By Simeon Tassev, QSA & MD at Galix

Passwords are inherently problematic and are the weakest link in many security chains. People forget them, or do not set them to be strong enough; they reuse the same password for multiple accounts, they write them down, and generally engage in behaviour that could compromise security. They are also difficult to manage, requiring a lot of money and manpower to maintain. Passwordless authentication is thus a seemingly attractive option, but can we really do away with the password? 

The problem with the password

As the journey to digital transformation continues, users have become overwhelmed by passwords, for everything from using their devices to accessing systems and even using the Internet. Working from home as a result of the pandemic has only exacerbated this problem, and the more passwords people are forced to use, the less secure they become. It is all but impossible to remember every password, especially if they are not used frequently, or if they need to be reset often, which is a common security practice. 

Different authentication factors

Managing passwords is a multi-billion dollar industry – in fact, password reset requests typically make up the bulk of IT help desk support tickets. Users lose productivity waiting for passwords to be reset, and support costs for business skyrocket. As a result, the idea of passwordless authentication has become more appealing. 

Instead of a password, other factors that uniquely identify a user can be utilised instead. These may be possession factors, in other words an object like a One-Time Pin (OTP), a registered secondary device like a mobile phone or a secure token. It is also possible to use inherent factors like biometrics as identifiers. 

The benefits of doing away with passwords

From a business perspective, using authentication factors other than a password, can cut costs dramatically. Not only will users be more productive if they are spending less time resetting passwords, IT staff will spend less time on these requests and will be able to spend more time on activities that add value. The user experience will also be improved, because users will no longer be expected to memorise endless streams of passwords and security control questions, which streamlines the authentication process. 

Security will also be improved if the password, already notorious for being a vulnerability in the security posture, can be removed from the equation. Passwords, particularly those set by users, are easily compromised at the best of times, and are often the easiest way for malicious actors to gain access to corporate networks. The element of human error is removed from the security equation, which improves control and visibility for IT. 

The reason we still need passwords

As beneficial as a passwordless environment would be, it is unfortunately incredibly difficult to actually implement effectively. While other authentication factors can (and arguably should) be used, at some point there needs to be a failsafe. Biometric systems may suffer from a hardware failure, OTP systems may be down for whatever reason, and there always needs to be a back door – the password – in case something goes wrong.  While the existence of the password is still a necessity, it also remains a system vulnerability. 

Not passwordless, but less passwords

Brute force attacks focus on compromising the weakest passwords, which is where the current issue comes in. The goal then should be to reduce the number of passwords in use, and improve the quality of the passwords that remain necessary through better management and policies. While passwords can never be made unbreakable, they can be made so complex that they would take too long to decrypt, and they can be changed frequently so that even if they are decrypted, they expire before that occurs. 

So, is it possible to get rid of the password? The answer is unfortunately not. The future is not passwordless, but aiming for the goal of less passwords may be an achievable aim.