Passwordless: What Does a World Without Passwords Look Like?

Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Rohan Ramesh of Entrust poses the question, “What does a world without passwords look like?” And examines if a passwordless world is obtainable.

The use of passwords is ubiquitous – whether you are logging into your favorite streaming service, social media platform, or mobile bank account, or accessing emails and files at work every day. Yet, 51 percent of consumers are resetting a password at least once a month simply because they can’t remember it. Moreover, 74 percent of respondents will choose biometrics half the time or more.

Consumers are tired of constantly being prompted to enter their credentials to access different apps and sites. Password managers are becoming less helpful and can become expensive as some begin to require a subscription. As a result, this contributes to bad habits, such as weak and re-used passwords, that lead to compromised credentials and costly cyber breaches.

The increased challenge in password use has resulted in members of the Cyber Safety Review Board calling on the government to eliminate passwords nationwide. But what does this really look like in practice, and how can businesses prepare their organizations and their employees?

Passwordless: What Does a World Without Passwords Look Like?

Can We Really Go Passwordless?

We already use passwordless authentication features daily. Smartphones have been using biometric features like fingerprint or face ID for years. Biometric authentication methods are more convenient and secure than passwords, and it is clear consumers prefer them. Benefits of passwordless authentication include:

• Improved user experience: Consumer preference is moving away from passwords as they can be hard to remember and tedious to keep track of. Passwordless authentication, when combined with risk-based step-up authentication, provides security without introducing any unneeded friction and frustration. This creates a very high degree of user-friendliness while also ensuring a high degree of security when relying on high-assurance PKI certificate-based authentication. Ultimately, this only introduces friction in the authentication process when necessary for an extra layer of verification, based on a risk score that takes into account contextual information such as IP address, velocity, behavioral biometrics and more.
• Stronger security: While not all passwordless technology is safe from cyber-attacks like phishing and MFA bypass, passwordless authenticators that combine biometrics with phishing-resistant authentication including digital certificates or cryptographic key pairs (via FIDO2 keys and passkeys), offer higher security and can protect against account take over (ATO) attacks.
• Reduced total cost of ownership: Passwords require time, money and constant updating from both the user, their employer and the IT department. Removing passwords eliminates these costs and constraints, such as having to constantly reset a password and costs from a potential breach. By relying on more efficient and secure passwordless authentication methods (e.g., certificate-based authentication), employers can rest assured their data is protected.

Business Considerations for a Passwordless Workplace

Businesses considering a move to passwordless features should first examine their methods already in use and where they can make improvements. Too many organizations either still rely on a single-factor authenticator like the password or enable relatively weak multi-factor authentication (MFA) with an over-reliance on one-time passcodes (OTP). We know the future is digital − consumers are increasingly seeking new, digital verification methods that allow them to securely share their identity credentials seamlessly and quickly.

Passwordless authentication is an investment in security, but deployment costs can vary depending on the size of an organization’s existing user directory and authentication mechanisms. The technology needed to adopt a passwordless authentication approach may already be in use, but it could require new technology purchases. At its core, adopting high-assurance passwordless authentication that includes proximity detection and certificate-based authentication will eliminate security threats from remote-based account takeover (ATO) attacks and improve the overall user/employee experience – making it worth the investment and saving companies money in the long term.

Going passwordless does not have to mean completely getting rid of all existing physical IDs. In fact, physical IDs will still play an integral part in identity verification going forward. As we enter a hybrid future, consumers, for example, will be able to use a passport document to enroll for digital identity and use that online alongside a picture of their identity. Additionally, they could use their phone to read a chip in the physical passport as needed to verify the document. This same technology could soon be applied to the workplace.

In addition, physical credentials will soon be used as part of an identity verification process that can be a step-up authentication mechanism when dealing with out-of-policy authentication, high-value transactions and privileged users that access critical systems.

A Passwordless Future

A truly passwordless solution can improve security, reduce costs, and allow for happier, more productive employees and consumers.

Consumers are increasingly seeking new, digital verification methods that allow them to securely share their identity credentials seamlessly and quickly. This is the promise of decentralized identity, which, if realized in the future, enables consumers to only share the identity information they want, when they want to. Decentralized identity removes the reliance on centralized third parties, and passwords, allowing consumers to retain control of their key identity credentials themselves, creating an easier and more secure approach to daily verification that can be used across industries for travel, online transactions and more.

We will find that as digital adoption goes up, and with secure passwordless technology getting easier to implement, businesses have the control and convenience they desire without having to sacrifice security.