Passwordless authentication is not a new idea. As long ago as 2004 Bill Gates told the RSA Security Conference that “There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”

2004 was the year Facebook started up. YouTube came a year later, and Twitter in 2006. In 2007, Apple launched the iPhone. Gates was talking about passwordless authentication at a time before ransomware was something every company needed to be aware of and before cloud was a ‘thing’.

But still, organisations wanted to maintain device security, and passwords were recognised as not up to the task. They’re still not up to the task, yet we continue to use them even though passwordless authentication is proven to be more efficient, more effective and more secure, and to enable faster login across multiple computers and multiple sites.

There is something about human nature which means that we don’t necessarily take the optimal route. Just as individuals stick with banks and utilities suppliers that we know charge more than others rather than take the time to make a change, organisations can stick with processes and procedures that are familiar even when better options exist. Only when something bad happens is change triggered. House burglaries can trigger the purchase of alarm systems; cyber attacks can trigger a move to more secure systems.

Continued remote working could be the catalyst

Situational change on a wider scale can also be a trigger to take a new approach, and it is no exaggeration to say that we’re going through the biggest situational change since the Second World War. Organisations have learned to accommodate remote and flexible working because they’ve had to, not because they’ve chosen to. With that change has come the need for them to reconfigure their ‘safe perimeter’ to include user-owned computers and communications networks that don’t have the same level of security protection as corporate equipment.

The natural partner to making this move is a complete rethink of passwording. People just can’t be trusted to set reliable passwords, to change them frequently, to make sure they are strong, and to keep them secure. Forcing password change simply creates bad feeling and password reuse.

Two-factor authentication is little better as a solution. It still relies on a password, often with a second PIN disclosed to a mobile phone. I’ve heard that some businesses and schools are trying to implement two-factor solutions, but users do not feel comfortable disclosing a private mobile number as a means to authenticate and log on, so the business needs to provide a second phone to the user, which is expensive and gives the user the task of carrying two phones around. Asking people to do more to achieve a goal than they were doing before is a sure-fire way to disgruntle them.

Passwordless authentication removes all of these problems. It gives end-users less to remember, and less to think about. Login is faster, easier, and in comparison to tapping in passwords, waiting for a text to come through and tapping in a PIN, it is seamless and painless. While there are back-end systems for organisations to put in place, the gains of remote management are many, including immediate disabling of a key if a user says they’ve lost it.

Passwordless authentication makes users’ lives easier

Most importantly for users, they don’t need to remember a password – they just use a physical key small enough to sit on a keyring. It can be proximity-based if the laptop allows, or attached via USB, and relies on the easily administered personal biometric of a fingerprint scan. Passwordless keys don’t have to upload biometric data to a server, so there is no danger of personal biometric data being stolen.

As individuals, we are already growing accustomed to using personal biometrics. Many people use a fingerprint or facial recognition to log into their phone, and Windows Hello facial recognition on their laptop. Technologies often start in the consumer world and make their way to the corporate sector later, and the familiarity with biometric login could just be one of the factors that helps passwordless login finally become accepted.

Moreover, some of the biggest technology companies are deploying passwordless authentication at speed. Microsoft has deployed passwordless authentication for Azure, and is encouraging users to ‘go passwordless’.

Have the planets finally aligned for passwordless?

Seventeen years on from Bill Gates’ statement, could we finally be reaching the point where passwordless authentication gets the widespread adoption it deserves?

The technology exists, and is proven to be viable for companies small and large, and for individuals. What’s needed is the trigger that will motivate organisations to move to it, and the time for that may be right with the coming together of several key factors: endorsement by household name technology firms, a forced move to remote working, increasing consumer acceptance of biometrics and a seemingly inexorable rise of cyber attacks, many of which involve breaking passwords.

This article was originally published on Information Age on 9 April 2021