It only took two years after their invention for the first computer password to be stolen. The year was 1962, and Allan Scherr wanted more time using MIT’s shared computer than his individual account would allow. He got what he wanted by printing out the full list of access codes, hiding his tracks by sharing the list of passwords with another student. Only later would he learn that this colleague used this new-found knowledge to leave a series of “taunting messages“ on the account of his departmental supervisor.
In so doing, Scherr set the template for the modern data breach: the theft of a password allows a malicious actor to gain unauthorised access. Alternative methods of authentication that use biometric credentials or multiple forms of identification have been developed but nothing has yet surpassed the practicality of passwords. They remain the most widely used method of authentication – and as such, are a potential security weak point.
Public reliance on passwords has only increased during the pandemic. “Employees and customers are using digital tools now more than ever and may even be required to in order to transact with the organisation during a quarantine or lockdown,” explains Alex Simons, corporate vice-president of program management at Microsoft’s Identity Division. “Most people are used to things like e-commerce transactions, but now they are renewing drivers’ licences, voting, getting a healthcare prescription, onboarding to a company, etcetera – all online.”
As a result, corporate vulnerability to cyberattacks has increased. According to a study by Nordpass, the average user must use at least 100 passwords in their daily lives – an impossible number to remember, and a burden most people circumnavigate by using the individual password across multiple accounts. In normal times, this results in IT desks at large firms spending up to half their time managing password reset requests due to data breaches or users simply forgetting their login details, resulting in an average of $5.2m in lost productivity. The pandemic has only exacerbated this situation, with the widespread use of personal devices among staff creating new avenues of attack for enterprising criminals.
Faced with such conditions, demand among employers has risen for authentication solutions that allow users to be authenticated using data that is unique to them and cannot be replicated – in other words, to rid themselves of passwords altogether. “Passwords, like fax machine machines, will probably hang around for a while,” says Simons. “But based on the momentum we’re seeing, they will rapidly become obsolete.”
That demand was laid bare in a recent blog post by Simons. Last year, use of Microsoft’s ‘Windows Hello for Business’ service leapt by more than 50%, while the percentage of consumers using the commercial version of the software to access Windows 10 devices surged to 84.7%, up from 69.4% in 2019.
“Billions of consumers already experience a passwordless world every time they sign into their Windows laptops with their smartphones,” says Simons. “Consumers want convenience and are increasingly seeking products and services that have secure features.”
Passwordless authentication, proponents argue, can now offer that security. “Technically, the hardware has gotten so much better,” explains J Wolfgang Goerlich, a cybersecurity specialist and advisory CSO for authentication provider Duo Security. He remembers a time when fingerprint scanners had to be bolted to the wall. Now, they can be found on every other mobile device. Industry protocols for biometrics have also improved in recent years, with new standards such as WebAuthen and FIDO 2 allowing biometric authentication to work across more platforms.
Even so, almost a third of IT chiefs in Europe and the Middle East remain unconvinced that the current alternatives to passwords will prove more practical to use or easier to manage than their existing authentication systems. Passwords are seen as inexpensive “because their cost is shared out across the organisation,” explains Goerlich. A passwordless system, meanwhile, introduces new concerns about variability across platforms and even users. “We see, particularly in people over 60, [that] their fingerprints don’t work as well on readers.”
In theory, I would still say passwords are more secure. There are more biometric devices that could be easily defeated than poor passwords could be guessed. Jan Krissler, cybersecurity researcher
There is a persistent worry, too, that biometric authentication is not completely secure. In 2018, researchers from Princeton and Zhejiang universities demonstrated the feasibility of hacking into voice recognition systems using ultrasonic frequencies. Just a day after Apple premiered its TouchID fingerprint sensors for the iPhone 5S in 2013, German cybersecurity researcher Jan Krissler managed to unlock the device using a fake finger. He repeated the same feat a year later when he demonstrated how a 4K resolution picture of President Vladimir Putin’s eye might fool an iris scanner, and in 2019 how a translucent fake hand might beat vein scanners.
Unsurprisingly, Krissler remains sceptical that biometrics are inherently more secure than passwords. “I think it strongly depends on the circumstances,” he says. “In theory, I would still say passwords are more secure… there are more biometric devices that could be easily defeated than poor passwords could be guessed.”
The hardware itself can also prove wanting under normal use. It’s a problem that Mark Burnett, cybersecurity researcher and author of ‘The Perfect Password’, has experienced in his own home. “My Google Home started giving me the wrong information, because my son’s voice sounds so much like mine now that he took over my account,” says Burnett. “It always thinks I’m him.”
