Passwords are much-maligned as the weakest link in any company’s security defences, and for good reason. Password reuse, weak passwords, failure to change them regularly and other human errors undermine the effectiveness of this de facto standard for authentication. That, in turn, has spurred start-ups, established security companies, industry coalitions and government agencies to work on concepts for moving beyond it. But adoption of these efforts is still immature.
The stakes are of course high. Nearly all data breaches start with compromised passwords. These are harvested via sophisticated phishing, brute force attacks, social engineering, malware exfiltration and more – yet, the password remains the first, and sometimes only, line of defence against cyber attacks.
Alternatives to passwords
Alternatives to passwords include biometrics (like Apple’s FaceID function), social media authentication (like “Log In with Facebook”), and more unusual ideas like two-tap authentication, where a browser-based button opens an email link to verify a person’s identity.
“The login experience is continually changing based on user demand and the need to protect against today’s sophisticated cyber criminal landscape,” said Martin Gontovnikas, vice president of marketing and growth at Auth0. “Passwordless [approaches are] a signal of the kind of industry change we are all heading toward.”
Doomed to fail
At least one security researcher, however, has declared that efforts to kill the password are set up to fail from the get-go, because alternate authentication systems have a fundamental usability problem: They require the user to learn how to do something different from what they’re used to.
“The one thing that the humble password has going for it over technically superior alternatives is that everyone understands how to use it. Everyone,” said Troy Hunt, creator of HaveIBeenPwned, in a recent blog post. He added, “As soon as you ask people to start doing something they’re not familiar with, the risk of them simply not going through with it amplifies and defeats the whole point of having the service in the first place.”