The modern computer password was first introduced to the computer science industry and the world in the 1960s by Fernando Corbató. Over the last 60 years, password protection has evolved through the introduction of additional authentication factors such as multi-factor authentication, security questions, tokens, etc. Password users have, however, grown cold to the idea that passwords are the future and have become frustrated with managing their passwords and following their company password policies. According to a survey conducted by LastPass, 91% of users believe going passwordless is the future.
Bill Gates predicted the death of passwords as early as 2004 and introduced a smart-card system to Microsoft users. This system was short-lived: users would either lose their devices or lose the ID cards they required to authenticate themselves. At the end of June, Microsoft’s Windows 11 announcement included a segment on its new and deeper integration of passwordless sign-ins, particularly for logging in to devices using biometrics or a PIN. Although 91% still believe in delivering a passwordless experience to their users in the future, many of these companies have struggled in their efforts to get both developers and users on board with the idea of a passwordless future. 85% of users still believe passwords aren’t going away just yet. There are many reasons and challenges why a passwordless deployment model isn’t feasible today and may not be coming any time soon. In the next section, we’ll discuss the reasons why.
Why Going Passwordless Might Be Flawed
Before we explore some of the major disadvantages that explain why going passwordless isn’t considered or adopted by some of the leading companies today, it’s important to first talk about why passwords are being abandoned. Going passwordless doesn’t rule out the need for, or the importance of, user authentication. In fact, passwords are the one layer of protection that has been put in place to stop someone from even reaching the authentication step. Going passwordless by implementing features such as biometrics on devices opens the door to new and bigger problems. Some of these are discussed in the next section.
The Disadvantages of Going Passwordless
Systems all over the world are deeply familiar with passwords and how they’re currently being used. The biggest hurdle passwordless frontrunners are experiencing is getting developers and users to adopt the idea of a passwordless future. Lily Newman recently wrote that “It’s not easy to break habits developed over decades” when talking about the major hurdles a passwordless model would have to overcome. Too many organisations running legacy systems in our current password ecosystem believe passwords aren’t going away anytime soon and aren’t willing to write off their current password models and policies.
High Cost of Adoption & Implementation
Many users would be required to upgrade to the latest devices that support passwordless functionality. This not only rules out a big portion of users in poorer parts of the world but also raises the question of whether companies would allocate a bigger budget to providing these devices to their employees. Investing in new passwordless software and hardware infrastructure can be extremely expensive in the early adoption phase. This is especially the case for companies with a large customer base and many employees. According to Sectigo, a computer security company based in the US, the software or applications that enable OTP/magic link facilities on a company website generally cost around $25 to $1,000 per month (depending on the service provider and how frequently it’s used). Beyond these high monthly expenses, the cost your company faces in replacing employee hardware devices, tokens, and cards is in some cases far greater than simply resetting passwords or implementing password policies.
No User Protection in the Event of Device Theft or SIM Swapping
Setting aside the costs already involved in replacing user devices, the risk of the user’s information and accounts being hacked is far greater. Once an attacker gets their hands on your device, they can use it to intercept all OTPs, PINs, and magic links that are generated and sent over email or SMS text messages. Currently, in password-based authentication, the attacker requires a password to gain access to the user’s device. With passwordless authentication, however, the risk is greatly increased. Consider the common SIM-swapping attack, where someone tricks or manipulates the user’s service provider into transferring the user’s SIM to them: the criminal pretends to be you and claims that your SIM card has been lost and needs to be replaced. If successful, the perpetrator can open applications and act on OTP messages to gain access to your personal accounts and applications.
Biometrics Aren’t Foolproof
Passwordless security technology can easily be deceived using images and videos of the original user. Hackers make use of these resources to ultimately bypass fingerprint locks. Voice cloning has also become a popular method for hackers to gain access through ID-based authentication.
Malware Doesn’t Disappear
Spyware attacks operate by grabbing screenshots or recordings of everything that appears on your device’s screen. Therefore, OTP-based authentication can lead to spyware intercepting the OTP and ultimately gaining access to your accounts. Another type of cyber attack against passwordless authentication is the man-in-the-browser (MitB) attack, in which the attacker inserts a special trojan into the user’s web browser. This not only intercepts all the data shared (including your OTPs, PINs, and other information), but also changes the appearance of the browser, website, form fields, login fields, and responses received. It can also delete all transaction entries.
Passwords Aren’t Going Away Anytime Soon
In conclusion, I’d like to highlight three major challenges that are evident: slow adoption with current legacy systems, the lack of user protection once devices are stolen or lost, and lastly, the difficulty many users would have in upgrading to devices with the latest capabilities that support passwordless functionality.
MyPass believes that with a correctly implemented password policy in place, passwords aren’t the thing we should be running from or scared of. With that being said, MyPass has been very intentional in enabling our clients to implement and adopt strong password policies in their environment. For more on what password policies are, why they’re important, and how MyPass clients are implementing them, read up on our MyPass Password Policy Requirements.
For more information about how MyPass Password Manager or MyPass Identity Verification Manager can help your company establish password governance, protection, and user identification, navigate to www.mypass.co.za.