Are Passwords (and Traditional Access Management) Dead?

Yes, that is an alarmist title, to be sure. But it’s a question that is grounded in some measure of reality: from their once lofty position as the keystone of authentication solutions, passwords do appear to be fading into irrelevance and obsolescence. Reports of growing distrust of passwords are becoming ubiquitous. What is motivating this change in access management thinking? And what will replace passwords?

Here’s the situation:

Passwords: Access Management Tool or Impediment?

Every year, researcher SplashData compiles the very worst passwords—defined as being easy to crack or guess—still in use by adults. In 2017, old shames such as “123456” and “Password” returned to the top ten list (although personal favorite “guest” did not appear). What makes these findings stunning, from an access management perspective, is that about 10% of adults use at least one of the 25 worst passwords; 3% used “123456,” the password ranked the #1 worst.

These passwords constitute a major security vulnerability for enterprises of every size. A study by Verizon found that 63% of confirmed data breaches in 2017 involved weak, reused, stolen, or default passwords. A similar study by LastPass placed that percentage at 81%. Surveys by Pew Research indicate that people know just how dangerous these password strategies are, yet 61% use them anyway.

The more studies become public, the more it seems that passwords are a vulnerability in and of themselves. But is there something else contributing to the problem?

How We Store Passwords, Human Error, and Other Flaws

Perhaps we can’t blame people for their poor password hygiene. Some studies place the number of passwords an average individual needs to remember at 150, and 89% of users keep track of their passwords by memorizing them. After 150 passwords, giving in and using “password” becomes far more understandable.

Some enterprises try to combat this issue by enforcing longer, more complicated passwords (“it must have at least one number, capital letter, and random symbol”) and mandating that employees change them every few months. But this actually feeds into the problem, as employees desperately try to remember all the different passwords and their variations that accumulate over time. Most will end up writing them down somewhere, such as in their browser, despite this being a well-known security hole.

According to Pew Research, 39% of users find it challenging to keep up with their passwords as is—this corporate strategy can only exacerbate their anxieties. You might assume a password manager can solve this problem, but only 12% of Americans use that kind of solution. Even if they did, it wouldn’t change the fact that passwords are the easiest access management authentication factor to crack.
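The argument above is that composition rules (“one number, one capital, one symbol”) and forced rotation push people toward predictable variations of the same weak passwords, while the SplashData list shows the passwords that actually get used. The following is an added example, not code from the article, that contrasts the two approaches: a composition-rule check that happily accepts “Password1!”, and a length-plus-blocklist check that rejects it because it normalizes to an entry on the worst-passwords list. The blocklist here is a constructed handful of entries (the ones named in the article plus two obvious additions); a real deployment would load the full SplashData list or a breached-password corpus.

```python
from typing import List
import unicodedata

# Constructed, illustrative blocklist. "123456", "password" and "guest" come from
# the article; "qwerty" and "letmein" are added for the example. Stored casefolded.
COMMON_PASSWORDS = {"123456", "password", "guest", "qwerty", "letmein"}

MIN_LENGTH = 12  # assumed policy minimum for this example


def meets_composition_rules(pw: str) -> bool:
    """The classic 'one capital, one digit, one symbol' rule the article criticises.
    It accepts 'Password1!' without complaint."""
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    return has_upper and has_digit and has_symbol


def normalized_forms(pw: str) -> List[str]:
    """Produce the forms of a password that are compared against the blocklist:
    the casefolded string itself, and the same string with trailing digits and
    symbols removed, so 'Password1!' and 'Guest2019!' collapse to 'password' and 'guest'."""
    folded = unicodedata.normalize("NFKC", pw).casefold()
    stripped = folded.rstrip("0123456789!@#$%^&*.-_")
    forms = [folded]
    if stripped and stripped != folded:
        forms.append(stripped)
    return forms


def check_password(candidate: str, blocklist=COMMON_PASSWORDS, min_length: int = MIN_LENGTH) -> List[str]:
    """Return the reasons a candidate password is rejected; an empty list means accepted.
    Deliberately no composition rules and no expiry: length plus a blocklist is the check."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if any(form in blocklist for form in normalized_forms(candidate)):
        reasons.append("matches a common/breached password")
    return reasons


if __name__ == "__main__":
    for pw in ["123456", "Password1!", "Guest2019!", "correct horse battery staple"]:
        print(f"{pw!r}: composition={meets_composition_rules(pw)} rejected_for={check_password(pw)}")
```

Running the block shows the mismatch the article describes: the composition check passes the weak variants and fails the long passphrase, while the blocklist check does the reverse.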

But what would replace passwords?

Biometrics, Blockchain, and 2FA

In the IBM Security Future of Identity Study, only 27% of survey respondents considered passwords secure as an authentication factor. At the same time, 70% said they value security over convenience in their authentication methods. So which factors are considered more secure?

Biometrics, the darling of identity and access management, seem to be on the rise in public opinion. The theory goes that biometric authentication factors, such as fingerprints, cannot be lost or forgotten, are distinctly individual, and are quite hard to replicate. But with popularity comes increasing scrutiny, specifically of how biometric authentication data is stored on servers, of the effect of aging on biometric data, and of the problem of false positives and false negatives.

Others suggest that blockchain systems could replace passwords if paired with biometrics: blockchain’s built-in encryption makes it nearly impossible (thus far) to crack, and its decentralized nature makes it difficult to hack directly. A user could access their identity data from any device using their fingerprint, without fear of compromise. However, blockchain technology is still in its infancy, and it has not been definitively proven that it is as impossible to hack as claimed. And while enterprises are exploring blockchain’s identity and access management capabilities, it is far from certain that it can be applied in that manner.

The most likely scenario for the future is that biometrics and blockchain are combined with passwords in two-factor or multi-factor authentication. Experts seem to agree that two-factor authentication, at the least, will supplant single passwords, as any one authentication factor is vulnerable by itself. Passwords would still be necessary, but only as a part of the scheme rather than the sum of it. However, with passwords being so reviled, it is not impossible to conjecture a future where they are completely absent from access management.

The question may be how soon that future comes.

Ben Canner