The Passwordless Hype: A Reality Check

The credential crisis is real—as evidenced by the many data breaches that can be traced back to a single origin point: passwords.

The urge to find a passwordless solution is completely natural. New authentication methods are thought to be the silver bullet to this problem. There is a growing number of options available, including single sign-on (SSO), various multifactor authentication (MFA) solutions, and ‘passwordless’ options too.

One of the primary issues with password security is that users have tens if not hundreds of passwords to remember. The majority of users end up choosing weak passwords or relying on password reuse as a habit, resulting in overall poor cyber hygiene.

A passwordless solution is certainly enticing, from both the user and IT professional point of view. 

Without complicated passwords, authentication happens using something a user “owns, knows, or is.” Examples of this might include a hardware token provided by a company, a one-time password (OTP), or a biometric marker like a fingerprint. Major companies including Apple, Google and Microsoft are all rooting for a passwordless future.

But there’s one issue: beneath the alluring surface of ‘passwordless’ solutions are… passwords. 

Passwords are the Backup Solution.

Though facial recognition and fingerprint scanning are both useful, there are many situations in which these technologies won’t work. Wearing a mask, debris on a Touch ID button, or other interruptions of this technology are common—and when that happens, users are prompted to enter their password.

In the same vein, passwords are also lurking in the background of the security chain. If an organization relies on biometrics for entrance into a building or onto a system, users might think they are operating a passwordless system. But when an administrator logs in to monitor the data and ensure security, they will most likely be using a regular set of credentials, including a password. That means there is still an equally accessible entry point into the entire system, and it depends on a single password.

So while the desire for passwordless solutions is certainly understandable, the reality is that we are truly not there yet.

Beyond the optical illusion is another reality too: that biometrics, and other “invisible” passwordless authentication methods, are expensive and difficult to implement on a wide scale, and completely inflexible.

If a company wanted to change all its authentication technologies over to biometrics, it would need to update all of its hardware, including company laptops, so that everything had biometric scanners built in. Not only would that be extremely costly, but organizations looking to do such an overhaul would also certainly encounter compatibility issues with legacy software and hardware.

As far as flexibility is concerned, passwordless solutions are notoriously difficult to change, alter, and update. This becomes a huge issue when a breach happens and a user’s voice and fingerprint data are exposed. Unlike a password, compromised biometric data cannot be reset, so there is no easy way to restore trustworthy identity checks once it has leaked.

Comparatively, passwords are still cheap, ubiquitous, and provide an opportunity for change.

This isn’t to say that there aren’t issues with passwords—there certainly are.

Weak credentials, pervasive password reuse, and casual password sharing introduce a hotbed of vulnerabilities. Instead of rushing towards an expensive mirage of a fix, organizations can and should be doing much more to secure credentials as they are.

According to NIST password guidelines, screening credentials is one of the most immediate and zero-friction ways to improve contemporary password management strategies. Screening passwords when they are created, and then continuously re-checking them against a constantly updated blacklist of compromised values, is an important component of a modern approach to password security. If a password does become compromised, organizations can easily force a password reset, potentially stopping a breach in its tracks.
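As an added illustration of the screening step described above (example code written for this page, not from the original post or any vendor), the following Python implements the checks NIST SP 800-63B actually calls for: a length floor, no context-specific words such as the username, no composition rules, and a lookup against a list of known-compromised values, both at creation and again at login once the list has been updated. The compromised list here is a constructed sample, not real breach data; `range_lookup` is a local stand-in for the k-anonymity range-query pattern some breach-checking services use, where only the first five hex characters of the SHA-1 leave the client.

```python
"""Password screening in the spirit of NIST SP 800-63B.
Added example: the blocklist is a constructed sample, and range_lookup
simulates a k-anonymity lookup locally rather than calling a real service."""
import hashlib
from typing import Iterable

# Constructed sample of "compromised" passwords (hypothetical, not a real feed).
_COMPROMISED_SAMPLE = ["password", "123456", "qwerty123", "Summer2023!", "letmein"]


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased to match common breach-list formats."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_blocklist(passwords: Iterable[str]) -> set:
    """Keep hashes rather than plaintext so the list itself is not a credential dump."""
    return {sha1_hex(p) for p in passwords}


BLOCKLIST_V1 = build_blocklist(_COMPROMISED_SAMPLE)


def range_lookup(prefix: str, blocklist: set) -> list:
    """Stand-in for a k-anonymity range endpoint: the client sends only the first
    5 hex characters of the hash, and the server returns every matching suffix.
    The full hash (and therefore the password) never leaves the client."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return [h[5:] for h in blocklist if h.startswith(prefix)]


def is_compromised(password: str, blocklist: set) -> bool:
    """Client side of the range query: compare suffixes locally."""
    h = sha1_hex(password)
    return h[5:] in range_lookup(h[:5], blocklist)


def screen_password(password: str, username: str, blocklist: set,
                    min_length: int = 8) -> list:
    """Screen at creation. Returns rejection reasons; an empty list means accept.
    Note what is absent: no forced symbols or digits (SP 800-63B advises against
    composition rules), only length, context words, and the compromised list."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too_short")
    if username and username.lower() in password.lower():
        reasons.append("contains_username")
    if is_compromised(password, blocklist):
        reasons.append("compromised")
    return reasons


def rescreen_at_login(account: dict, password: str, blocklist: set,
                      list_version: int) -> bool:
    """Continuous monitoring. Stored passwords are (or should be) salted slow
    hashes that cannot be compared to a blocklist, so the plaintext is only
    available at login; re-screen then if the account was last checked against
    an older list. Returns True when a forced reset should be triggered."""
    if account.get("screened_version", 0) >= list_version:
        return False  # already screened against the current list
    account["screened_version"] = list_version
    if is_compromised(password, blocklist):
        account["force_reset"] = True
        return True
    return False


if __name__ == "__main__":
    print(screen_password("Summer2023!", "alice", BLOCKLIST_V1))      # ['compromised']
    print(screen_password("correct horse battery staple", "alice", BLOCKLIST_V1))  # []
    acct = {"screened_version": 1}
    v2 = BLOCKLIST_V1 | build_blocklist(["correct horse battery staple"])
    print(rescreen_at_login(acct, "correct horse battery staple", v2, 2))  # True
```

The version number on each account is what turns a one-time check into ongoing monitoring: every time the blocklist is refreshed, the next login re-screens the password without the organization ever having to store or transmit it in the clear.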

While a passwordless future remains desirable, the industry would do better to address the problems with immediate solutions.