Password management has always been a challenge for businesses, and it is a huge responsibility for regular users who deal with hundreds of passwords in their digital lives every day. The idea of a Globaldots passwordless authentication solution future sounds like music to everyone’s ears, right? Of course. But before we launch into being 100% Passwordless, let’s demystify what Big tech companies want to bring.
Big Tech wants to bring passwordless login to the masses this year
“In a joint exertion to make the web safer and more useful for everyone, Apple, Google and Microsoft announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.
This is great news. In recent years, we’ve seen Google and Microsoft talk about passwordless logins, and in fact, Google and Microsoft have already implemented similar services. However, this is one of the first times that all three have openly committed to the idea of using a single standard.
Internet security has become a very important issue, especially in the world of technology. And as password crackers have taken the world by storm, big tech is looking for better ways to protect your web data. That’s where the idea behind passwordless login came from. Instead of relying on a password or authentication code, the system relies on a specific device to give you access to your accounts.
It is more secure because bad players on the Internet cannot steal your password. However, there is always the risk of losing access to your device.
What does “Passwordless” mean?
Many mobile applications offer optional login using your fingerprint; if you accept, you are logging in with passwordless authentication. If you have Windows Hello enabled on your laptop, you might find it convenient to sign in using facial recognition, right? That’s passwordless authentication. As long as an alternative way to log in does not require a password, a passwordless method is being used.
However, there are a couple of interesting observations about this concept:
- The absence of a password does not necessarily mean that the password is being removed but rather that a passwordless user experience is being offered. If your alternative authentication method (such as facial recognition) fails, the password will usually still be there.
- The passwordless methods used on the phone and the laptop are not interoperable. If you log in to your mobile banking application using your fingerprint and now need to access it through the computer, you will need to provide your password.
The reality is that passwords are not going away anytime soon. Websites, streaming subscriptions, laptops, bank cards and bank website use passwords, each with different requirements, such as length or a specific combination of characters.
“Passwordless Authentication”: a step towards a more secure future?
As organizations increasingly adopt cloud strategies, traditional authentication methods may not provide the necessary security. Threat actors already know that many people reuse passwords, and security teams constantly fight the uphill battle of password hygiene.
Although passwords have a long history of use, best practices have evolved. Read on for our breakdown of the history of password strategies and what has been accomplished at each milestone.
The birth of passwords
In the early days of computation, passwords were used primarily to provide access to internal network systems. The teams used to be located behind locked doors because they took up an entire room. Passwords were used to control people’s time using the central computer, but the key to the room was the authentication process itself.
The evolution of the authentication process
When desktops became the norm for business processes, passwords and authentication had to evolve. At the time, passwords provided access to both a physical device and internal organization networks. This is because the computers were still physically connected to the local area network (LAN) using an Ethernet cable. Without wireless connectivity or the ability to access the LAN from outside, password authentication on the device functioned as a secure connection.
The Internet (and the cloud) changes everything
In recent years, wireless connectivity and cloud adoption have changed everything about passwords. Passwords and authentication have created new attack vectors for threat actors. With a password, they could access corporate resources from anywhere in the world.
Password strategies have become increasingly complex. Now, organizations need to establish and enforce policies regarding the following:
- password length
- A combination of uppercase and lowercase letters
- the use of numbers
- The use of special characters
- Password rotation periods
With these new requirements, many people used easy-to-remember passwords, often reusing the same password in multiple places. In doing so, they undermined the purpose of password policies, giving threat actors a way to steal credentials or engage in dictionary attacks.
In an attempt to mitigate these new risks, organizations have begun to adopt multifactor authentication (MFA), which requires users to use a combination of two or more of the following:
- Something they know (a password)
- Something they have (a token or a smartphone)
- Something of your person (biometrics)
Unfortunately, malicious actors can still find ways to circumvent these controls. For example, they often use social engineering attacks to intercept, impersonate, and forge text messages. In the end, even the best security practices become problematic and inherently risky.
The step to the absence of passwords
As threat evolve their strategies, businesses must keep up and protect digital assets. Thus the move was born to the absence of passwords. Although it’s easy to confuse no passwords with multifactor authentication, the latter is only one part of a passwordless strategy. Passwordless authentication makes the “something you have” factor the primary way to authenticate in an environment.
Here are some examples of passwordless authentication strategies:
- One Time Password (OTP)
- Unique link sent by email
- Persistent cookie
- secret PIN
- SMS or code generated by an application
- Public Key Infrastructure (PKI) Personal Authentication Certificate
- biometric authentication
Conclusion:
Passwordless login is not a new idea; hundreds of companies and service providers already offer standards compatible with billions of devices and browsers. However, this is a notable move because Google, Apple, and Microsoft are the three (if not the) biggest tech companies out there. As such, they are putting more support for FIDO passcode technology on your devices will be a big step for the standard.
These companies say that working with a standard login method is critical to creating a secure alternative. This will allow each device to provide the same level of security and security for users. FIDO is also working to support more devices for its password systems, which is another major improvement.
As I mentioned earlier, Google has already worked on passwordless login. But seeing these three tech companies step up and accept the FIDO standard is good news for consumers worldwide.