Passwords: The End Is Coming

Passwords fade as advanced authentication methods rise. 

January 25, 2024


Valentin Vasilyev, CTO at Fingerprint, forecasts the slow end of passwords and explores advanced authentication methods to enhance virtual security amid rising cyber threats in 2024.

Passwords are on their way out, but their exit will be slow. Many emerging authentication methods provide more security. Fingerprint Co-founder and CTO Valentin Vasilyev explains the approaches that make passwords obsolete. 

New login authentication methods are entering the mainstream and beginning to push out the ubiquitous password. The demise of passwords will dramatically improve our virtual security. These codes have long been the gold standard for identity verification, but the proliferation of online accounts and growing hacker sophistication have weakened an already feeble security measure.  

Technology advancements bring new, more robust account protection tools. Many of them are easier to use. While the complete transition from passwords will be sluggish, businesses must now invest in advanced digital security. 

The Problem With Passwords

Passwords have been around for millennia. Ancient Roman soldiers used them to identify comrades, and Americans used them to access speakeasies during prohibition. A Massachusetts Institute of Technology (MIT) researcher deployed the first computer password in the early 1960s. The first breach happened almost immediately after a graduate student printed a list of passwords to extend his allotted computer time.

As the MIT situation quickly demonstrated, passwords are not impenetrable. The root problem lies in human nature and technical limitations. The average person has 22 accounts. Creating and remembering nearly two dozen unique, complex passwords is almost impossible. As a result, many people use the same password for multiple accounts.

To remember so many logins, people resort to something simple, like pet names or the infamous “password123.” But these are easy to guess. And even slight variations are susceptible to credential stuffing. Phishing and social engineering pose an additional risk. Bad actors create legitimate-looking websites, texts, or emails to trick people into unknowingly sharing their data. Once a fraudster has one password, they can easily access the rest of someone’s accounts. 

The password’s creator admitted the idea’s flaws in a 2014 interview, telling the Wall Street Journal, “Unfortunately, it’s become a nightmare with the World Wide Web. I don’t think anybody can remember all the passwords that are issued or set up. Either maintain a crib sheet or a mild no-no or use a program as a password manager. I have to confess, I used to use a crib sheet.”

Automation, generative AI, and the availability of cheap cloud computing resources further damage the security of passwords. Bots enable credential stuffing, allowing hackers to test stolen passwords on a large scale. Automation also executes brute force attacks, testing hundreds of password combinations. Meanwhile, GenAI can produce more convincing phishing attacks that could fool even the most informed individual.

In light of these developments, organizations must bolster their login security. 


Additional Security Layers

Businesses can add further security layers on top of passwords using several strategies.

1. CAPTCHA: The Completely Automated Public Turing test to tell Computers and Humans Apart, better known as CAPTCHA, is designed to distinguish human users from bots. However, these tests are becoming less effective as bots get smarter. Some can now solve the puzzles faster than humans.

2. Multi-factor and two-factor authentication (MFA and 2FA): This strategy adds a second authentication factor on top of the password. Typically, MFA requires two of three factors:

  • Something you know, like a password or PIN.
  • Something you have, like a device or authentication token.
  • Something you are, like fingerprints or other biometric data. 

Once users enter their password, the system requires another factor from the other categories to verify their identity. This could come in the form of:

  • A text or email code.
  • A magic link in an email.
  • A fingerprint or facial scan. 
  • A security token from a physical device that generates a code.

The method protects against stolen credentials. Even if someone possesses or guesses a login, authenticating as the account owner still takes considerably more work.

Most websites already use this strategy. Some regulations, such as the EU Payment Services Directive (PSD2), require MFA. 

3. Single sign-on (SSO): This approach allows users to access multiple applications with the same credentials. That doesn’t mean using the same password for everything. Rather, users authenticate themselves once and access all connected, authorized accounts seamlessly.

When a user enters the credentials in a central system, known as an identity provider (IdP), the system issues an authentication token to the user’s browser or device. Authorized applications simply verify the token rather than requiring a username or password. Enterprises often use SSO to provide secure access to internal applications. Google and Facebook are common IdPs available to everyone.

SSO is an improvement over passwords alone. It’s easier to remember one password, and IdPs’ security measures can detect suspicious activity, which triggers a second-factor authentication request. Convenience is another benefit. Users can quickly and easily log in while maintaining high security.
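The token exchange described above, as an added example that is not code from the article or from Fingerprint: the IdP signs a short-lived claim set once the user has authenticated, and a connected application accepts it by checking signature, audience and expiry, never a password. It assumes a shared HMAC key between IdP and application for brevity (real IdPs typically use asymmetric signatures), and the key and claim values are constructed.

```python
import base64
import hashlib
import hmac
import json

def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as used for compact tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def idp_issue_token(key: bytes, subject: str, audience: str, now: int, ttl: int = 300) -> str:
    """Identity provider side: sign a short-lived claim set for one application (audience)."""
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def app_verify_token(key: bytes, token: str, expected_audience: str, now: int):
    """Application side: return the subject if the token is genuine, meant for us and unexpired,
    otherwise None. The application never handles the user's password."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):   # constant-time signature check first
        return None
    claims = json.loads(_unb64(body))
    if claims.get("aud") != expected_audience:   # minted for a different application
        return None
    if now >= claims.get("exp", 0):              # expired: user must re-authenticate at the IdP
        return None
    return claims.get("sub")

if __name__ == "__main__":
    demo_key = b"constructed-demo-key"            # constructed, not a real secret
    token = idp_issue_token(demo_key, "alice", "payroll", now=1_700_000_000)
    print(app_verify_token(demo_key, token, "payroll", now=1_700_000_010))  # alice
    print(app_verify_token(demo_key, token, "wiki", now=1_700_000_010))     # None
```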

Passwordless Authentication 

While the second factor in MFA is a form of passwordless authentication, MFA itself is not passwordless because the first step requires credentials. Passwordless authentication neither implements nor replaces MFA, but the two can be combined for the greatest possible security. 

There are several options for passwordless login methods.

  • One-Time Passwords (OTP): This strategy automatically creates a password when a user attempts to log in. The system delivers the code via an email, text, or authenticator app. The password is only valid for one session and a limited time.
  • Magic Links: Users enter their email address or phone number instead of a username and password. They receive a link that verifies their identity and logs them in.
  • Biometrics: Biometric authentication uses fingerprints or facial recognition. Users like this approach because it’s easy to use and hard to spoof. A PYMNTS study found that more than half of online buyers employ biometric authentication. However, it is hardware- and platform-dependent.
  • Push Notifications: This strategy sends a push notification to a dedicated companion app. The user taps the message to log in. This method verifies that the user is logging in from known hardware.

The Life Expectancy Of The Password

The password is not dead yet. Despite its flaws, there are several hurdles to adopting more secure methods. 

For businesses, adoption means investing in new technology and hardware. These systems are more complex and costly than conventional password-based approaches. Many legacy companies have competing business priorities, and login security may not top the list, leading them to delay implementation. But in the end, enhanced security and streamlined processes offset the initial development costs.

Additionally, people don’t like change, and some may not be aware of the risks related to passwords. As a result, many will be reluctant to adopt alternatives that seem less convenient or unnecessary. Businesses must make their passwordless flows as frictionless as possible to encourage adoption. Device intelligence solutions will make these security measures more feasible and palatable for users by accurately recognizing returning users.

Will we see the end of passwords in 2024? No. But the movement has started — many big tech companies are already going passwordless. Organizations must implement more secure login methods to protect themselves and their customers from online threats. 

How can advanced authentication methods reshape password protection strategies in 2024? Let us know on Facebook, X, and LinkedIn. We’d love to hear from you!


Valentin Vasilyev

Co-founder and Chief Technology Officer, Fingerprint

Valentin Vasilyev is co-founder and Chief Technology Officer at Fingerprint (formerly FingerprintJS), which started as an open-source project in 2012 under the former name that still exists today. Fingerprint became a SaaS product in 2020 when co-founder and CEO Dan Pinto joined the company. Valentin has a 20+ year developer career as a polyglot programmer, including expertise in Ruby-on-Rails and JavaScript. FingerprintJS began as a side project and turned into a full-time career, which now supports over 6,000 companies, 12% of the Top 500 websites, and an active GitHub community with over 20K+ stars.