Farewell, Dear Password? The Future of Identity and Authorization

Many organizations are questioning whether eliminating passwords as an authentication tool would augment their overall security posture.

User authentication doesn't get much easier than the password.

But for organizations across the globe, poor password hygiene has become one of the most challenging security issues. According to Troy Hunt, creator of HaveIBeenPwned, an increasing number of data breaches and data leaks are a direct result of weak passwords and password reuse.

Verizon puts a number to that: More than 80% of breaches leverage stolen or weak passwords, according to its "2019 Data Breach Investigations Report."

"[Yet] despite their faults, passwords are enormously effective at one thing," Hunt says. "Everybody knows and understands how to use them. Above everything else, passwords are a very, very low barrier to entry."

Perhaps, but many organizations, along with their tech teams, are questioning whether eliminating passwords as an authentication tool might augment their overall security posture.

New Mentality

For that to happen, organizations need to understand that password elimination in and of itself is a journey rather than a destination, says Phillip Dunkelberger, CEO of Nok Nok Labs.

As a first step, organizations must determine what they are trying to accomplish. "Why are people eliminating passwords in the first place? If it's not protecting anything, why do I care if I have to use passwords or not?" Dunkelberger says.

If the goal is to make the user experience more convenient, the paradigm needs to shift from password authentication to a more seamless authentication. Organizations are typically looking at eliminating passwords either to improve the user experience or to improve security, but security and convenience don’t need to be mutually exclusive.

The reality is, keeping user information secure while ensuring privacy at a cost that fits within an organization's budget has made transitioning away from passwords to an alternative authentication solution a challenge. Even though people tend to think passwords are free, "password reset is very costly," Dunkelberger says.

A recent study from OneLogin found that resetting passwords set businesses in the UK back at a loss of 2.5 months per year. Businesses large and small are struggling under the strain of poor password management practices, and this failure of managing passwords and the mundane administrative tasks is costing businesses time and money.

According to Dunkelberger, the key to eliminating passwords is reducing the cost of alternative authentication solutions while providing privacy and using the best security in order to open a whole new world to the experience of the user. "The industry agrees that usernames and passwords need to be retired," Dunkelberger says.

Modern Thinking

One vehicle for transformation comes courtesy of the Fast IDentity Online Alliance (FIDO), which formed in 2012 to address interoperability issues in authentication devices as well as the growing password fatigue.

Increasingly, biometrics also are changing the way passwords are used and reducing the number of times users actually have to enter them. Rather than having to repeatedly enter a username and password, the FIDO standards leverage user devices combined with biometrics in order to authenticate Web services that have been FIDO-enabled in both mobile and desktop environments.

Using standard public key cryptography, "the FIDO protocol allows you to do three key things: discover what is on a device, enroll the user, and select the most convenient way to login. Then it provisions you with public/private key pair," Dunkelberger says.

FIDO's newest set of specifications, FIDO2, which consists of a WebAuthn and a Client to Authenticator Protocol (CTAP) standard, is being used by tech giants from Google to Microsoft in order to build out platforms with stronger credentials through the use of private keys. These private keys are said to be more secure than passwords because "there is always a server to keep a copy of your password," explains Dana Huang, director of engineering for Windows Security.

Microsoft recently announced that Windows 10 is going passwordless. "Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN," the company said.

This development follows in the footsteps of Apple, which released its facial identification technology, Face ID, on the iPhoneX. FaceID is reportedly 20 times less likely to be hacked than a Touch ID fingerprint.

A Dose of Reality

As much as some might hope, the evolution of authentication technologies doesn't necessarily mean passwords will disappear. But it does mean the mechanisms of authentication are becoming both more secure and more user friendly as these tools evolve.

In fact, Hunt says he'd make a gentleman's bet that five years from now we’ll have more passwords than we do today. "The interesting nuance, though, is what will it look like in terms of how we use passwords?" he asks. "How different will that be?"

As organizations continue to navigate the problem of passwords, it's also important to think about human behavior, Hunt says. Regardless of how authentication and identity solutions evolve, human behavior will more than likely stay the same.

"People are continuously finding these human ways to get around the technical barriers to entry. The really important thing for organizations to understand is that human behavior causes people to find the path of least resistance," Hunt says.

Related Content:

(Image by MiaStendal via Adobe Stock)

Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM's Security Intelligence. She has also contributed to several publications, ... View Full Bio

Recommended Reading: