Why the Password Is Going Extinct

The vulnerability of passwords to hackers is giving rise to a host of passwordless authentication solutions.

Whether it’s a financial account, an account with an e-commerce retailer, or medical records, user names and passwords have been the most common authentication method for digitally accessing an account. Trouble is, passwords are prone to being compromised through a variety of attack vectors.

Three of the most common forms of password attacks are: spray attacks, in which a criminal acquires a list of user names, then attempts logins across all the names using the same password; a phishing expedition, in which the criminal attempts to trick a consumer into turning over her username and password; or a brute-force attack in which a hacker uses a computer program to try all possible letter, number, and symbol sequences character-by-character, until hitting the combination that accesses the user’s account.

Passwords can also be forgotten, which requires consumers to reset it. But resets can be annoying for consumers, as it means they have to create and remember a new password or write in down and keep it in a safe place.

On average, consumers and workers spend nearly 11 hours a year setting, entering, and resetting passwords, according to a 2019 study conducted by the Ponemon Institute LLC and sponsored by Yubico, a provider of hardware authentication.

Yet, from a business’s perspective, having customer-service representatives help consumers reset their passwords can be costly. A substantial fraction of consumers needs help resetting passwords, and the average call to a help desk costs $50, according to authentication experts.

Further, because it can be difficult for consumers and workers to remember all their passwords, they tend to create weak passwords or reuse the same one, or a slight variant of it, across multiple accounts and devices, which makes them vulnerable to hackers.

The Ponemon study also estimates the annual cost of productivity and labor loss per company for entering, setting, and resetting passwords averages $5.2 million a year.

For online merchants, 50% of shopping-cart abandonments are due to forgotten passwords. And e-commerce shoppers who have to reset their passwords typically spend less, according to the FIDO Alliance, which develops and promotes authentication standards that help reduce over-reliance on passwords.

Down With Passwords

“Passwords are fundamentally flawed, because they can be hacked, forgotten, and stolen,” says Andrew Shikiar, executive director and chief marketing officer for the FIDO Alliance. “It’s also tough to enter passwords on keyboardless devices. Plus, more than 80% of data breaches can be tracked back to passwords.”

That last point has spawned a saying among cybersecurity experts that hackers don’t hack any more, they simply log-in. Enabling hackers to come in through the front door using a password can be costly to businesses. The average cost of a data breach is $4.24 million, according to IBM Corp.’s 2022 Cost of a Data Breach report.

“It takes a slip by just one employee when it comes to password management to unlock the door for hackers,” says Mike Engle, chief strategy officer for 1Kosmos Inc., a provider of cloud-based distributed-identity solutions. “One of the best safeguards that can be taken is to eliminate passwords altogether.”

So what technologies will supplant passwords? One of the most popular alternatives is passkeys, which use cryptographic keys to identify devices.

A passkey consists of a key pair that includes one public key, which is registered with the Web site or app being used, and one private key, which is held only by the user’s device. Public passkeys are linked only with the Web site or app they were created for, which protects users from being tricked into using a passkey to sign in to a fraudulent site or app.

The private key never leaves the user’s device, such as a mobile phone or computer, so it can’t be leaked from a Web site or app. And consumers never have to remember or reset their passkey.

Passkeys, the FIDO Alliance says, are resistant to phishing, reliably strong, and are designed so there are no shared secrets.

‘Get Religion’

In October, PayPal Holdings Inc. announced it was adding passkey technology to replace passwords. To set up a passkey, PayPal customers log into PayPal.com with their existing PayPal credentials and are presented with an option to create a passkey.

Customers who choose to set up a passkey are asked to authenticate themselves with Apple Face ID or Touch ID, after which the passkey is automatically created. On the next visit to PayPal that requires a log in, the passkey will be used, eliminating the need to use or manage a password.

PayPal’s passkeys are synced with Apple’s iCloud Keychain, a secure credential-storage service, to help make them easier to use on iOS16, iPadOS 16.1, and macOS Ventura devices. For devices that don’t support passkeys, consumers can use an iPhone to scan a quick response code that appears after entering PayPal user-ID credentials.

At the time of the announcement, PayPal said passkeys would help improve the checkout experience by eliminating the risks of weak and reused credentials, and spare its customers from remembering
a password.

