In the future we will not use passwords; that much seems inevitable. It is hard to imagine what a world without passwords would look like, but eventually we will have to get used to it.
Password-less standards are becoming more firmly established, and password-less authentication methods continue to grow in number and sophistication.
We are already equipped to take part in that future, but there is more to a password-less world than the standards and the authentication methods themselves.
What is the challenge then?
There are still challenges to overcome. For example:
- How can we prove our identity in order to sign up for a credential in a world that does not use passwords?
- How can we recover lost credentials?
Probably the most important thing is to address these challenges without recreating the problems that undermined passwords in the first place: the friction for the user, the load on the help desk and the cost of password recovery.
We must be careful not to replace password recovery with mechanisms that are different but just as burdensome. It is still too early to know precisely how we will solve these issues in a meaningful way, but it is not too early to start exploring.
Let’s dive in.
What does identity mean in a password-less world?
The main challenge in password-less authentication is establishing a digital identity: something that proves users are who they say they are and that serves as a basis for trusting that identity wherever they go in the digital world. The physical world already has a similar process with passports and driver's licenses, neither of which is password-based.
Of course, there are authentication methods available today that reduce the need for a user to type a password at the moment of authentication: biometrics (facial recognition and fingerprint identification), token-based authentication and so on. However, a password is still the underlying authentication method behind them. If the whole point is to avoid passwords, how can a user safely prove their identity to obtain that password-less credential in the first place?
We still need to develop methods for establishing that initial trust, so that the user ends up with a safe, fully password-less credential.
What happens when a user needs to recover their credentials?
When we talk about biometrics, tokens and the other password-less authentication methods in use today, we often forget that a password is still the underlying mechanism for both user authentication and credential recovery.
Not so long ago, I lost my phone getting off an airplane. I was devastated, and concerned when I realized that all that was needed to set up my very advanced face biometrics for every application and account associated with that device was – you guessed it – a combination of username and password.
In that case, wouldn't anyone with my username and password be able to use their own face as the biometric to access my accounts? Of course they would.
The point is that, in the final analysis, nearly every form of strong authentication today is a façade for a password. The method is no stronger or safer than the password underneath it.
We think a system is "password-less" when it really is not: it rests on something that is easy to steal and to impersonate. And if you forget your username and password, the recovery mechanism is easily defeated by anyone who knows your mother's maiden name (from that "private" family-history website your cousin manages) or the year, make and model of your first car (the picture you proudly posted on social media).
Let's be real: in almost every digital identity system, the credential recovery mechanisms are weaker than the authentication method they are meant to back up.
Scenario #1: You lost the phone that holds your Face ID? No problem. Just enter your password. Can't remember it? Just enter your mother's maiden name and we will give you a new one.
Scenario #2: You lost your hardware token? No problem: just provide us with your Active Directory username and password and we will send you another one.
If authentication in a password-less world is going to be as safe as everyone wants it to be, we will have to reverse that pattern and make the recovery mechanism at least as strong as the authentication method itself. A hardware token, for instance, can serve as the recovery mechanism for a mobile authenticator: You lost your phone? Please use your hardware token to authenticate.
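The two scenarios above can be checked mechanically. The following is an added example, not code from the original post: it models every way into an account (the primary login plus each recovery flow) as a path of factors, scores a path by its strongest factor (an attacker must defeat all of them) and scores the account by its weakest path. The numeric strength levels and the scenario names are illustrative assumptions chosen for this example, not values taken from any standard or product.

```python
"""Weakest-path assurance check for an account's login and recovery flows.

Added illustration: every way into an account is a path the attacker may
pick. Defeating a path means defeating every factor on it, so a path is at
least as hard as its strongest factor; the account as a whole is only as
strong as its weakest path. The strength levels below are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed relative strength of each factor on its own (higher is harder to defeat).
FACTOR_STRENGTH = {
    "security_question": 1,   # often discoverable from public information
    "email_link": 2,          # only as strong as the mailbox that receives it
    "password": 2,
    "device_biometric": 3,    # unlocks a key bound to one physical device
    "mobile_authenticator": 3,
    "hardware_token": 4,      # phishing-resistant and requires possession
}


@dataclass
class Path:
    """One complete route into the account, starting from nothing."""
    name: str
    factors: list[str]

    def strength(self) -> int:
        # All factors on the path must be defeated, so the path costs at
        # least as much as its strongest factor.
        return max(FACTOR_STRENGTH[f] for f in self.factors)


@dataclass
class Account:
    primary: Path
    recovery: list[Path] = field(default_factory=list)

    def paths(self) -> list[Path]:
        return [self.primary, *self.recovery]

    def weakest_path(self) -> Path:
        # The attacker chooses the cheapest route, so the account is rated by it.
        return min(self.paths(), key=Path.strength)

    def effective_strength(self) -> int:
        return self.weakest_path().strength()

    def recovery_undermines_login(self) -> bool:
        """True when any recovery flow is weaker than the primary login."""
        return any(p.strength() < self.primary.strength() for p in self.recovery)


def scenario_lost_phone() -> Account:
    # Scenario #1: face biometric on the phone, reset with a password,
    # and a forgotten password is reset with a security question.
    return Account(
        primary=Path("face biometric on phone", ["device_biometric"]),
        recovery=[
            Path("re-enroll with password", ["password"]),
            Path("forgot password, answer security question", ["security_question"]),
        ],
    )


def scenario_lost_token() -> Account:
    # Scenario #2: hardware token replaced after proving an AD password.
    return Account(
        primary=Path("hardware token", ["hardware_token"]),
        recovery=[Path("replace token with AD password", ["password"])],
    )


def scenario_token_as_recovery() -> Account:
    # The proposed fix: the recovery factor is at least as strong as the login.
    return Account(
        primary=Path("mobile authenticator", ["mobile_authenticator"]),
        recovery=[Path("fall back to hardware token", ["hardware_token"])],
    )


def report(account: Account) -> str:
    weakest = account.weakest_path()
    verdict = "recovery undermines login" if account.recovery_undermines_login() else "ok"
    return (f"primary={account.primary.strength()} "
            f"effective={account.effective_strength()} "
            f"via '{weakest.name}' ({verdict})")


if __name__ == "__main__":
    for build in (scenario_lost_phone, scenario_lost_token, scenario_token_as_recovery):
        print(f"{build.__name__}: {report(build())}")
```

Run as a script, the two original scenarios are rated by their security question and password respectively, not by the biometric or token the user actually logs in with, while the hardware-token fallback leaves the account as strong as its mobile authenticator. The same check can be applied to any identity provider's flows by listing every reset, re-enrollment and help-desk path alongside the primary login.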
The questions raised here all come back to one topic: awareness. Assuming that password-less standards and authentication methods are all we need to build a password-less world is a mistake, because it overlooks the fact that, even in those areas, most organizations still have a lot of work to do.
It is exciting to think about the existing and emerging solutions that are carving the path towards that world, but it is just as necessary to be aware of the gaps and obstacles that remain. Knowing the challenges we face, and how to overcome them, is the first step towards a password-less world.
Thank you for reading! We hope you liked it.
See you next time!