Why Tech Companies are Pushing Towards a Passwordless Future?
Last week when I logged into my computer and tried to log in to one of the websites, I got the notification from Chrome that they believe my credentials for certain websites may have been exposed as part of a data breach (please note that this is not a data breach at Google). So, I went to the password manager and saw that Google recommended me to change more than 70 passwords, some of which I did and some of which I didn’t care enough to change, and of course, over the next few days, I had to do the whole “forgot password” charade at some of the websites where I changed the password but didn’t remember.
I have always hated how inconvenient it is to keep remembering the passwords for all the websites, especially when I don’t have my laptop and I have to log in from my phone or some other medium.
As I started to research more, it made more and more sense to me as to why the big tech companies are pushing towards a passwordless future. The big enterprises have a lot to lose with even the smallest data breach.
Why it makes sense for enterprises to go passwordless?
An average office worker in the US has to keep track of 20–40 different username and passwords combinations and of course whenever they forget their passwords, especially after a few days off or a vacation, they call the help desk to reset the password and it may cost anywhere between $40-$50 per call to the company (Forrester, 2019).
Merritt Maxim, VP, and Research director at Forrester said in an interview that “A typical employee contacts a help desk somewhere between 6 and 10 times a year on password-related issues,”. If you multiply this with the average cost of $50 per call, you are potentially talking about hundreds of thousands of dollars or even millions of dollars in cost just to reset the password. And, this doesn’t even include the loss of productivity from the employees who are spending time on the phone with the help desk to reset their passwords.
Then there are the data breach costs. A report by Verizon looked at over 2000 confirmed data breaches and found out that 29% of those breaches were due to stolen credentials. A study by IBM security found that the average cost of a single data breach in the US is more than $8 million which is huge.
And, finally, there is the inconvenience of remembering passwords. Some organizations require their employees to change their passwords every month or every quarter and most of the time, to help them remember the passwords, the employees may just add an extra digit to the password or write them on a sticky note or on their phone which makes it more vulnerable for hacking and needless to say that if a hacker can get into the company’s internal systems, it can wreak havoc on the business and may spill some well-protected sources of competitive advantages for the company.
Overall, it makes a lot of sense from a financial as well as the security point of view for enterprises to think seriously about a passwordless future.
Unless you have been living under a rock for the past few years, you must have encountered some form of multi-factor authentication method. With innovations such as fingerprint scanning, facial recognition on your smartphones, verifying your identity is no longer just about entering the password. Here is how multi-factor authentication works.
There are three forms of authentication:
· Something you know — such as a password or a pin code;
· Something you possess — such as a fob chain, an ATM card, etc.;
· Something you are — such as your biometric;
Only using the password for authentication is the riskiest way of authenticating and is the easiest way to lead to phishing and cause data breaches. Two-factor authentication can be a combination of any two of the above three forms of authentication. However, it is important to note that not all two forms of authentications are built equally. For example, getting a text message on your phone, popular as one-time passwords (OTP) can be spoofed easily and not a foolproof way of second-factor authentication and is also inconvenient. In fact, the National Institute of Standards and Technology (NIST) restricted the use of OTP as a means of two-factor authentication but defined it as two-step authentication. Basically, a two-step authentication would be two steps under the same category of authentication. It can be your password plus a challenge questions both of which would fall under the “Something you know” category and therefore cannot be considered two-factor authentication. The simplest example of two-factor authentication is an ATM withdrawal machine. It requires an ATM card (something you possess) and also a pin-code (something you know).
Without a doubt, both a two factor or two-step authentication is more secure than just using the passwords but using the password will always be vulnerable and inconvenient for people using it and with the rapid rise in technology, the use of biometrics as a form of authentication has risen immensely in popularity, especially after Apple introduced the fingerprint readers in 2013 in its iPhone 5S. And nowadays, thanks to digital assistants like Google Home and Alexa, voice recognition is also becoming a popular form of authentication that some of the banks have already incorporated to verify their customers and this trend will continue to change with a plethora of IoT devices now becoming a part of an average household.
The FIDO Alliance
Fast Identity Online (FIDO) is a consortium of more than 250 companies that are working together to reduce the industry’s vulnerabilities and dependence on passwords and FIDO has been at the forefront of bringing two-factor authentication standards to the general mass and enterprises alike. In 2019, FIDO became a core part of the Android and Windows operating systems.
FIDO has a big advantage over other standards — it stores the data and credentials is on a local device which makes it easier to store and protect your privacy whereas currently our passwords are stored on a server which makes them susceptible to being hacked and exposed. With all the concerns over privacy in the past couple of years, it is important that these companies use local-matched biometrics (or match-on-device) which is exactly what FIDO supports.
Microsoft has been at the forefront of this push towards a vision towards a passwordless future. Microsoft started to work with FIDO a few years ago to adopt the standard and reduce its use of passwords. Microsoft’s first move to reduce the dependence on password was introduced with Windows Hello, introduced in Windows 10, which used biometric sensors to verify a user’s identity based on a face scan or fingerprint. Its Authenticator app allows users to log in to their Microsoft account on their desktop using their phone.
Microsoft has a four-step strategy for killing the passwords — Developing alternatives for password replacements, reducing the users’ visible password surface area, simulating a passwordless world, and finally eliminating the passwords from the identity directory.
Apple has been slower to adopt the FIDO2 standard on all its devices but it supports FIDO standards on its Mac OS and iPhone OS and encourages the app developers on the Apple store to develop a biometric login where possible and to have the password and username login only in case of a backup.
The biggest challenge in implementing a passwordless future is that the traditional way of logging in using a username and a password is ingrained in our mind for several decades and it would require a fundamental shift in how we think about privacy and tech companies in order to get rid of the passwords.
A lot of people I have talked to would prefer not to share their biometrics with tech companies for fear of not knowing what will be done with their data. The tech community has been under a lot of pressure from regulations and privacy-related issues over the past few years and I don’t blame people to be a little skeptical and a bit hesitant in sharing their fingerprints. However, standards like FIDO may help ease some of these worries by storing the biometric data locally but people still need to be made aware of how their privacy will be maintained when they use their biometrics to log in to a device.
I think the big tech companies have made a lot of strides in getting closer to the vision of the passwordless future, but we are still a few years away from the world where passwords are a thing of the past. The good news is that tech companies like Microsoft, Apple, and Google, because of their huge presence in the tech ecosystem are in the best position to implement the adoption of a passwordless future which in my opinion will work better for both businesses and users alike.