We're not saying it was you, but we've all known someone who kept a sticky note with their passwords next to their keyboard. The password note was the go-to low-tech way to manage multiple passwords and other authentication credentials before the days of password managers like 1Password and LastPass.
We might cringe at the idea today, but it was a simple (and often mocked) solution for the growing number of login credentials that consumers and business users created for new platforms and services.
Passwords have been part of computer and mobile phone use for years, but their time is coming to an end soon. The rise of cybercrimes, including phishing and ransomware attacks, has expanded the cracks in traditional authentication systems and spurred the adoption of a new way to log in — passwordless.
Passwordless is the industry's answer to the fact that traditional alphanumeric passwords have always had their challenges. Passwords are challenging for people to use securely, hence the sticky note of passwords.
On the other side of the screen, cybercriminals have gotten better at cracking passwords—putting personal and business data at risk. According to CNET, there were 1,862 data breaches in 2021, a 68 percent increase from the previous year.
Does passwordless replace two and multi-factor authentication?
The quick answer is no. The security industry has developed passwordless to authenticate people's identities better. It replaces passwords with secure identifiers that are easier for users to use securely.
These identifiers are things like email links, biometrics, and physical security tokens. You might use email links already if your organization uses Slack. Many of our clients use physical security tokens to confirm identity for login.
Software companies and hardware manufacturers are essentially removing passwords as an option for multi-factor authentication.
What other factors can people use?
Passwordless doesn't abandon the principles of multi-factor. Instead, it replaces passwords with alternative, more secure factors to have at least two to prove a user's identity. The factors in multi-factor authentication are broken into three groups.
Something you know
Passwords are an example of something you know. You had the information (hopefully not on a sticky note), and you could prove you had it. Security questions like your mother's maiden name, your first school, or the town you are your partner met are also examples of security factors you would know.
Something you have
Physical security tokens and time-sensitive keys are examples of security factors you have. You most likely have used this factor with two-factor authentication for email or financial services. A service generates a unique QR code that you use with an app like Google Authenticator to generate a time-sensitive key that expires every minute.
Something you are
Unlocking an Android device with your fingerprint or face with Face ID on an iPhone are two examples of biometric factors for authentication. Some enterprises use biometric factors for authentication of internal systems too.
What makes passwordless a better option?
Passwordless authentication moves away from those pieces of information that are easily phished or guessed. Many of these pieces of information — the first car we owned or where we went to school — are often found on our social media pages.
The problem with passwords has always been that, as humans, we need to be able to remember them. If those passwords aren't complex or hard to guess, they're vulnerable to cybercriminals.
Does this mean password managers are obsolete too?
Not yet. Their primary purpose beyond storing passwords is to generate secure passwords for services that will continue to use passwords for multi-factor authentication. These services also monitor for the strength of your existing passwords, check for duplication across services, and to see if your login credentials appear in any data breaches or on the dark web.
Earlier this month, Apple, Google, and Microsoft announced that they'd joined the FIDO Alliance to provide a standard passwordless login system on their devices and through their login system, including Apple ID and Google Sign-In. But that change is still years away from being available on all the major apps and services we use daily.
How does passwordless work in Zero Trust environments?
Zero Trust means you're authenticating every user, every device, and every service the user is accessing with that device. If you're authenticating everyone everywhere, your authentication needs to be fast and easy. Remembering multiple passwords for different areas can be complex and cumbersome.
That's where other secure authentication factors come in, like biometrics and physical tokens. If you can use those as one of your factors, it verifies who you are so you get access to the resources you need while still keeping true to Zero Trust principles.
As trusted partners in development, our team works with our clients to ensure they're up-to-date with the latest security patches and protocols to keep their data — and their customers — secure. Get in contact with us to learn more about how we can help your organization.