Why the Future Is Passwordless (and How to Get Started)

Eugenio Marongiu / Shutterstock.com

Tired of memorizing or managing long lists of passwords? The good news: The future is passwordless. You might even be able to go passwordless (or almost sufficient) for some services that you already use.

What does “passwordless” mean?

A passwordless login eliminates the need to enter a password, whether it is one you remember or one that you keep track of in a password manager. You still need to remember an identifier like a username or email address, but you will need to use other means to prove your identity.

There are different degrees of passwordless implementations. The end goal for many is to get rid of passwords entirely, which would mean that it would be impossible to log in with a password at all. With some pre-existing approaches, you can optionally log in with a password, while you can verify your identity in other ways.

In order to get rid of passwords, various methods are used to verify who you are, who you say you are. This can be a mobile authentication app that only you have access to, biometric data like a fingerprint or face scan, a physical real device like a key card or USB stick, or less secure approaches like SMS or email codes.

Silver-colored USB stick in the shape of a key
Robert Frühauf / Shutterstock.com

You may need to use more than one method to prove your identity. Two-factor authentication has shown the importance of a multi-pronged approach, and depending on which approach is taken by the service you are trying to access, it may well be in the passwordless future.

Thanks to new standards such as web authentication (WebAuthn), advances have been made in providing passwordless logins. This approach eliminates the need to store biometric data such as fingerprint records or facial images on a central server, which could have devastating security implications that even a password breach cannot do justice to.

Web authentication allows sensitive data to remain on your device while only a key is sent to the server. The verification takes place locally on your device, which is then verified with a public key on the server. This eliminates the need to protect secret information on a server (like a password) as the secret only needs to be on your local device.

CONNECTED: Why You Shouldn’t Use SMS for Two-Factor Authentication (And What You Should Use Instead)

What are the advantages of working without a password?

One of the greatest advantages of passwordlessness is its simplicity. While most people are already used to using password managers, there are still some passwords (like master passwords) that need to be kept in mind. After all, you cannot save the database password in the database that contains your passwords.

By working without a password, you can instead verify your identity without having to remember anything. You may need to authenticate with a mobile app or scan your face or fingerprint and that’s it.

Not everyone uses a password manager when they should. Some still rely on the “little black book” approach, while others don’t use unique passwords for every new service they sign up for. While some services require two-factor authentication, many do not.

A book for your internet passwords and logins (do not buy)
Tim Brookes

Take a look at Have I Been Pwned to see how many data breaches have been linked to your email address and you will quickly see why so many are desperately trying to rid the world of passwords.

By completely removing passwords, you eliminate a weak point in account security. This will not happen overnight, and it will take time for many to come to terms with a future that uses alternative verification methods. The business world is already adopting solutions like YubiKey because the costs associated with password breaches can be so high.

Professional security key

These costs don’t always mean money either. Many services, such as banks and pension funds, require that you handle resetting the password over the phone or even via email. This costs both the bank and the customer time. Passwordless solutions won’t always go smoothly, but they place less emphasis on the end-user having to remember or protect any sequence of numbers, symbols, and letters.

CONNECTED: How to secure your accounts with a U2F key or YubiKey

Which services do you make passwordless?

At the time of writing, November 2021, only Microsoft allows you to work completely passwordless. This means that you can completely remove your password from your account and use Microsoft’s services including Xbox, Microsoft 365 and Windows without typing or pasting a password.

You can do this by downloading the Microsoft Authenticator app for Android or iOS and then signing in to your Microsoft account in a web browser. After signing in, select “Advanced Security Options,” then scroll down to Additional Security and click “Turn On” next to the option for a passwordless account.

Microsoft's passwordless account option

As part of the process, you’ll be asked to save some backup codes that you can use to sign in to your Microsoft account in case you lose access to the Microsoft Authenticator app. You can always visit Microsoft’s security options website again and turn off the feature that restores the password login to your account at a later date.

Google is also moving towards a passwordless future. The company announced in May 2021 that it is “creating a future where one day you won’t need a password at all”. If you have an Android device, you can use your smartphone to sign in to the web. Just sign in to your Google Account, tap Security, then choose Set Up next to Use Your Phone To Sign In.

Apple has also taken steps to implement passwordless web logins in Safari with iOS 15 and macOS 12 (released late 2021) still in consumer builds.

Apple’s Garret Davidson explained how his approach uses WebAuthn with a pair of public and private keys at a 2021 WWDC session:

With public / private key pairs, your device creates a key pair instead of a password. One of these keys is public; just as public as your username. It can be shared with anyone and everyone and is no secret. The other key is private … When you create an account, your device generates these two associated keys. It then shares the public key with the server.

Now the server has a copy of the public key … the private key stays on your device and only that device is responsible for its protection. If you want to log in later, don’t send anything secret to the server. Instead, you prove it is your account by proving that your device knows the private key that is associated with your account’s public key.

In plain language: Your device uses the public key to check locally on your device that you are who you say you are by “signing”. Since only your private key can generate a valid signature, only a device that knows your private key can pass the test. The server then checks your signature with the public key and decides whether you are granted access.

WebAuthn example in Apple WWDC 2021 session
Apple

This is a basic overview of how WebAuthn works, and how Apple plans to use it to replace passwords on their devices when combined with technologies like facial recognition and fingerprint scanning.

You can already turn off password requirements for Apple Pay payments, device sign-ins, and App Store downloads on your iPhone, iPad, and Mac, but this goes a step further and extends it to other services.

A passwordless approach is not perfect

No solution is perfect, hackproof, or completely foolproof. You could lose access to a device or leave something logged in, which could compromise your accounts. Even Face ID and Touch ID can be used on sleeping or unconscious people or by creating lifelike facsimiles of the biometric data sought.

CONNECTED: How deepfakes are fueling a new breed of cybercrime

Perhaps the biggest hurdle will be acceptance and convince most people that it is better to give up their passwords in order to break new ground.

But an imperfect solution is no reason to throw it away entirely. Passwords are out of date and impractical, and it’s time to move on. Two-factor authentication isn’t perfect either, but there are reasons why companies like Apple (and soon to be Google) make it mandatory.

The same goes for password managers. Learn why using your web browser as a password manager could be a bad idea.

Leave a Comment

Your email address will not be published.