One advantage of passkeys is that the public key has no value by itself, as it must be matched to the private key. “Passkeys represent the ability to create strong and unique authentication effortlessly,” says Gary Orenstein, chief customer officer for
Bitwarden, a Santa Barbara, Calif-based open-source password-
management service.

Earlier this year, Bitwarden acquired Passwordless.dev, a European-based open-source startup. It enables developers to trim the work around cryptographic operations and technical flows to create passkeys and other forms of WebAuthn passwordless experiences in minutes using out-of-the-box code.

WebAuth is a core part of the FIDO2 specification, and is a modern open-authentication standard supported by browsers and technology giants such as Apple Inc. Google, and Microsoft Corp.

In 2022, Apple, Google, and Microsoft announced plans to expand their support for the passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. In doing so, the three tech giants opened the door for consumers to automatically access their FIDO sign-in credentials, which are often referred to as a passkey, on many of their devices, even new ones, without having to re-enroll every account.

In addition, consumers will be able to use FIDO authentication on their mobile devices to sign into an app or Web site on a nearby device, regardless of the operating system or browser they are running.

“With the major tech companies adopting the FIDO standard, now it’s up to merchants to request customers to adopt passwordless authentication,” says 1Kosmos’s Engle. “As competitors start to roll out passwordless capability we will start to see merchants get religion when it comes to passwordless authentication.”

A Pocket Scanner

But another form of passwordless authentication is also gaining momentum. This is biometrics, which authenticates individuals by unique physical characteristics, such as a fingerprint or facial recognition.

“Biometrics [is] definitely growing as an alternative to passwords. The largest driver of this is the incorporation of fingerprints and facial recognition in mobile devices,” says Michael Greenwood, a research analyst for Juniper Research. “This means that significant proportions of populations are walking around with biometric scanners in their pockets. The availability of built-in biometric frameworks within devices, such as Apple’s Face ID, makes it easier for these services to be leveraged.”

In many cases, biometrics is used in conjunction with passkeys to create layered, and hence stronger, authentication, Orenstein says.

One advantage of biometrics is that the technology is not vulnerable to many techniques used by hackers, such as brute-force and dictionary attacks. A dictionary attack attempts to break into a password-protected device or network by entering every word in a dictionary as a password.

The cost effectiveness of biometric authentication depends on the solutions and the use case, experts say. “Implementing fingerprint scanning for a banking app, or utilizing a mobile device’s pre-existing fingerprint scanner, can be very cost effective,” Greenwood says. “Alternatively, using hardware fingerprint scanners for employee authentication to log onto a company’s system would be more expensive and is significantly less scalable.”

One point businesses looking at biometrics for customer authenticate need to keep in mind is that consumer preferences for the technology can vary widely. For example, consumers who use fingerprint technology to access their mobile phones tend to be accepting of the technology when used for authentication in other scenarios.

“On the other hand, there are some consumers that don’t like biometrics,” Orenstein says. “There is a wide range of user personas, and they should be kept in mind when developing passwordless authentication solutions. Some consumers favor convenience, while some people also want a physical security key, and others prefer more battle-hardened security elements.”

‘Unfit for Online’

Another option gaining momentum is digital Identities. A recent study by Juniper Research forecasts that more than 4.1 billion apps that enable consumers to verify their identity online are projected to be in use globally by 2027, up 82% from 2.3 billion in 2023. Juniper defines a digital identity as a digital representation of an entity, which can be one or more individual pieces of identity data, an event, or a signal.

As adoption of these apps increases, Juniper projects consumers will move away from reliance on passwords in favor of biometric verification and multi-factor authentication under a zero-trust model, where identities are continuously authenticated.

While digital-identity apps are expected to grow in popularity, so too are digital wallets, which can hold key pieces of identification, such as a driver’s license, to verify a consumer’s identity online, Juniper says.

Digital wallets may be the primary competitor to identity apps, but one downside with wallets is that wallet providers struggle to monetize identity in the same way as they have payments, due to competition
from government-run schemes. This limits adoption, according to the Juniper report.

As passwordless authentication solutions become more commonplace, educating consumers about the importance of backing up their authentication apps will become a necessity. “A lot of people use authentication apps, but they don’t back them up across their devices,” says Orenstein. “There needs to be redundancy in passwordless authentication.”