The power and efficacy of the password

Discussion of a password-free future has significantly heated up — again — recently. Several big tech companies have been working toward the concept for nearly 20 years. Then, in May 2022, Apple, Google and Microsoft joined forces in a highly uncharacteristic synergy to expand support for passwordless authentication systems across various platforms.

Passwords are not going away

The word “passwordless” is simple, elegant and sublime, but somewhat exotic. The truth is that a passwordless world is very far from becoming a reality, if it ever will. No one likes passwords, but they are intrinsically linked into the backend architecture of authentication and encryption systems by design. This is not by virtue of trying, working hard or even dreaming. It is merely a function of how encryption schemes work. For example, smartphones and other tokenized devices are subject to theft, loss and bugs to start with. Even with biometrics, short of getting surgery, it is impossible to change your fingerprint, retina or face after the associated data has been stolen or compromised by cybercriminals.

Password use is growing at a significant rate

What’s more, not only are passwords intrinsic to the way modern connected devices work, those devices are now everywhere. In just the past three years, the number of IoT devices fueled by distributed work and the proliferation of cloud-based computing have caused an exponential increase in the number of passwords. 

Employees are working from virtually anywhere and, often, on unsecured networks. All of us now rely on a massive array of cloud-based services. Both the public and private sectors are using more devices of different types and with different operating systems and authentication schemes than ever before. All this has driven a significant boost to the password. Every website, native application, system and database requires passwords at some level — even if biometrics are used as a convenience factor. The fact is that robust encryption keys cannot be generated without a password. Even single sign-on solutions require a password, at some level in the architecture, to authenticate a user — prior to the user transacting with SAML-compliant authentication services.

Password security issues and human behavior are intrinsically linked

Businesses around the world have tried to stay on top of advanced and progressive hybrid working styles by implementing new levels of security, although the password still remains the core pillar of a security system. Cybersecurity teams are struggling to keep up with the changing habits of their workforces, the massive increase in cloud-based applications, the infrastructure they need to manage and secure, and yes, the onslaught of more sophisticated cyberattacks. 

IT organizations are faced with a pervasive and critical dilemma regarding how to gain visibility, security and control over the entire organization’s infrastructure. This means keeping one eye on every single user on every device as they transact with every website, application and system in the organization — and do so from different locations and networks. Thus, cybersecurity solutions today require greater convergence and ubiquity in terms of threading together key identity and access management solutions in a single platform.

Verizon’s 2022 Data Breach Investigations Report highlighted that password security issues accounted for 80% of all data breaches globally. However, this is not caused by technical weaknesses, but by human failure to practice good password hygiene. Most people will know what best practice looks like, such as creating long and unique passwords for each individual account they have. Yet, according to our latest Workplace Password Habits research, almost half (44%) of respondents admitted to using the same password across both personal and work-related accounts. 

Educating people about the importance of strong password security must become an essential component of digital security policies for businesses worldwide. The risk of a cybersecurity breach will be significantly reduced if we make cybersecurity training a formal onboarding step for all existing employees and new hires.

The future of the password

That said, more promising is the growing movement towards a future of password identification and authentications relying on zero-knowledge architecture in organizations. These innovations ensure that the company developing the software that protects the organization cannot access and decrypt the data within.

We have also seen significant growth and advancements in the use of multi-factor authentication (MFA), which is extremely effective in mitigating password attacks given its multi-user device communication. It should be treated as a default requirement in strengthening any organization’s security posture.

Notwithstanding this, an effective cybersecurity solution will not be entirely driven by technological muscle power or money. Infrastructure and organizational complexity coupled with cybersecurity models often impair technology-driven disintermediation. There are over 1.1 billion websites globally — not including the billions of native applications, systems and databases which require both authentication and encryption schemes. Given these metrics, think about the time it would take and the collaborative logistics that would be required to achieve mass migration and adoption to a single, passwordless authentication scheme that meets both authentication and encryption requirements.  

Passwordless solutions have not provided a full end-to-end solution

Kudos to the many industry innovators who have introduced alternative forms of authentication. Apple introduced Touch ID a decade ago and subsequently launched Face ID in 2017. With Windows Hello for logging into certain computing devices, Microsoft pioneered ditching front-end passwords for fingerprints and facial recognition. We will continue to see new innovations in security management such as the use of artificial intelligence (AI) or biometric authentication. 

None of these innovations has killed the password, for the many reasons covered above. The backend of any hardened system requires passwords and layered encryption keys to protect user data. Passwordless solutions have not provided a full end-to-end solution for identity and access management. Instead, they have become a positive “feature” as part of the authentication scheme, one that works especially well in two-factor authentication scenarios. Your face, finger, voice and even your DNA are ultimately a proxy for a password, which remains at play behind the scenes. Further, there is a healthy debate about how the major tech players and other OEMs will be able to marry and create a single platform with agnostic features that work across any device and any browser. And what happens if a biometric breaks or is stolen?  

The pursuit of a passwordless future is both positive and bold

To be sure, these latest innovations are brilliant, and more will appear, but it is just not realistic to believe that passwords will disappear anytime soon. We might remove the manual process of having to enter a string of numbers and letters to get access to whatever we need. But losing passwords altogether is a myth. The best we can do is provide the utmost support for their safe use.

Darren Guccione is CEO and co-founder of Keeper Security.