There’s More to a Passwordless Future than Adopting Standards and Choosing Authentication Methods
The future is passwordless: That’s the inevitable conclusion I think more and more people are reaching as we watch passwordless standards become more firmly established and passwordless authentication methods grow in number and sophistication. It’s important to remember, as we stand poised to enter this future, that there is more to the passwordless world than standards and authentication methods. There are also challenges to consider. For example, how do you prove identity for credentials enrollment in a world that doesn’t use passwords? And how do you recover lost credentials? Perhaps one of the most important considerations is how to address these challenges without recreating some of the very issues that doomed passwords in the first place – like the user inconvenience, help desk burden and costs associated with password resets. We must be vigilant not to simply end up replacing password resets with different, but equally onerous, methods. It’s still too early in the game to know precisely how we’ll address all these issues in a meaningful way. But it’s not too early to start exploring. Let’s dive in.
What Does it Mean to Define Identity in a Passwordless World?
The principal challenge in passwordless authentication is establishing a digital identity that doesn’t rely on passwords: something that proves users are who they say they are and serves as a basis for trust wherever they go in the digital world, much as a passport or a driver’s license does in the physical world. There are, of course, authentication methods that eliminate the need for a user to present a password at authentication time: biometrics (facial recognition and fingerprint ID, for example), token-based authentication and others. But passwords continue to serve as the underlying authentication method behind many of them. If the idea is to eliminate passwords, then by what secure means does a user prove identity in order to obtain that passwordless credential in the first place? We still need to develop new methods of establishing the initial trust that grants a user a secure and truly passwordless credential.
What Happens when a User Needs to Recover Credentials?
When we talk about biometrics, tokens and other passwordless authentication methods in use today, we often don’t give much thought to the fact that passwords still continue to serve as the underlying mechanism for both user authentication and credential recovery. When I lost my phone on a plane not long ago, I was both bemused and dismayed to realize that all I needed to reestablish my incredibly advanced facial biometric credential for all the apps and accounts associated with that device was – wait for it – a combination of username and password. In that case, couldn’t anyone who got their hands on my username and password just use their own face as the biometric to gain access to my account? Of course they could. The point is that any form of strong authentication today is ultimately just a façade for a password – and therefore not really any stronger or safer than the password underlying the method. What we think of as “passwordless” really isn’t; it’s a system still rooted in something that’s pretty easy to steal and use to impersonate you. And if you don’t remember your username and password, the recovery mechanism is also easy to breach by just about anyone who can track down your mother’s maiden name (on that “private” family history website your cousin runs) or the model of your first car (a picture of which you proudly posted on social media).
Let’s face it: In just about every case of digital identity, there seems to be a set of credential recovery mechanisms that are weaker than the authentication method itself. Lose your phone with the facial recognition feature? No problem, just type in your password. Can’t remember it? Just tell us your mother’s maiden name and we’ll give you a new one. Lose your hardware token? No problem, just provide your Active Directory username and password and we’ll mail you another. If authentication in a passwordless world is going to be as secure as everyone wants it to be, we have to reverse this pattern and make the recovery mechanisms at least as secure as the authentication method itself. Maybe a hardware token serves as the recovery mechanism for a mobile authenticator. (Lose your phone? Grab your hardware token to authenticate.) The main challenge may be in making the recovery mechanism more secure while also keeping it simple and practical.
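The “façade for a password” observation and the rule that recovery must be at least as strong as the authenticator can be checked mechanically: treat each credential and its recovery methods as a graph, and note that an attacker who cannot defeat a credential directly may take whichever recovery path is weakest. The script below is an added illustration, not code from the original post; the credential names, the 1-to-5 assurance scores and the recovery chains are constructed assumptions, and the “proposed” design assumes the hardware token has no weaker self-service recovery path of its own.

```python
"""
Effective-strength model for credentials and their recovery paths.

Constructed example, not code from the original post. Credential
names, assurance scores (assumed scale: 1 = weak, 5 = strong) and
recovery chains are assumptions made up for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Credential:
    name: str
    strength: int                                   # assumed 1..5 assurance score
    recovered_by: list[str] = field(default_factory=list)


def weakest_chain(creds: dict[str, Credential], name: str,
                  _visiting: frozenset[str] = frozenset()) -> list[str]:
    """Return the chain of recovery steps an attacker would prefer.

    The chain starts at `name` and ends at the weakest credential that
    can be used, via recovery, to take over `name`. A credential already
    on the current path (a recovery cycle) contributes only its own
    strength, so the recursion terminates.
    """
    cred = creds[name]
    if name in _visiting:
        return [name]
    visiting = _visiting | {name}
    best_chain, best_val = [name], cred.strength
    for rec in cred.recovered_by:
        chain = weakest_chain(creds, rec, visiting)
        val = creds[chain[-1]].strength
        if val < best_val:                          # attacker picks the weakest path
            best_chain, best_val = [name] + chain, val
    return best_chain


def effective_strength(creds: dict[str, Credential], name: str) -> int:
    """Strength of a credential once every recovery path is considered."""
    return creds[weakest_chain(creds, name)[-1]].strength


def recovery_violations(creds: dict[str, Credential]) -> dict[str, list[str]]:
    """Credentials whose recovery path is weaker than the credential itself."""
    return {name: weakest_chain(creds, name) for name in creds
            if effective_strength(creds, name) < creds[name].strength}


def build(*creds: Credential) -> dict[str, Credential]:
    return {c.name: c for c in creds}


# Constructed sample: the recovery chains the post describes.
WEAK_DESIGN = build(
    Credential("security_questions", 1),
    Credential("password", 2, ["security_questions"]),     # forgot it? mother's maiden name
    Credential("ad_password", 2, ["security_questions"]),
    Credential("phone_biometric", 5, ["password"]),        # lost phone? type your password
    Credential("hardware_token", 5, ["ad_password"]),      # lost token? AD username + password
)

# Constructed sample of the post's proposal: token recovers the phone authenticator.
PROPOSED_DESIGN = build(
    Credential("hardware_token", 5),                       # assumption: no weaker self-service recovery
    Credential("phone_biometric", 5, ["hardware_token"]),
)

if __name__ == "__main__":
    for label, design in (("weak", WEAK_DESIGN), ("proposed", PROPOSED_DESIGN)):
        print(f"{label} design:")
        for name, cred in design.items():
            chain = " -> ".join(weakest_chain(design, name))
            print(f"  {name}: strength {cred.strength}, "
                  f"effective {effective_strength(design, name)}, via {chain}")
        print("  violations:", sorted(recovery_violations(design)))
```

Run as-is, the weak design reports the phone biometric and the hardware token both reduced to an effective strength of 1, because each chain bottoms out in the security questions; the proposed design reports no violations. The same audit can be run over an organization’s real credential inventory once assurance scores are assigned to each method.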
The questions presented here revolve around one theme: the importance of awareness. To assume that passwordless standards and authentication methods are all we need to create a passwordless world is a mistake, as is overlooking the fact that even in those areas, most organizations still have a lot of work to do. It’s exciting to think about the existing and emerging solutions that are already moving us down the road to that world, but it’s also necessary to be aware of the gaps to be bridged and obstacles to be overcome. In this case, knowing what challenges we face and thinking about how to address them are the first steps to a passwordless future.