The passwordless revolution has begun. While passwords will most likely still be with us for many years to come, many organisations are moving to passwordless logins and promoting the benefits of dropping passwords. We take a look at what that will look like and why passwords may soon be a thing of the past.
With the news that Microsoft is allowing all of its users to scrap the traditional password altogether, “passwordless” login technologies are expected to surge in popularity. Passwordless logins are often touted as a more secure method of logging into accounts than traditional passwords, but how does scrapping the iconic password make an account more secure?
There are a number of potential passwordless alternatives to logging in with passwords, and most of these will use an authenticator app installed on the user’s smartphone.
An authenticator app is an app installed on the user’s smartphone that is designed to work in conjunction with a login page to help authenticate a user.
It means that someone logging into a user’s account will need access to the authenticator app, and thus access to the user’s smartphone.
Many users may already be familiar with these apps when using them for multi-factor (or two-factor) authentication. Authenticator apps can use a variety of different authentication methods, including
Authenticator apps are likely to become the most popular passwordless login method among home users. In that case, a passwordless login will involve a user entering their username on a login page before being prompted to open the authenticator app on their phone (which may itself be locked using a PIN or biometric ID) and authenticating using one of the options above.
You may ask why getting rid of passwords is worth it, considering users still need to go through the rigmarole of unlocking and opening their smartphones, sticking in USB keys, pushing buttons or using fingerprint ID etc.
The answer is two-fold, but both parts are linked to the same fundamental flaw: human nature.
Passwords are less secure. Many attacks on both business and home users are the result of data breaches, where cyber-criminals have compromised businesses and obtained and decrypted large masses of passwords belonging to their users. And despite persistent advice from the cybersecurity field, many users still insist on using the same password across multiple accounts, meaning such data breaches put multiple accounts at risk. Passwords can also be stolen via phishing scams and keylogging software.
Passwords are less convenient. The differing, evolving and often contradictory advice about passwords is a reflection on their convenience, or lack thereof. We’re told to create strong passwords, which can be difficult to remember. Many insist on also changing passwords periodically, which can lead to “password fatigue” where users instead default to simpler passwords that are easier to remember.
There are alternatives to authenticator apps. For example, a computer itself may use biometric data belonging to the owner, or the user could use physical USB keys to authenticate instead of a password.
The more security-conscious are likely to already have Multi-Factor Authentication or Two-Factor Authentication enabled, meaning two steps are required to log in (e.g. a password and an authenticator-generated PIN).
2FA becomes a bit more complicated once passwords are taken out of the equation, since the user will still need two different methods to authenticate themselves.
However, many who promote passwordless login argue that a secure passwordless login option negates the need for 2FA, since the option itself will need at least two factors to successfully authenticate. For example, a user would need possession of their smartphone (something you have) and will need to unlock it using the phone’s PIN (something you know) and then could lock the authenticator app using TouchID (something you are).
But of course, there are potential problems that arise here. Namely, what happens if you lose your phone, and with it the authenticator app you need to log in? Microsoft do provide “back-up” methods to circumvent the authenticator app, they say. This can include facial recognition technology (which requires a laptop) or a physical USB key (if you have one) or SMS and email PIN codes (but these are often seen as vulnerable, thus making the passwordless option less secure).
Additionally, those leading the charge on passwordless, which includes Microsoft, have been criticised for leapfrogging too deeply into passwordless far too early, when the technology is still in its infancy and vulnerable to attack. Microsoft is currently being criticised for vulnerabilities found in its Azure cloud computing service – a service that incidentally will play a vital role in their solution to passwordless logins.
But passwordless logins are likely to become an increasingly popular way of accessing our online accounts. Let us know if you’d consider this type of technology or whether you’d rather stick to your traditional password (and, we hope, your 2FA solution).