or pointing your face at a camera, you can get access to a service or platform. In the passwordless designs that matter here (the ones standardized by the FIDO Alliance and built into modern phones and laptops), the biometric isn’t sent anywhere: it unlocks a private key that lives on your device, and the device uses that key to sign a one-time challenge from the service. There are two advantages to this. For one, it’s harder to steal your fingerprint or, well, your face than to steal a string you type into a web form, and nothing you could type into a phishing page is ever transmitted. And second, the verification happens locally; the company only stores a public key, which is useless to anyone who breaches its database, instead of a password or a biometric template.
There’s also the possibility of using physical tokens (hardware security keys), which are basically like the keys to your home or your car. Plug one in over USB, or tap it over NFC or Bluetooth, and it performs the same sign-the-challenge step without you ever inputting a password. Naturally, these tokens are rarer and aren’t as widespread as biometric scans, which are already built into modern operating systems.
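To make the “the service never holds anything secret” point concrete, here is an added example that is not part of the original article and not the code of any real authenticator or website. It is a deliberately simplified simulation of the FIDO-style flow described above: the user’s device (the simulated authenticator) generates a key pair, the service (the relying party) stores only the public key, and every login is a signature over a fresh random challenge bound to the origin the browser is talking to. The origins `https://bank.example` and `https://bank-login.example`, the user name `alice`, and the `UnlockWithBiometric` call standing in for a real fingerprint match are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models the user's device (phone, laptop, security key).
// The private key never leaves it; the biometric check only gates its use.
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	unlocked bool // set by a (simulated) fingerprint/face match
}

// RelyingParty models the service. It stores one public key per user and
// no password, hash, or biometric template, so a breach of pubs yields
// nothing an attacker could replay.
type RelyingParty struct {
	origin string
	pubs   map[string]*ecdsa.PublicKey
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// UnlockWithBiometric stands in for the local sensor match (an assumption of
// this example; a real device compares against a template it never exports).
func (a *Authenticator) UnlockWithBiometric(matched bool) { a.unlocked = matched }

// signedPayload binds the challenge to the origin the browser reports, which
// is what makes a signature produced on a phishing site worthless elsewhere.
func signedPayload(origin string, challenge []byte) []byte {
	h := sha256.New()
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(origin)))
	h.Write(l[:]) // length prefix keeps origin and challenge from blurring together
	h.Write([]byte(origin))
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert signs the challenge for the origin the client is talking to.
// Without a successful biometric match the key is never used.
func (a *Authenticator) Assert(clientOrigin string, challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("biometric verification failed; refusing to sign")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedPayload(clientOrigin, challenge))
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, pubs: map[string]*ecdsa.PublicKey{}}
}

// Register stores only the public half of the user's credential.
func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.pubs[user] = pub }

// Challenge issues a fresh random nonce so an old assertion cannot be replayed.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the signature against its own origin, not the one the
// attacker's page used, so a relayed phishing assertion fails here.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedPayload(rp.origin, challenge), sig)
}

// LoginScenarios runs three logins: a genuine one, one where the biometric
// match fails, and one where a phishing site relays the real challenge.
func LoginScenarios() (genuine, lockedOut, phished bool, err error) {
	rp := NewRelyingParty("https://bank.example")
	auth, err := NewAuthenticator()
	if err != nil {
		return
	}
	rp.Register("alice", &auth.priv.PublicKey)

	c1, _ := rp.Challenge()
	auth.UnlockWithBiometric(true)
	sig1, e1 := auth.Assert("https://bank.example", c1)
	genuine = e1 == nil && rp.Verify("alice", c1, sig1)

	c2, _ := rp.Challenge()
	auth.UnlockWithBiometric(false)
	_, e2 := auth.Assert("https://bank.example", c2)
	lockedOut = e2 != nil

	// Attacker proxies the bank's challenge; the browser truthfully reports
	// the phishing origin, and the bank verifies against its own origin.
	c3, _ := rp.Challenge()
	auth.UnlockWithBiometric(true)
	sig3, e3 := auth.Assert("https://bank-login.example", c3)
	phished = e3 == nil && rp.Verify("alice", c3, sig3)
	return
}

func main() {
	g, l, p, err := LoginScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine login ok: %v\nlocked out without biometric: %v\nphished assertion accepted: %v\n", g, l, p)
}
```

The third scenario is the one worth staring at: the user did everything wrong (visited the fake site, passed the fingerprint check) and the attacker still ends up with a signature that the real service rejects, because the origin is inside the signed data and the challenge is single-use. That is the property a typed password can never have.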
There are also some more experimental designs around passwordless authentication that involve combining several signals to decide whether a user can access a particular service or not. Some of these signals include network address, behavioral patterns, gestures, and even geolocation. On their own they are risk indicators rather than proof of identity, and these designs aren’t mature enough to be used as a sole factor at scale.
As you can see, there are alternatives to passwords. So why aren’t we all using them?
The Roadblocks to Passwordless Authentication
If we already have the infrastructure, the technologies, and the knowledge to embrace passwordless authentication, then there are definitely things preventing its widespread adoption. Which ones, you ask?
According to Andrew Shikiar, executive director of the FIDO Alliance (an organization that promotes authentication standards to reduce the world’s over-reliance on passwords), “The problem is we have a dependence on a really poor foundation. What we need to do is to break that dependence.” In other words, using passwords feels natural right now, mainly because we have been doing it for so long.
So, one of the keys that explains why passwords are still around is because we have used them for decades, and breaking free from them will be full of friction. Think about it. Finger and face scans are already available but how many people do you know use them? And how many devices and services integrate them?
People might despise passwords but they are familiar with them, so they keep using them. And companies stick with that pattern as well, especially given the user experience issues related to new authentication methods. That’s why it might be hard for companies to push people toward passwordless authentication—because including the passwordless methods in a solution doesn’t guarantee that people will adopt them.
But there’s something more. As you surely know, passwords come with account-recovery options (reset links sent to your email, for instance) that serve as a backup in case a password is lost or stolen. Passwordless methods still haven’t developed a fallback that is as convenient as those recovery flows. Sure, you could adopt security questions or a PIN sent to a server as your backup, but that’s almost the same as using a password, and it inherits the same weaknesses. (A PIN that only unlocks the device locally and never leaves it is a different matter; it can’t be phished remotely.)
That’s why passwordless designs are implementing methods that rely on a second device for backing up the authentication process. The way it works is fairly simple: Once you’ve authenticated yourself on a device (say, a laptop) using your fingerprint or face scan, you can grant access to other devices using that “secure device.” While that sounds pretty straightforward, it introduces a new problem: What happens with people who can’t afford (or don’t want) a second device? You either force them to get a new one or neglect them altogether.
Finally, there’s a distant possibility (but a possibility nonetheless): If a service ends up storing data about your fingerprints or face on a remote server, what happens if someone steals it and uses it to pose as you? Unlike a password, you can’t rotate your face. In the designs described above the biometric template never leaves your device and the server holds only a public key, so this requires a service doing something the standards were written to avoid. Still, with the emergence of 3D printers, it’s easy to imagine a fake finger carrying your prints being pressed against a sensor, which is exactly the kind of presentation attack device makers have to keep defending against.
All these factors combine to thwart any attempt to finally kill passwords. Until we deal with them properly, we can’t make the transition to a passwordless world, basically because these concerns are too important to ignore. In the meantime, passwords will have to do, as will the suggestions to increase their security: using a unique password for every service, installing a password manager, and enabling two-factor authentication (ideally a hardware key or an app rather than SMS).