
The Future Of Going Passwordless

Introduction

The modern computer password was first introduced to the computer science industry and the world in the 1960s by Fernando Corbató. Over the last 60 years, password protection has evolved through the introduction of additional authentication factors such as multi-factor authentication, security questions and tokens. Password users, however, have grown cold to the idea that passwords are the future and have become frustrated with managing their passwords and following their company password policies. According to a survey conducted by LastPass, 91% of users believe going passwordless is the future.

Bill Gates predicted the death of passwords as early as 2004, and Microsoft introduced a smart-card system to its users. This system was short-lived: users would either lose their devices or lose the ID cards they required to authenticate themselves. At the end of June, Microsoft’s Windows 11 announcement included a segment on its new and deeper integration of passwordless sign-ins, particularly for logging in to devices using biometrics or a PIN. Although 91% still believe in delivering a passwordless experience to their users in the future, many of these companies have struggled to get both developers and users on board with the idea of a passwordless future, and 85% of users still believe passwords aren’t going away just yet. There are many reasons and challenges why a passwordless deployment model isn’t feasible today and might not be in the near future at all. In the next section, we’ll discuss those reasons.

Why Going Passwordless Might Be Flawed

Before we explore the major disadvantages that keep some of the leading companies from considering or adopting a passwordless model, it’s important to first talk about why passwords are being abandoned. Going passwordless doesn’t rule out the need for, and importance of, user authentication. In fact, passwords are the one layer of protection that’s been put in place to stop someone from even reaching the authentication step. Going passwordless by implementing features such as biometrics on devices opens the door to new and bigger problems. Some of these are discussed in the next section.

The Disadvantages of Going Passwordless

Slow Adoption

Systems all over the world are deeply familiar with passwords and how they’re currently being used. The biggest hurdle passwordless frontrunners are experiencing is getting developers and users to adopt the idea of a passwordless future. Lily Newman recently wrote that “It’s not easy to break habits developed over decades” when discussing the major hurdles a passwordless model would have to overcome. Too many organizations running legacy systems in our current password ecosystem believe passwords aren’t going away anytime soon and aren’t willing to write off their current password models and policies.

High Cost of Adoption & Implementation

Many users would be required to upgrade to the latest and greatest devices that support passwordless functionality. This not only rules out a big portion of users in poorer parts of the world, but also raises the question of whether companies would allocate a bigger budget to providing these devices to their employees. Investing in new passwordless software and hardware infrastructure can be extremely expensive in the early adoption phase. This is especially the case for companies with a large customer base and many employees. According to Sectigo, a computer security company based in the US, the software or applications that enable OTP/magic link facilities on a company website generally cost around $25 to $1,000 per month (depending on the service provider and how frequently it’s used). Never mind these high monthly expenses: the cost your company faces in replacing employee hardware devices, tokens and cards is, in some cases, far greater than simply resetting passwords or implementing password policies.

No User Protection in the Event of Device Theft or SIM Swapping

Setting aside the costs already involved in replacing user devices, the risk of users’ information and accounts being hacked is far greater. Once an attacker gets their hands on your device, they can use it to intercept all OTPs, PINs and magic links that are generated and sent over email or SMS text messages. Currently, in password-based authentication, the attacker still requires a password to gain access to the user’s accounts from that device. With passwordless authentication, however, the risk is greatly increased. Consider the common SIM-swapping attack, where someone tricks or manipulates the user’s service provider into transferring the user’s SIM card to them: the criminal pretends to be you, claiming that you’ve lost your SIM card and need it replaced. If successful, the perpetrator can open applications and act on OTP messages to gain access to your personal accounts and applications.

Biometrics Aren’t Foolproof

Passwordless security technology can be deceived with images and videos of the original user, and attackers also make use of such resources to bypass fingerprint locks. Voice cloning has become a popular method for attackers gaining access through voice-based identity authentication.

Malware Doesn’t Disappear

Spyware attacks operate by grabbing screenshots or recordings of everything that appears on your device’s screen. Therefore, OTP-enabled authentication can lead to spyware intercepting the OTP and ultimately gaining access to your accounts. Another type of cyber attack against passwordless authentication is known as a man-in-the-browser (MitB) attack. This is when the attacker inserts a special trojan into the user’s web browser. The trojan not only intercepts all the data shared (including your OTPs, PINs and other information), but also alters the appearance of the browser, website, form fields, login fields and the responses received. It can also delete all transaction entries.

Passwords Aren’t Going Away Anytime Soon

In conclusion, I’d like to highlight three major challenges that are evident: slow adoption among current legacy systems, the lack of user protection once devices are stolen or lost, and lastly the difficulty many users face in upgrading to devices with the latest and greatest capabilities that support passwordless functionality.

MyPass believes that with a correctly implemented password policy in place, passwords aren’t something we should be running from or be scared of. With that in mind, MyPass has been very intentional about enabling our clients to implement and adopt strong password policies in their environments. For more on what password policies are, why they’re important and how MyPass clients are implementing them, read our MyPass Password Policy Requirements.

More Info

For more information about how MyPass Password Manager or MyPass Identity Verification Manager can help your company establish password governance, protection and user identification, visit www.mypass.co.za.