Password alternatives are on the rise: is this the beginning of the end for passwords?
At first glance, the humble password appears to be under threat. Owners of Apple’s latest iPhones can now unlock their phones and use Apple Pay simply by scanning their face. Microsoft’s Authenticator app now makes password-free logins a possibility. The latest range of USB security keys from Yubico now lets people do away with passwords altogether.
However, in this post, we’ll aim to show that no matter how annoying passwords may be, they aren’t going anywhere quite yet.
Microsoft’s Authenticator app still needs a password
While Microsoft's new ‘password-free login’ app seems revolutionary, it isn’t about to consign passwords to the history books just yet. The Authenticator app still requires you to use your actual password, but only once. When you set up the app, you log in using your password for the first time and have the option to use the app instead of your password when you log into other services in the future. Far from ushering in a password-free future, using this app means that you’ll need to keep your password in case you ever have to reinstall the app or change devices.
On the plus side, using the app saves you the time and hassle of entering your password regularly. It works much like two-factor authentication, with the app’s confirmation step replacing the need to enter your password, and it is arguably safer than receiving confirmation codes by text message.
Google’s two-factor prompts are even more streamlined
Android users can appreciate that Google’s two-factor prompts are already far more streamlined than Microsoft’s app-based solution. By making use of Android OS, Google sends notifications to your designated device and requires you to simply tap to confirm. Although this system requires no standalone app, it does require you to type in your password when you want to access your Google account on another device.
Yubico’s YubiKey is an even wider-ranging solution
One of the strongest attacks on the humble password has come from Yubico’s new security keys, the YubiKey. These devices use the open FIDO2 authentication standard and replace your passwords for any service that supports this standard. There are four types of keys with varying capabilities and styles for both desktop and mobile devices. Whereas Google’s new Titan security keys simply increase the strength of passwords without replacing them, the YubiKey offers true password-less authentication.
Biometrics are also challenging the dominance of passwords
As we mentioned earlier, Apple recently unveiled Face ID depth-sensing technology for its latest iPhones. Microsoft has introduced a similar password-free login strategy with its innovative 'Hello' feature. This provides Face ID-like functionality on webcam-equipped computers.
At first glance, the future looks bleak for passwords. The rise of an as-yet-unknown new de facto security standard seems inevitable – or is it?
You still need passwords to encrypt data
The password’s saving grace is that you can’t encrypt data with biometrics. Yet. Sure, biometric access is great for unlocking mobile devices or logging into an app. But securing data on a device requires a passcode at setup, and every time the device is rebooted, you’ll need that code. The only way to encrypt data is to use an encryption key. Even the latest iPhones with sophisticated face-mapping sensors still require the owner to set up a passcode to encrypt the data.
A number of firms are working on solving this fundamental challenge. NoPassword, BIO-key, and LastPass are researching technologies that could let people do away with the need for a master password. BioSec is researching "palm vein recognition" to encrypt data using biometric data and Fujitsu is looking to do the same with its authentication service. But this leads to another intrinsic problem: biometrics can’t be updated.
Passwords can be changed or updated
As has been demonstrated, hackers can still find ways around biometric access such as facial recognition. Unlike passwords, biometric identifiers such as your fingerprints or irises cannot be changed or updated. The threat is that if hackers steal people’s biometrics, the victims can’t simply change the data. Passwords will remain critical to how we access hardware and information purely because they can be changed and updated with ease, should security be breached.
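An added example (not part of the original post) of the two points above: an encryption key derived from a passcode, and a passcode change that re-wraps the same data key so the encrypted data itself is untouched. The function names, the iteration count and the XOR-plus-HMAC wrap (a standard-library stand-in for an AEAD key wrap) are assumptions of this example, not any vendor's scheme.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example


def derive_keys(passcode: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch a passcode into a 32-byte wrapping pad and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def wrap(passcode: str, data_key: bytes) -> dict:
    """Protect a random 32-byte data key under a passcode-derived key."""
    if len(data_key) != 32:
        raise ValueError("data key must be 32 bytes")
    salt = secrets.token_bytes(16)  # fresh salt, so the pad is never reused
    pad, mac_key = derive_keys(passcode, salt)
    ct = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unwrap(passcode: str, blob: dict) -> bytes:
    """Recover the data key; an inexact passcode fails the integrity check."""
    pad, mac_key = derive_keys(passcode, blob["salt"])
    expect = hmac.new(mac_key, blob["salt"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        raise ValueError("wrong passcode or tampered blob")
    return bytes(a ^ b for a, b in zip(blob["ct"], pad))


def change_passcode(old: str, new: str, blob: dict) -> dict:
    """Replace a compromised passcode: same data key, new wrapping."""
    return wrap(new, unwrap(old, blob))


if __name__ == "__main__":
    data_key = secrets.token_bytes(32)              # key that encrypts the device data
    blob = wrap("constructed-passcode-1", data_key)  # constructed sample passcodes
    rotated = change_passcode("constructed-passcode-1", "constructed-passcode-2", blob)
    print("data key unchanged:", unwrap("constructed-passcode-2", rotated) == data_key)
```

The derivation only succeeds when the input matches exactly, and the secret can be replaced at any time by re-wrapping, which is the property the text says a stolen biometric lacks.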
Passwords don’t tie you to one particular device
Another benefit of passwords is that you can use them across a whole range of devices. Imagine you secure your iTunes account with Face ID on your new iPhone but then find yourself wanting to log in on a different computer. Of course, the computer won’t have facial recognition so using a password will be inevitable.
While password-less login apps and biometric access are becoming increasingly widespread, the humble password isn’t going anywhere. As we’ve seen, passwords are essential for encrypting data and give people the freedom of not being tied to one particular device. High-risk environments such as banks and hospitals will continue to require multiple authentication factors and passwords will continue to be part of the mix for quite some time to come.