Executive Summary
- No matter how secure a password might be, it is still not 100% secure, which is why we already combine passwords with two- or multi-factor authentication.
- With so many additional options for passwordless authentication in the modern world – from biometrics to FIDO – we wonder whether it’s time for the world to stop relying on passwords.
- In this article, we’re imagining a world where passwords have become obsolete. Here are the alternatives which, in most cases, are far more secure than passwords ever were.
Introduction
Cyber security has evolved by leaps and bounds in the last decade or two.
Consider the smartphone in your pocket: a simple glance and it unlocks without the need for a password – and with reliable biometric security.
Within all of this evolution, however, one thing remains stubbornly constant: the need to use a password. Funnily enough, we’ve always known that passwords weren’t a reliable long-term solution – Bill Gates himself predicted their demise back in 2004 – but we’ve still not made the leap to passwordless authentication.
So, with one foot in a world without passwords, let’s imagine what might happen when we dive in entirely.
Why passwords just aren’t enough anymore
Did you know that the first computer system to use a password was the Compatible Time-Sharing System (CTSS), an operating system from 1961?
Of course, a lot has changed in the past 60 years, but the password is still in common use. The reason is mainly to do with the popularity of online services, which require a means to verify a user without them being physically present.
But it’s this popularity which also leads to some of the security risks involved with password use. Why? Because, with so many different services to log into, people will naturally become overwhelmed and eventually start to reuse passwords or simply use passwords which are easier to remember.
This isn’t the individual’s fault; it’s basic human nature. So, what can we do to resolve this and make passwords either obsolete or at least less common?
Passwordless alternatives – 3 options for businesses
So, it’s clear that passwords have their days numbered, but is the technology to replace them ready for prime time? Well, there’s no lack of options, that’s for sure; it’s simply a matter of adoption.
Here are 3 passwordless options – or at least methods to reduce your company’s reliance on passwords – that you might want to try in your organisation.
“Magic Links”
The concept of the “magic link” has risen in popularity over recent years, and while it is technically a passwordless solution, it basically just relies on another form of third-party verification.
That’s because the magic link is sent to your email inbox on the assumption that only you have access to it. Whether it’s protected by MFA or some other means of authentication doesn’t matter, because magic links effectively pass on the authentication to your email provider.
For the app or service using magic links, this is a bit of an easy win; but be sure your email security is up to snuff before relying on them.
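The magic-link flow described above, sketched as an added example (not code from the original article or from any particular service). The function names, the `https://app.example` URL, the in-memory store and the 10-minute lifetime are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const TTL_MS = 10 * 60 * 1000;  // assumed link lifetime: 10 minutes
const pending = new Map();      // sha256(token) -> { email, expires }

const hash = (token) => crypto.createHash('sha256').update(token).digest('hex');

// Issue a link for an address. Only the token's hash is stored, so a leaked
// copy of the pending table does not contain usable links.
function issueLink(email, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex');
  pending.set(hash(token), { email, expires: now + TTL_MS });
  return `https://app.example/login?token=${token}`; // goes into the email body
}

// Redeem a link. The service checks possession of the link and nothing else:
// whoever can read the mailbox is treated as the account owner.
function redeemLink(url, now = Date.now()) {
  const token = new URL(url).searchParams.get('token');
  if (!token) return null;
  const key = hash(token);
  const entry = pending.get(key);
  pending.delete(key);          // single use, even when the link has expired
  if (!entry || now > entry.expires) return null;
  return entry.email;           // the account a session is created for
}
```

A short lifetime and single-use tokens limit how long a forwarded or intercepted email stays useful, but the strength of the login is still that of the mailbox.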
Biometric authentication
Biometric authentication might sound like a high-tech term, but it’s really as simple as unlocking the phone in your pocket.
Whether it’s a fingerprint sensor or a facial scan like Apple’s Face ID or Windows Hello, biometric authentication technologies are so secure that they can be used without the need for a password.
Biometric authentication is not a silver bullet, of course. As in the case of Apple’s Face ID technology, such measures are usually supported by a (very) occasional password or PIN confirmation for verification.
But, as a day-to-day passwordless solution, biometrics in consumer electronics are a solid step in the right direction.
FIDO2 security keys
The FIDO2 security key is a “something you have” factor, a concept covered in the note on Multi-Factor Authentication below.
FIDO, or Fast IDentity Online, was created by an alliance of organisations which aim to reduce the reliance on passwords across the world. FIDO2 security keys themselves are physical objects that can take any form, but are most commonly USB or Bluetooth devices.
They take advantage of cryptographic technology so that your ‘private keys’ (i.e. the technical wizardry which identifies you) stay on the device at all times. When you use a FIDO2 key to unlock a computer or log into an online service, a pair of keys (one public and one private) is created so that only that security key can unlock the account.
With a FIDO2 key, logging in and authenticating your identity is as simple as inserting a USB stick and getting on with your day. No passwords or memory tests required.
A note on Multi-Factor Authentication
We’ve covered Multi-Factor Authentication, or MFA, a few times on the Get Support blog, and it makes sense to mention it here when talking about passwordless solutions.
The key point to cover here is that MFA is not technically an alternative to passwords, but it can still be used without one. Essentially, MFA relies on one of three things:
- Something you know (e.g. a password or PIN)
- Something you have (e.g. your mobile phone or physical token)
- Something you are (e.g. a fingerprint or facial biometric scan)
For MFA to work, you just need any two out of these three, meaning you can easily go passwordless.
If you’re using Microsoft 365 to support your business, for example, you might want to consider passwordless authentication for Azure Active Directory. With this enabled, users can use a biometric scan (e.g. Face ID) plus the Microsoft Authenticator App with their iOS or Android device to create a fully MFA-compliant authentication system without using any passwords at all.
While you wait: How to use passwords securely today
As you’ll already know, we’re not quite ready to fully immerse ourselves in the passwordless world. No matter how hard you try, even if you go fully passwordless with tools like Windows Hello in your own business, you’ll still need to use passwords in some places.
For this reason, you should at least ensure you’re abiding by password best practices. One way to do that is with a Password Manager, which will automatically apply the most rigorous standards to your passwords and protect them with a single master password. In addition, it’s a good idea to follow the guidance of the National Cyber Security Centre on how to construct secure passwords.
Get ready for the passwordless future with Get Support
At Get Support, our aim is always to deliver the safest, most secure experience for our clients. That means that, as soon as new technologies to improve cybersecurity are available, we’ll dig into the detail to see how they could help the businesses we work with.
So, whether you’re already moving towards a passwordless setup, or you simply want to stay up to date with the latest developments in cyber security for your organisation, working with us is a great place to start.
To learn more about our growing range of IT support solutions, call us today on 01865 594 000 or just drop your details into the form below.