Locked Away: How Far Are We From a Passwordless Future?


These days, it seems like everyone wants to get rid of passwords. While a passwordless future may be here for specific products and services, we are still a long way from a truly passwordless world. With more companies exploring new authentication technologies like biometrics and additional multi-factor authentication (MFA) factors like authentication tokens or authentication apps, though, it’s clear that professionals are eager for a passwordless world. Darren James, Head of Internal IT & Product Specialist at Specops Software, shares insights and where we’re headed.

Google has allowed Pixel devices and Android 7+ device users to verify their identity with their fingerprint or screen lock instead of a password when accessing certain Google services. Apple introduced Passkeys in iCloud Keychain with iOS 15 and macOS Monterrey, replacing password-based logins with Face ID, Touch ID or a security key. In September 2021, Microsoft declared that the passwordless future had arrived for Microsoft accounts — users can remove passwords from their Microsoft accounts and use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to their phone or email to sign into Microsoft services instead.   

How Did We Get Here? 

For the past 60 years, passwords have been a staple of computer security. Yet, professionals have only begrudgingly accepted passwords as a security mechanism for several reasons.

  1. Passwords can be cumbersome: The average person uses about 100 passwords, and for enterprise workers, their work-related passwords are just another set of passwords they have to remember. While password managers let users commit their passwords to a secure vault rather than to memory, a 2020 survey from YouGov and PasswordManagerOpens a new window found that 65% of consumers don’t trust password managers. This forces users to commit passwords to memory, and it’s no wonder that workers defy password recommendations by creating weak, easy-to-recall passwords that often consist of common words and phrases. 
  2. Passwords can be a major security risk: About 1 million passwords are stolen every week. A 2021 survey from PCMagOpens a new window found that 70% of respondents admitted to using the same password for more than one use, leaving each one of them open to multiple breaches. While weak passwords are easy for hackers to guess, phishing and social engineering schemes have also enabled hackers to steal passwords from enterprise help desks or employees themselves just by manipulating them.
  3. Weak passwords are expensive for enterprises: The theft of a single password can enable a data breach, and a 2021 IBM surveyOpens a new window found that the average cost of a data breach for survey respondents was $4.24 million. So, the dislike of passwords extends beyond the personal level to an enterprise-level, too. 

Despite this aversion, passwords are just too ingrained in our society and too heavily relied on to disappear overnight—in fact, while a plethora of new authentication methods has popped up over the last several years, passwords are still the most common method of authentication.  

See More: How Reversible Passwords Compromise Active Directory Security

Where Are We Headed? 

The most popular alternative authentication methods to eliminate passwords are biometrics and adding additional factors with MFA. While these authentication methods can add an extra layer of security to accounts and devices, cybercriminals will likely evolve their tactics to infiltrate new security techniques as they develop.  

We’re already seeing these authentication methods get hacked. In recent years, celebrities like Twitter CEO Jack Dorsey and actress Jessica Alba have been victims of SIM swap attacks. Hackers trick phone companies into mapping a phone number to a different SIM card that they can use to receive mobile verification codes and illicitly access accounts. Between April and May 2021, bad actors exploited an MFA flaw in Coinbase’s system that allowed them to receive customers’ two-step authentication tokens. From there, cybercriminals could access customers’ accounts and steal cryptocurrency from them.  

Meanwhile, a 2021 reportOpens a new window from digital asset exchange Kraken showed that $5 worth of materials could be used to bypass fingerprint authentication. If biometrics use grows and becomes more widespread, attacks on biometric authentication methods could also increase— but unlike your password, there is no (pleasant) way to reset your biometrics. With some state-sponsored hackers, significant financial resources could be funneled into developing methods to bypass biometrics and other MFA factors. 

As newer cyberattacks develop to disrupt new authentication methods, existing cyberattacks will persist. Phishing attacks will continue to rise since hackers can willingly trick users into surrendering tough-to-guess passwords. The same goes for social engineering attacks—the cyber attack on EA last year shows that help desks are still easily manipulated.  

See More: Passwords Have Led to Security Failure and Complexity – Is There a Way Out?

What Can We Do Today? 

As it stands, too many enterprises worldwide currently rely on passwords for passwordless technology to become ubiquitous quickly. So, the most likely standard to emerge will be using passwords as a required backup method for passwordless authentication methods like biometrics or as the first factor in MFA. 

Without a method to completely rid themselves of passwords, enterprises must continue to strengthen their password security to guard against cyberattacks. There are a few actions they can take to accomplish this: 

  • Institute a sound password policy and enforce compliance with it. Organizations such as the National Institute of Standards and Technology (NIST) have issued best practices for creating strong passwords that organizations can reference for their policies. Strong passwords can prevent hackers from guessing them outright. 
  • Block weak passwords and compromised passwords by employing a secure password dictionary.  
  • Use MFA as an added security layer to protect the password reset and user verification processes.  

Since a user is supposedly the only person who knows their secret password and can present it, passwords are intrinsically an effective authentication method and security mechanism. The problem with passwords is the humans that create them—we’re not inclined to use the optimal mix of letters, numbers and special characters that comprise a highly secure password. Luckily, enterprises can solve this problem by implementing better password policies and practices.  

While we’re all eager for the passwordless future, enterprises have a long time to go before they can stop relying on passwords to secure technology assets. In the meantime, we should use them to the best of our abilities. 

How can organizations make the shift to MFA and passwordless protection smoother for their employees? Share with us on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We’d love to get your take on this!