As we increasingly rely on biometric data such as fingerprints and facial recognition to secure our digital lives, many of us are reaching a point where using strings of characters such as passwords to encrypt our data will become a thing of the past - and perhaps quite soon.
Big tech seems to agree. The triumvirate of Apple, Microsoft and Google all recently signed up to FIDO2 WebAuthn, a standard created by the Fast IDentity Online Alliance (FIDO) - an industry association which aims to shift our reliance away from passwords in favor of text-free alternatives.
And according to Eve Maler, CTO at access management firm ForgeRock, passwords are no longer a viable option for the security conscious, with a number of advanced technologies looking to replace them.
Behavioral biometrics
The headline act is behavioral biometrics, which has, “a significant role to play in making passwordless security a reality”, according to Maler. These technologies, “track our physical habits such as [our] gait, height or location and login patterns to build a map of a user and their ‘normal’ behavior”.
AI then enters the equation, risk-assessing login attempts by detecting any actions out of the ordinary for the user, such as an expensive purchase. If it does, then “additional layers of verification can be requested such as a fingerprint scan or a time–sensitive authentication request”, Maler explains.
Maler believes this technology will be adopted by the mainstream in the near future, referencing the aforementioned FIDO2 WebAuthn supported by the big three tech giants. She is confident that “the improved user experience possible through this standard will encourage more businesses to embrace these technologies.”
Maler also mentioned that “FIDO is pursuing further standardization known as ‘passkeys’: multi-device credentials that enable strong passwordless authentication that works across multiple devices, browsers, and even device ecosystems.” Apple and Google have already announced that passkey integration will be coming to their respective devices later this year.
Standards and regulations
As more and more businesses are faced with ever-evolving regulations to improve their security measures, Maler believes that this inevitably means a move towards the adoption of passwordless systems. As standards change, businesses will need flexible systems to keep pace, and even “experiment with different authentication types to see what fits their company and customer needs.”
She also suggests that AI can be used in place of 2FA to help reduce “customer friction”, which can monitor customer behavior and login habits continuously and assess when additional layers of security are needed”. She believes this kind of adaptive authentication powered by AI will allow businesses to adopt any new standards that come their way, as well as eliminate the need for multi-factor requests, which she notes are increasingly being exploited by attackers.
Prepping for the future
So how do businesses prepare for passwordless systems? The answer, according to Maler, “is to enable broad-based identity and access management (IAM) with flexible identity orchestration.” She stresses the importance of the user experience, claiming that “The only way a passwordless approach will succeed is if it takes a no-compromises stance between security and user experience.”
With the right orchestration, Maler argues that businesses will be able to move flexibly between different standards as they take hold. Additionally, “no-code orchestration empowers a broader set of service implementers to create, design and configure multiple user journeys to remove friction for registration and authentication purposes.”
According to Maler, orchestration forms the bedrock of passwordless systems, as without problems will arise for users when they switch to new or different devices. However, Maler points out that this is also a problem for password-based systems, and even without orchestration, “a user can be granted new device access with a QR code, enrolled secondary device or behavioral signals”. In fact, with the advent of passkeys, credentials can be spread across multiple devices without the need for secondary enrollment.
It seems that convenience is crucial for the success of passwordless systems, as Maler believes one of the central problems with passwords is “people have so many different logins… to remember that many people will continue to reuse passwords across services”.
Passwordless systems, on the other hand, do not elicit the same “cognitive fatigue”, as she puts it.
What if the tech goes wrong?
Just like any technology, there is a potential for failures with passwordless systems, so it’s good to have fail safes in place. But if passwords are thrown out entirely, how do users access their accounts and data?
Maler suggests that there are enough passwordless alternatives available that should one not work for whatever reason, then there will be something else to use: “Alternative solutions like QR codes and secondary enrolled devices act as a safety net that allow users to log in if the primary mode of passwordless authentication doesn’t work.”
She added that the advent and further development of passkeys means that all of a user’s devices will be connected via ‘central user identity’, so if one device fails, another can be used instead. Other methods that can be used to recover accounts include “behavioral signals (e.g location, time) or emergency one-time sign-on”.
And while Maler is adamant that passwordless systems are superior, she does foresee tech companies like Apple to “continue to enable PINs for device unlocking as an alternative to facial or fingerprint recognition”, and that such PINs - and passwords, for that matter - “are safest when stored and used entirely on-device.”
Looking ahead
With alternative methods already entering mainstream use, it seems inevitable that passwords will be made redundant before long, at least to some degree. As our tech becomes evermore sophisticated and interconnected, with all of us using a vast number of login credentials for all manner of services, passwords just don’t seem fit for purpose anymore.
Even improving password practices would do little to enhance their security in the eyes of Maler. While conceding this can help to mitigate security risks, she contends that, aside from the “negative customer experience” people have with passwords, they are ripe for exploitation from phishing attacks. Maler notes that passwordless systems that meet FIDO standards are phishing-resistant when it comes to authentication.
But there are still questions that remain unanswered regarding passwordless solutions. How do we feel about our increasingly intimate biometric data being in the hands of private power? And how do we feel about AI attempting to analyze our thoughts, let alone if it can even do so accurately? Will people push back against the idea of companies having these sorts of capabilities and information about us?
We will have to see how such concerns are addressed once passwordless systems are adopted wholesale, and whether any other unforeseen issues arise regarding privacy or their effectiveness.
But regardless of what new technology we end up using to secure our digital world, Maler offers some sage and timeless advice: “As with all cybersecurity systems, passwordless is only as fool-proof as the way in which it’s implemented.”
- Check out our list of the best password recovery software
