
Last updated May 2021 - estimated reading time 5 minutes

In 2004, Microsoft’s Bill Gates declared the death of the password.

Since then, we have seen security providers start to move toward passwordless authentication, using biometrics and contextual characteristics, to respond to growing password fatigue. 

The bad news?

The battle has just begun.

Verizon’s Data Breach Investigation Report shows that ‘123456’ and ‘password’ remain some of the most commonly used passwords; 10% of people use one of the 25 worst passwords.

The result?

81% of breaches involve the use of weak, stolen or reused passwords.


Protect your passwords: If "123456" is always your password, it's time for a change.

“Passwords are vulnerable,” explains Danna Bethlehem, Product Marketing Director for Access Management Solutions at Thales. “People write them down, meaning they can be stolen, and they are easily hacked.”

More people can also access workplace information through the cloud, which, according to Bethlehem, is much easier to hack into.

"When you move your email to a cloud, the login page to that enterprise email account is then exposed to all," she says.

How to protect passwords?

There are now many ways to better protect our passwords, involving biometrics, SMS authentication and physical security devices.

While SMS messages can notify the user of a login, attackers can circumvent this type of authentication by tricking phone companies into moving a customer's number onto a SIM card in another phone (so-called SIM swapping), so the codes arrive at the attacker's device instead.

One-time passwords (OTPs) tend to be more effective: each code is cryptographically generated from a secret key created during account set-up, and the generator can be a mobile token on a smartphone or a stand-alone device, such as a fob.

Time-based One-Time Password (TOTP) adds an extra level of protection: the code changes after a set period, such as every 60 seconds.

In India, the mAadhaar app on your mobile phone allows you to generate a dynamic OTP instead of waiting for a one-time password to arrive. The app’s algorithm generates a dynamic OTP known as TOTP. The 8-digit code is valid for 30 seconds.

 

However, with the average individual having 90 online accounts, entering a unique password for each one is inconvenient and impractical.

Biometric authentication combines improved security and user experience.

According to analyst Gartner, Touch ID, which is already widely deployed in banking apps, is making its way into other customer and enterprise applications.

The analyst claims that 60% of large and global enterprises will have implemented passwordless methods by 2022.

"Only now are we seeing the development of technological alternatives to passwords that offer both effective security and a convenient user experience," says Danna Bethlehem.

Combining solutions

To enhance security, organizations are now amalgamating approaches.

Looking at an individual's 'digital fingerprint' (the network, device and location of the user's device) means that when unusual activity is detected, such as logging in from an unexpected location, access is denied or a security alert triggered.

Geolocation, IP addresses, the device being used, and keying patterns can create a strong combination to securely authenticate users.

This type of anomaly detection adds context to what would otherwise be a yes/no security decision based on the correct password, token or fingerprint.
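The contextual check described above, as an added example that is not from the page or from Thales: a small risk scorer that compares a login attempt against the user's previous login and known devices, flags an unknown device fingerprint, a change of IP address and "impossible travel" (a distance between two logins that no flight could cover in the elapsed time), and turns the score into allow / step-up / deny. The thresholds, weights and the sample login events are constructed for illustration.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class LoginEvent:
    user: str
    timestamp: int      # unix seconds
    ip: str
    device_id: str      # hashed device/browser fingerprint, as issued at enrolment
    lat: float          # geolocated from the IP
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


# Assumed policy weights (constructed): tune to the organisation's own false-positive tolerance.
UNKNOWN_DEVICE = 40
IMPOSSIBLE_TRAVEL = 50      # faster than any commercial flight
NEW_LOCATION = 20
IP_CHANGED = 10
MAX_PLAUSIBLE_KMH = 900.0
NEW_LOCATION_KM = 100.0


def risk_score(previous: Optional[LoginEvent], current: LoginEvent,
               known_devices: Set[str]) -> Tuple[int, List[str]]:
    """Score a login attempt; higher means more anomalous. Returns (score, reasons)."""
    score, reasons = 0, []
    if current.device_id not in known_devices:
        score += UNKNOWN_DEVICE
        reasons.append("unknown device fingerprint")
    if previous is not None:
        dist = haversine_km(previous.lat, previous.lon, current.lat, current.lon)
        hours = max((current.timestamp - previous.timestamp) / 3600.0, 1.0 / 3600.0)
        if dist / hours > MAX_PLAUSIBLE_KMH:
            score += IMPOSSIBLE_TRAVEL
            reasons.append(f"impossible travel: {dist:.0f} km in {hours:.2f} h")
        elif dist > NEW_LOCATION_KM:
            score += NEW_LOCATION
            reasons.append(f"new location: {dist:.0f} km from last login")
        if current.ip != previous.ip:
            score += IP_CHANGED
            reasons.append("IP address changed")
    return score, reasons


def decide(score: int) -> str:
    """Map the score to an access decision: allow, require a second factor, or deny."""
    if score < 30:
        return "allow"
    if score < 70:
        return "step-up"
    return "deny"


# Constructed sample events: last good login from London on an enrolled device.
KNOWN_DEVICES = {"fp-a1b2"}
LAST_LOGIN = LoginEvent("alice", 1_620_000_000, "203.0.113.10", "fp-a1b2", 51.5074, -0.1278)
SAME_AS_USUAL = LoginEvent("alice", 1_620_003_600, "203.0.113.10", "fp-a1b2", 51.5074, -0.1278)
PARIS_NEW_IP = LoginEvent("alice", 1_620_021_600, "198.51.100.7", "fp-a1b2", 48.8566, 2.3522)
NEW_YORK_NEW_DEVICE = LoginEvent("alice", 1_620_003_600, "192.0.2.44", "fp-zzzz", 40.7128, -74.0060)


if __name__ == "__main__":
    for event in (SAME_AS_USUAL, PARIS_NEW_IP, NEW_YORK_NEW_DEVICE):
        score, reasons = risk_score(LAST_LOGIN, event, KNOWN_DEVICES)
        print(f"{decide(score):8} score={score:3} {reasons}")
```

A correct password on the New York attempt still ends in "deny" because the context does not fit; the Paris attempt gets a second-factor prompt rather than a hard block, which is the trade-off between security and user experience the article is describing. Keying-pattern (behavioural biometric) signals would slot in as another weighted feature.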

"Combining these types of adaptable, adaptive and contextual attributes with biometric capabilities that are native to the device, or with multi-factor authentication is a better way of validating identities," says Bethlehem.

"We are at an exciting point in time where many technologies are converging to enable secure passwordless authentication. I see this trend growing both in the consumer and enterprise space."


The story behind passwords

1961: Fernando Corbató introduces the first computer password while working at the Massachusetts Institute of Technology. The password was for a giant computer called the Compatible Time-Sharing System, which allowed multiple people to sign in. It was developed to limit the amount of time people could spend on the computer.
The 1970s: Cryptographer Robert Morris develops a one-way function for the UNIX operating system (called hashing) that turns a stored password into a scrambled value from which the original cannot be recovered.
2004: Bill Gates announces the death of the password, saying, "There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems. They write them down, and they just don't meet the challenge for anything you really want to secure."
2013: Apple's Touch ID fingerprint scanner is first introduced with the iPhone 5S.
2016: Data for almost 360 million MySpace accounts is offered on the "Real Deal" dark market website, including email addresses, usernames and weakly encrypted passwords.
2017: Microsoft announces four steps to a passwordless future where identity directories no longer persist any form of the password.
2019: 770 million hacked emails and passwords are discovered by security researcher Troy Hunt, who runs the website Have I Been Pwned.
2021: COMB, the largest collection of hacked emails and passwords of all time, is leaked online with 3.2 billion records.