The problem isn’t limited to voice recognition. Pressing your thumb too hard on a fingerprint scanner may confuse the sensor; a newly acquired limp can do the same to a camera analysing user gait. Biometrics also present accessibility issues. A vein scanner, for instance, is useless to someone without hands, just as visual passwords cannot be used by the blind.
Instead of a biometric system, Burnett uses a physical authentication key, a device small enough for him to carry at all times that a computer or phone can detect to confirm his identity. He acknowledges, though, that such devices present a whole new set of problems to the user.
“They wear out over time,” says Burnett. “They may have a battery that goes out. You may [try to] log into a device that doesn’t have a reader, or any way of accessing it.” One might also lose it – whereupon the provider of the security key will most likely send an SMS code to the user’s phone or an email re-granting access, both of which undermine the security of the physical key.
The best approach to authentication, Burnett contends, is to combine multiple methods. Cryptocurrency exchanges are one place where this approach has been pursued with some success (with notable exceptions), using behavioural tests to assess the probability that the user is who they say they are. This could be anything from assessing whether the user is logging in from their usual physical location and browser, to the time of day at which they present their credentials.
In effect, argues Burnett, this preserves the convenience of the password while adding a few extra, invisible layers of security. “Anyone could have your password, and could be logging in anywhere,” he says. “What you end up with is a combination of methods that work pretty well. And it’s gotten to the point where it’s pretty convenient.”
Will passwordless authentication kill the password?
This is not the first time the death of passwords has been predicted. Microsoft has been foretelling it since 2004. “We’re moving towards biometrics and smart cards,” said Bill Gates at that year’s company forum.
Even so, a great deal has changed in the field of passwordless authentication over the past two decades. For one thing, certain forms of biometric login, such as facial recognition and fingerprint scanning, have become almost ubiquitous on mobile devices. Rising user demand for such features in consumer devices has led to increased pressure on corporations to match such authentication standards in their internal services and on company devices. “The push from the consumer space is real, and is only amplified by people working from home, where most of our tech is easy to use [and is] supporting passwordless,” says Goerlich.
This trend has been accelerated by Covid-19. At first, they focused on making sure employees were productive while working from home, says Goerlich, but as the pandemic wore on IT chiefs have turned attention to making authentication easier and more effective.
“With so many people still working from home, with so many people still [using] their consumer devices, that has really reinforced the fact that there’s a big disconnect between how I work when I’m not working for the office and how I get things done when I’m at work,” he says. “That’s really pushed a lot of IT departments to become much more flexible in adopting some more authentication and adopting different devices.”
People are getting more and more critical of banks and other sites that don’t really take security seriously.
Mark Burnett, cybersecurity researcher
Burnett agrees. “The concept of using fingerprints or having your SMS code sent to your phone [has] gotten so common that people are accepting that, and people are getting more and more critical of banks and other sites that don’t really take security seriously,” he says. “It’s really interesting how many people care about that, now. There was a time where it seriously felt like I was the only one who cared.”
Among some of the more surprising converts to passwordless authentication is Jan Krissler. “I am pretty sure it will be biometrics that succeed passwords,” he says. While biometric systems are vulnerable to exploitation, Krissler explains, attacks typically target one person at a time. Password attacks, meanwhile, “could be performed against a large group.”
It is also important to remember that biometric devices have advanced significantly over the past decade, says Goerlich. Unlike older models of fingerprint sensors attached to walls, which broadcast user data to a nearby server for verification before granting access, modern scanners ensure that such data never leaves the mobile or laptop device. Continuing to enhance these features – for example, by making it standard to make access to a system contingent on normal user behaviour patterns – will prove essential in shoring up public trust in the technology.
“Some of the set-ups that I’ve seen, a criminal would have to steal your fingerprint, steal your phone, steal your laptop, log in from a region that you’re usually working at… and then start accessing applications that you normally access,” says Goerlich. “That’s a lot of complexity and a lot of hurdles for a criminal to jump through.”
Even so, the end is far from nigh for the password itself. For one thing, upgrading corporate infrastructure to support passwordless authentication remains a gargantuan task. “You’re going to have this really long tail, which could go on [for] years, if not decades, of legacy systems that we’re going to continue to maintain, and we’re going to continue to maintain because they still provide business value,” says Goerlich.
For all its flaws, adds Burnett, the password will also still have inherent value as a back-up to biometric authentication. Anyone who believes in their ultimate demise in the next few years is being naïve. “Passwords will never go away,” he says. “You do have to have some fallback, somewhere. But I wouldn’t be surprised if, in 2030, we still had a lot of the same problem we have now.”