Passwords have been in use throughout human history, from the ‘watchwords’ of ancient Roman armies to the four-digit PIN locks on our smartphones today. But as cyber security becomes an increasingly important concern, many experts point out that passwords may have outlived their usefulness.
The World Economic Forum found that cybercrime-related activities result in an estimated cost of $2.9 million every minute, and about 80% of these activities are attempts at cracking passwords. And with the advent of working from home, companies are more invested than ever in ensuring the security of their employees’ devices.
Microsoft is one of the companies leading the transition away from passwords towards alternative means of authentication, especially in its cloud computing technology. At the recent Microsoft Ignite Conference, the company announced that it was making passwordless logins a standard practice for Azure Active Directory and that its recently launched FIDO2-based Passwordless Pilot Program had been updated to include a host of new features. Why is a tech giant as big as Microsoft aggressively pushing towards a passwordless future, and is it a viable prospect?
Cyber Security Flaws of Passwords
A significant flaw of password-based authentication is its heavy dependence on the user. According to a survey by the UK’s National Cyber Security Centre, many people still prefer to set up easy, simple passwords that form a predictable pattern of digits and letters, like 123456. While easy to remember, those passwords come at the cost of being easy to crack using brute-force techniques, enabling a potential attacker to assume the user’s digital identity to commit fraud, among other crimes.
Compounding the problem of a weak password is the tendency of many users to reuse the same password across multiple sites and accounts, ranging from their social media to their financial accounts. One study revealed that more than half of the respondents used an average of just five passwords across all of their services. A single compromised password could spell disaster for a user, and even more so if they hold sensitive information about their company.
Many users may already have their passwords out in the open: the website Have I Been Pwned has a database of over 613 million passwords that data breaches have exposed. Passwords acquired through these breaches are usually sold en masse to other attackers, who use automated attacks like credential stuffing to find a password that matches an account.
Alternatives to Password Authentication
One of the more common ways to strengthen authentication is to use a password manager, especially one that generates unique passwords and automatically changes passwords every few months. Changing passwords frequently greatly reduces the risk of user data being affected in the event of a password breach.
Two-factor authentication is another common method of going semi, if not fully, passwordless. This way, even if a potential attacker obtains the user’s password, they cannot bypass security without the authentication code on the user’s second device, although this isn’t entirely foolproof. Another way to beef up cyber security is to enable biometric authentication on devices that support it, since one’s face or thumbprint is a fairly reliable password.
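As an added illustration of the second-device authentication code described above (this is example code, not from the original article or from Microsoft), here is a minimal time-based one-time password (TOTP, RFC 6238) generator and verifier. The shared secret, timestamps and the `login` helper are assumptions constructed for the example: the secret is the test seed published in RFC 4226/6238, and the `password_ok` flag stands in for whatever password check a real service would perform.

```python
import hashlib
import hmac
import struct

# Constructed for this example: the RFC 4226/6238 test-vector seed, not a real secret.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per code, as in most authenticator apps
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238) is HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = TIME_STEP):
    """Return the matching time-step counter, or None if the code is wrong.

    `window` tolerates clock drift between phone and server by also accepting
    the neighbouring steps. The comparison is constant-time so that a
    character-by-character timing difference leaks nothing about the code."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, len(submitted)), submitted):
            return counter + delta
    return None


class Account:
    """Hypothetical account record: tracks the last accepted counter so a
    code that was already used (e.g. captured in transit) cannot be replayed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def login(self, password_ok: bool, submitted_code: str, unix_time: int) -> bool:
        # Both factors must pass: a leaked password alone is not enough.
        if not password_ok:
            return False
        matched = verify_totp(self.secret, submitted_code, unix_time)
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


if __name__ == "__main__":
    acct = Account(DEMO_SECRET)
    t = 59  # RFC 6238 test time: falls in counter step 1
    code = totp(DEMO_SECRET, t)
    print("code for step 1:", code)                      # 287082
    print("password + code:", acct.login(True, code, t))  # True
    print("replayed code:  ", acct.login(True, code, t))  # False
    print("password only:  ", acct.login(True, "000000", t))  # False
```

The replay check is the part most toy implementations omit: RFC 6238 requires that a server never accept a code for a time step it has already accepted, otherwise a one-time password is one-time in name only. The drift window should stay small (one step either side is the usual default), since every extra step accepted multiplies the attacker’s guessing chance for a six-digit code.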
On the other hand, Microsoft is pushing for different alternatives to passwords with its new Temporary Access Pass and Fast IDentity Online (FIDO). The Access Pass removes users’ need to come up with new passwords, as it provides short-term login codes whenever a login attempt is made. FIDO, meanwhile, is developed by the FIDO Alliance, an open industry organisation that strives to reduce the world’s over-reliance on passwords.
Standards defined by FIDO are meant to get a user to abandon passwords entirely and are built into physical security keys, such as USB devices, that work in conjunction with biometric information. The newest update, FIDO2, was announced recently, with improvements in cryptographic security and ease of use.
Transitioning to a Passwordless Future
Even with a reported 200 million users who have moved to passwordless Microsoft services, that still leaves billions of users who prefer a password’s convenience. Security key setups aren’t as intuitive, and procedures often vary across different websites and applications. Physical security keys can get stolen or damaged, and Bluetooth keys can run out of battery right when one needs them. On a psychological level, generations have grown accustomed to using passwords, so a behavioural shift at the consumer level would need years of investment.
Among those transitioning towards no passwords, the preference is to keep the option of a password login alongside the security key, which in turn defeats the purpose. However, Gartner has predicted that around 60% of large-scale enterprises and 90% of mid-size enterprises would take the initiative to implement passwordless features in at least half of their use cases by the coming year.