After headlines and heated discussions around large consumer breaches, the “death of the password” may be the second most common information-security (“infosec”) story out there. And it’s an old story: Bill Gates predicted the downfall of passwords over a decade and a half ago, in 2004. In the years since, many people, experts included, have regularly argued that new methods for verifying identity — from physical to behavioral to context-based authentication methods — would supplant the password and render it obsolete.
Yet we’re not only still using passwords, we’re using them more than ever before, thanks to the proliferation of accounts and devices. A scan of anonymized data from 20,000 inboxes in 2015 found that the average user had 90 online accounts and projected that number to double every five years… we’re just one year away from doubling again.
Are we finally, finally ready to enter a passwordless future? New open standards that shift us to web authentication for devices, rather than online services, may at last help us retire the password. But to understand why this time may be different, let’s first look at why passwords are so problematic and why we are still using them.
Memorizing passwords is incredibly hard — that same 2015 survey found an average of 37 forgotten-password emails per inbox. Even if you use a password manager, there is still considerable complexity in picking and remembering strong, complex passwords. And if you happen to be one of the millions of users who use the same password on multiple sites — for instance, securing your bank account with the same password as your subscription to MillenialMemes (not a real site) — the cash value of your bank account login is at least $100 on the black market while your MillenialMemes subscription is free. Such password reuse across multiple sites creates a dangerous “web of risk” that can make the breach of one service catastrophic across many sites.
For enterprises, it’s even more costly: Stolen passwords are the cause of 81% of security breaches — and each breach costs an average of $3.9 million. Even if a security breach never happens, resetting forgotten passwords could cost large companies about a million dollars a year.
In many ways, passwords are the symptom of a bigger problem — our failure to build security into the internet from the outset. We’ve been trying to plumb and hack and patch the holes ever since, and passwords have simply been the least bad option, allowing us to secure one account at a time. The alternatives — VPN and hardware tokens, phone-based authentication, biometrics — have either not worked as well as billed, or not been economically feasible.
Phone-based authentication is largely based on phone calls and SMS messages. Since these are tied to the user’s phone number, it is all too easy to social engineer or hack a cellular network so that the phone number is rerouted, allowing a bad actor to intercept messages and calls for a false authentication.
Biometrics — while seemingly the most convenient and most personalized to an individual’s identity — are all too easily forged, making users vulnerable to network hacks and malware. For instance, a high-resolution photo is able to bypass some facial recognition software. Biometrics raise privacy and bias concerns as well. Research has shown biometrics are far less accurate at identifying women and people with darker skin. Facial recognition in airports is the latest biometrics effort to raise the perennial civil liberty concern: What happens when entire governments and other institutions maintain centralized databases of biometric data that have an implicit bias and can be stolen or abused?
Tokens — devices that authenticate a user — have the potential to replace passwords, but so far the economics have stopped widespread adoption. Because a user logs in separately to Twitter, Gmail and Facebook, replacing each of those logins with a token would require buying dozens of $30 dongles.
But what if a user didn’t have to log in separately to each service? What if they could have a single token to rule them all? A shift from “account authentication” to “device authentication” would allow exactly that. Instead of logging in separately to each account, a user authenticates their device — such as a laptop or mobile phone — and then from that device can access all of their online accounts.
It’s a one-to-many approach to authentication with the potential to improve user experience and security, no passwords required. And new standards consortia, which have long sought a better alternative to the password, are driving the shift. In 2013, the FIDO Alliance drafted and implemented a number of open standards, including WebAuthn, a credential management API built natively into web browsers. WebAuthn provides a secure way to register a service to an authenticated device without transmitting passwords or user information to third-party servers.
For users, it is more convenient because they only need to “sign in” once to their laptop or mobile phone, typically with a hardware token (e.g., plugging a YubiKey into their computer). This provides the very benefit of password reuse — a single key to access all services — without the terrible practice of reusing passwords: the user needs only a single key instead of remembering dozens of passwords.
And it provides strong two-factor or multi-factor authentication that uses a combination of who someone is, what they know and/or what they possess to verify a user’s identity. Because security is device-based and authentication happens locally, there’s no risk of passwords being stored on servers — one of the biggest causes of breaches. If a device is stolen, the thief still needs the token to access anything.
Of course, there are limits to device-based security. We’ve tried for a long time to make devices secure by default, but even our best efforts can be undone by a careless mistake, such as leaving a device logged in and unattended or having a hardware token stolen so that a hacker can authenticate an alternate device. Forcing users through the device registration process every time they move to a new device could create more friction in the user experience. Additionally, the cloud has made us much less dependent on devices, so that secure information can still be accessed outside of a local device. While we have made some progress away from the password, there is never a perfect set of security practices. There will always be risk.
But overall, device-based authentication and open standards, like WebAuthn, could be the holy grail of authentication: more convenience and greater security. It is only now possible because of open standards and widely available hardware that supports them. While the future of device-based multifactor authentication will likely incorporate a mix of methods, with an open standard it will become more interoperable. The industry also seems to be recognizing that hardware tokens are the most secure approach, whether that is a chip in a credit card, a SIM in a cell phone, an enclave in an iPhone or a YubiKey. In the old days, buying industrial-strength hardware often meant reaching out to an enterprise software company, talking to an account representative, getting a quote, cutting a purchase order, and waiting a few weeks for delivery. Today, you can buy industrial-strength, standards-based security technology from Amazon and have it delivered to your home in days.
We may never fully kill the password, but these trends mean that every password we do retire brings us one step closer to a better, more secure tomorrow.