Alex Laurie, SVP Global Sales Engineering, ForgeRock, tells us why this year will see the expiration of the password – a security model which has long been the most common authentication method – and how the foundations for a passwordless future have already been laid.
The pandemic trained consumers to expect better online experiences as everyone went digital to manage their lives. This fundamental shift has intensified pressure on businesses to deliver enjoyable experiences without compromising security or control. This new requirement will be a major differentiator between businesses competing for the same customers in the coming years – and will determine which brands thrive.
Central to meeting this goal will be how businesses manage the authentication of their customers and users. In general, authentication should achieve three objectives: keeping the account secure, preserving a smooth user experience and linking a user to their account or online identity. Password-based authentication is by far the most common authentication method, but it fails on the first two of these three counts.
The username-password model is broken. In 2022 alone, more than 2 billion usernames and passwords were breached, a 35% increase on 2021, and almost half of all breached records included some form of login credential. On top of this, up to 40% of all helpdesk enquiries relate to passwords, a huge drain on company resources.
So, why will this year be the year that passwords finally expire?
Enterprise security’s weakest link
Passwords are often an organisation's weakest link. Given the costly implications of account takeover, which has skyrocketed by 307% in recent years, and the colossal deficit of trust that such incidents cause, the stakes have never been higher.
The number of digital identities per person has risen sharply in recent years. The average American now has over 150 online accounts, according to some estimates.
Each of these accounts is a separate attack vector, and with increasingly sophisticated malicious tooling available to them, threat actors are almost spoilt for choice when it comes to identity theft.
Through phishing, password spraying or brute-force attacks, cybercriminals can gain access to vast amounts of information through a single compromised account, and because people reuse passwords across services, one breach tends to lead to further breaches.
Businesses have rightly started to move beyond password-only security, embracing authentication methods like MFA (which comes with its own benefits and drawbacks), but at the end of the day modern cybersecurity can feel like a numbers game for the unprepared, and the odds are stacked in the cybercriminals' favour.
Forget about forgetting passwords in 2023
Luckily, a passwordless future may not be as far away as it sounds. In fact, the technological infrastructure and standards framework already exists.
Smartphone manufacturers like Apple and Samsung have spent the last decade laying the technological foundations for passwordless authentication (device-bound biometrics such as fingerprint and face unlock), while also driving a huge shift in behaviour and consumer preferences towards passwordless authentication.
Now, this access technology is moving into other forms of authentication, like software-based biometrics. Because software-based biometrics don't rely on special sensors but on the high-quality cameras in mobile devices, they allow cross-platform use, so users can carry their authentication method across multiple accounts and applications.
Another important driver of passwordless authentication has been the FIDO (Fast IDentity Online) Alliance. With the help of its community of identity, security and biometrics experts, the FIDO Alliance has developed and promoted free, open standards that have taken passwordless authentication to the next level.
On World Password Day (5 May 2022), Apple, Google and Microsoft jointly announced that they were building support for FIDO2-based passwordless sign-in into all of the desktop, browser and mobile platforms they control. Crucially, all three emphasised that cross-platform functionality will be a high priority in the development of these features.
With billions of users and devices between them, this will no doubt be a watershed moment for passwordless authentication. The security-relevant point is that a FIDO2 credential is a key pair scoped to the relying party's domain: the private key never leaves the device, and the browser binds each sign-in to the real origin, so the credential cannot be phished, sprayed or reused across sites. Alongside MFA, these technologies will create a better, smarter, more secure user experience.
The scene has truly been set for a mass password exodus; businesses now need to seize the opportunity with both hands.
The behavioural biometrics revolution
Another promising piece of the passwordless technology jigsaw is behavioural biometrics. While still (relatively) early in this next phase of the biometrics revolution, the signs are already promising.
Continuous authentication captures and evaluates behavioural characteristics, contextual clues like GPS and the way a user interacts with a device throughout a session, building a profile or risk score that keeps authenticating the user rather than checking once at login. This could unlock immense value for businesses and their customers, amplifying the benefits of the other forms of passwordless authentication outlined above, extracting more value from legacy systems, reducing friction and improving security.
For consumers, continuous authentication promises more choice, security and convenience, with behavioural analytics working in the background to protect them without introducing unnecessary friction.
However, a lack of friction should not be confused with a lack of security. When the correct balance is struck and behavioural biometrics are implemented alongside AI and traditional security methods like MFA, both customer experience and security will improve.
Forging ahead with passwordless
When even password managers are ditching passwords, you know the writing is on the wall.
Customer expectations about online experiences and passwordless authentication are changing. It’s on businesses to make sure they’re changing too.
Once and for all, the days of the password might finally be numbered.