Wednesday, September 12, 2018

The Future of Passwords

Passwords are the most common form of authentication on the Internet. The average user today has around 90 different accounts that require a username and password, far more than anyone can realistically be expected to remember. All too often we choose predictable passwords and PINs and reuse the same password across multiple accounts. Cyber criminals exploit this through credential stuffing: they take username and password pairs leaked from one breach and try them, at scale, against other services where the same victims may have reused them.

While there has been a trend towards businesses offering SMS-based two-factor authentication, this process is not entirely secure either. It is becoming increasingly common for criminals to hijack a victim's mobile phone number (for example by persuading the carrier to move it to a SIM they control) and then receive the one-time codes and password reset links sent to that number.

Knowledge-based authentication, which asks users to answer personal questions to verify their identity, is likewise undermined by the wealth of personal information available on social media and in public records. While we can change our passwords after a breach, we cannot change other details of our lives, such as our mother's maiden name or the city where we were born.

Overall, passwords are a weak form of authentication that places the burden of security on users: passwords can be phished, guessed or cracked offline with password-cracking tools, and stolen in bulk when a service is breached, among other failures. One widely cited industry report found that weak or stolen passwords were involved in 81% of hacking-related breaches. While attackers have become increasingly sophisticated, authentication has improved comparatively little. Simply put, password authentication is not adequately protecting us.

Fortunately, alternatives to password authentication have been making their way into the mainstream market. Passwordless authentication covers any method that does not rely on a memorized secret: biometrics, one-time codes or links delivered by email or SMS (though anything delivered by SMS inherits the phone-number hijacking problem described above), authenticator apps that generate one-time codes, or hardware security keys. It holds the promise of better security and identity protection, and a recent study found that many consumers prefer passwordless multi-factor login, which can yield higher login success rates and a more convenient experience.

There are, however, still privacy and security concerns with these methods. Apple's biometric authentication, for example, has been criticized on privacy grounds and for its security and reliability. Another example is Web Authentication, or WebAuthn, a browser credential management API that lets a site authenticate a user with a hardware security key or a platform authenticator instead of a password. Researchers have raised concerns about some of the signature algorithms the WebAuthn specification allows; these concerns apply to optional algorithms rather than to the protocol as a whole, and a relying party can choose which algorithms it will accept.

As the cost of cybersecurity and the damage caused by data breaches continue to soar, passwordless authentication offers a better, though not flawless, path forward, and an opportunity for businesses and entrepreneurs to drive innovation in authentication in an ever-evolving security landscape.
