"Passwords are a pain in the neck for end-users and IT departments alike. Not only do they cause friction for employees, they are a prime target for social engineering and phishing attacks. The good news is that we are moving closer to a world where passwords will no longer be required, even for initial authentication or backup." Justine Louw, General manager: Microsoft, Tarsus Distribution
The problems with passwords are numerous
No one likes having to remember a long string of letters, numbers and symbols each time they log in, especially when policy forces a change every three months or a different password for every service. Users respond by writing passwords down, which creates a security risk of its own.
Or they pick details an attacker can easily guess, such as the name of a pet or a spouse. If they forget the password, recovering the account is a nuisance for them and for the IT department. Between weak passwords and well-crafted social engineering, passwords are rarely as secure as they seem. According to Microsoft, there are 579 password attacks every second, roughly 18 billion a year.
Many of the solutions adopted to address these problems have issues of their own. Multifactor authentication adds a layer of protection but adds friction for the end user. Password managers reduce that friction but are hard to administer at scale in an enterprise, and they concentrate all of a user's credentials behind a single master password, so a compromised or forgotten master password has a far larger blast radius than any one account.
Passwordless was even more inconvenient—until now
The passwordless concept isn't new, but early passwordless solutions were arguably more annoying than passwords. Typing in a one-time code received by SMS or email is cumbersome, and such codes can still be phished or intercepted in transit. Smartcards and hardware tokens bring their own headaches, and a lost or stolen device is a security risk if it is not protected by a PIN and promptly revoked.
However, we are starting to see the likes of Microsoft come up with smarter alternatives. You can already remove passwords from your Microsoft account and choose to authenticate yourself with whichever method works best for you—the Microsoft Authenticator app, biometric sign-on via Windows Hello, a security key, or a verification code sent to your phone or email.
Other companies are making rapid advances with biometric authentication, using built-in fingerprint, face or retinal scanners to authenticate a user seamlessly. Done properly, the biometric never leaves the device: it unlocks a private key held in the device's secure hardware, and the service stores only the matching public key. That removes the need for usernames and passwords and, with them, the shared secret that phishing and credential-stuffing attacks depend on, so security improves while the attack surface shrinks.
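To make that security claim concrete, here is an added example in Go (not code from the article, from Microsoft or from Tarsus) that models, in simplified form, how a FIDO2/WebAuthn-style security key or platform authenticator works: the device holds a private key scoped to one site, the site stores only the public key, and every login signs a fresh server challenge together with the origin the browser observed. The relying party `login.example`, the attacker origin, the `cred-` credential-ID scheme and the plain SHA-256 of challenge plus origin are assumptions for illustration; real WebAuthn signs structured authenticatorData and clientDataJSON. The example goes beyond the article by showing why a leaked database, a phishing relay and a replayed assertion all fail.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Assertion is the authenticator's reply: a signature over the challenge and the origin the browser observed.
type Assertion struct {
	CredentialID string
	Challenge    []byte
	Origin       string // recorded by the browser, not by the page asking to log in
	Signature    []byte
}

// Authenticator models Windows Hello or a security key: one private key per RP ID, never exported.
type Authenticator map[string]*ecdsa.PrivateKey

// Register mints a P-256 key pair for rpID and hands back only the public half.
func (a Authenticator) Register(rpID string) (string, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only if the OS RNG is unavailable
	}
	a[rpID] = priv
	return "cred-" + rpID, &priv.PublicKey // the credential ID is an opaque handle (assumed scheme)
}

// signedPayload stands in for WebAuthn's authenticatorData || SHA-256(clientDataJSON).
func signedPayload(challenge []byte, origin string) []byte {
	h := sha256.New()
	h.Write(challenge) // always 32 bytes here, so no separator is needed
	h.Write([]byte(origin))
	return h.Sum(nil)
}

// Authenticate signs only after the local biometric/PIN gate passed; nil means no assertion was produced.
func (a Authenticator) Authenticate(rpID string, challenge []byte, origin string, userVerified bool) *Assertion {
	priv, ok := a[rpID]
	if !userVerified || !ok {
		return nil // user verification failed, or no credential for this RP
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedPayload(challenge, origin))
	if err != nil {
		panic(err)
	}
	return &Assertion{CredentialID: "cred-" + rpID, Challenge: challenge, Origin: origin, Signature: sig}
}

// RelyingParty stores only public keys, so a database breach leaks nothing reusable.
type RelyingParty struct {
	ID, Origin string
	pubKeys    map[string]*ecdsa.PublicKey // credential ID -> public key
	pending    map[string]bool             // outstanding single-use challenges, hex-encoded
}

// NewChallenge issues a 32-byte random nonce and records it as outstanding.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[hex.EncodeToString(c)] = true
	return c
}

// Verify consumes the challenge, then checks the origin and the signature against the enrolled key.
func (rp *RelyingParty) Verify(as *Assertion) bool {
	if as == nil || !rp.pending[hex.EncodeToString(as.Challenge)] {
		return false // no assertion, or an unknown/already-used challenge: defeats replay
	}
	delete(rp.pending, hex.EncodeToString(as.Challenge))
	if as.Origin != rp.Origin {
		return false // signed on a look-alike site: defeats a phishing relay
	}
	pub, ok := rp.pubKeys[as.CredentialID]
	return ok && ecdsa.VerifyASN1(pub, signedPayload(as.Challenge, as.Origin), as.Signature)
}

// Scenarios enrols one credential and reports whether a genuine login, a phished login and a replay are accepted.
func Scenarios() (legit, phished, replay bool) {
	auth := Authenticator{}
	rp := &RelyingParty{ID: "login.example", Origin: "https://login.example", // hypothetical RP
		pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
	credID, pub := auth.Register(rp.ID)
	rp.pubKeys[credID] = pub
	a1 := auth.Authenticate(rp.ID, rp.NewChallenge(), rp.Origin, true)
	legit = rp.Verify(a1)
	// A look-alike site relays the real challenge. A browser would not use this credential there
	// at all; even if it did, the origin bound under the signature would not be the RP's.
	a2 := auth.Authenticate(rp.ID, rp.NewChallenge(), "https://login-example.attacker.test", true)
	phished = rp.Verify(a2)
	replay = rp.Verify(a1) // the captured genuine assertion, presented a second time
	return
}
```

Call `Scenarios()` from a `main` or a test: it returns `(true, false, false)`. Note what the relying party never holds: no password hash to crack and no private key to steal, only a public key that is useless without the device and the biometric or PIN that unlocks it.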
Passwords can’t be eliminated everywhere—yet
Gartner notes that passwords cannot be eliminated entirely from legacy systems. The analyst firm recommends that organisations prioritise assessing and implementing more robust passwordless authentication methods to improve both security and user experience. Where going passwordless is not yet possible, single sign-on and password managers can reduce the number of passwords a user has to handle and the friction they cause.