The power and effectiveness of the password

The discussion about a passwordless future has heated up considerably again recently. Several major tech companies have been working on the concept for nearly 20 years. Then, in May 2022, Apple, Google and Microsoft joined forces in a highly unusual collaboration to extend support for passwordless authentication systems across platforms.

Passwords don’t go away

The word “passwordless” is simple, elegant and sublime, but somewhat exotic. The truth is that a passwordless world is far from becoming a reality, if it ever will. Nobody likes passwords, but they are intrinsically linked to the backend architecture of authentication and encryption systems. This is not for lack of trying, hard work or even dreaming. It’s just a function of how encryption schemes work. For example, smartphones and other tokenized devices are subject to theft, loss and bugs to begin with. Even with biometrics, barring surgery, it’s impossible to change your fingerprint, retina, or face after the associated data has been stolen or compromised by cybercriminals.

Password usage is growing significantly

Plus, passwords aren’t just inherent to the way modern connected devices work; those devices are now everywhere. Over the past three years, the number of IoT devices, fueled by distributed work and the proliferation of cloud-based computing, has led to an exponential increase in passwords.

Employees work virtually anywhere and often on unsecured networks. We all now rely on a huge range of cloud-based services. Both the public and private sectors are using more devices of different types, operating systems and authentication schemes than ever before. All this has provided a significant boost to the password. Every website, native application, system and database needs passwords at some level, even when using biometrics as a convenience factor. The fact is that robust encryption keys cannot be generated without a password. Even single sign-on solutions require a password, at some level in the architecture, to authenticate a user — before the user transacts with SAML-compliant authentication services.

Password security issues and human behavior are inextricably linked

Companies around the world have tried to keep up with sophisticated and forward-thinking hybrid work styles by implementing new levels of security, although the password still remains the core pillar of a security system. Cybersecurity teams struggle to keep up with the changing habits of their workforce, the proliferation of cloud-based applications, the infrastructure they need to manage and secure, and yes, the onslaught of more sophisticated cyber-attacks.

IT organizations face a pervasive and critical dilemma related to gaining visibility, security and control over the infrastructure of the entire organization. This means you have to keep an eye on every user on every device as they transact with every website, application and system in the organization – from different locations and networks. Therefore, cybersecurity solutions today require more convergence and ubiquity in terms of merging key identity and access management solutions into a single platform.

Verizon’s Data Breach Investigations Report 2022 stressed that password security issues are responsible for 80% of all data breaches worldwide. However, this is not caused by technical weaknesses, but by human failure to practice good password hygiene. Most people know what best practice looks like, such as creating long and unique passwords for each individual account they have. But according to our latest research on password habits in the workplace, nearly half (44%) of respondents admitted to using the same password for both personal and work accounts.

Educating people about the importance of strong password protection should become an essential part of digital security policies for businesses around the world. The risk of a cybersecurity breach is significantly reduced if we make cybersecurity training a formal onboarding step for all existing employees and new hires.

The future of the password

That said, the growing movement towards a future of password identification and authentication based on zero-knowledge architecture in organizations is more promising. With such an architecture, the company that develops the software protecting the organization cannot itself access or decrypt the organization's data.

We’ve also seen significant growth and advancements in the use of multi-factor authentication (MFA), which is extremely effective at reducing password attacks given the communication between devices with multiple users. It should be treated as a standard requirement in strengthening the security posture of any organization.

Despite this, an effective cybersecurity solution will not be driven entirely by technological muscle or money. Infrastructure and organizational complexity coupled with cybersecurity models often hinder technology-driven disintermediation. There are more than 1.1 billion websites worldwide – excluding the billions of native applications, systems and databases that require both authentication and encryption schemes. Given these metrics, consider the time and collaborative logistics it would take to achieve mass migration and adoption to a single passwordless authentication scheme that meets both authentication and encryption requirements.

Passwordless solutions do not provide a complete end-to-end solution

Kudos to the many innovators in the industry who have introduced alternative forms of authentication. Apple introduced Touch ID ten years ago and then launched Face ID in 2017. With Windows Hello to sign in to certain computing devices, Microsoft pioneered ditching front-end passwords for fingerprints and facial recognition. We will continue to see new innovations in security management, such as the use of artificial intelligence (AI) or biometric authentication.

None of these innovations destroyed the password, for the many reasons described above. The backend of any hardened system requires passwords and layered encryption keys to protect user data. Passwordless solutions do not provide a complete end-to-end identity and access management solution. Instead, they have become a positive “feature” as part of the authentication scheme, one that works especially well in two-factor authentication scenarios. Your face, finger, voice and even your DNA are ultimately a proxy for a password, which continues to operate behind the scenes. Furthermore, there is a healthy discussion about how the big tech players and other OEMs can come together to create a single platform with agnostic features that work on any device and browser. And what happens if a biometric breaks or is stolen?

Pursuing a passwordless future is both positive and daring

Sure, these latest innovations are brilliant and more are on the way, but it’s just unrealistic to believe that passwords will disappear any time soon. We can remove the manual process of entering a series of numbers and letters to access everything we need. But losing passwords altogether is a myth. The best we can do is provide the utmost support for their safe use.

Darren Guccione is CEO and Co-Founder of Keeper Security.
