In 2004, Microsoft’s Bill Gates declared the death of the password. Since then, security providers have moved toward passwordless authentication, using biometrics and contextual signals, in response to growing password fatigue.
Verizon’s Data Breach Investigations Report shows that ‘123456’ and ‘password’ remain among the most commonly used passwords, that 10% of people use one of the 25 worst passwords, and that 81% of breaches involve weak, stolen or reused passwords. “Passwords are vulnerable,” explains Danna Bethlehem, Product Marketing Director for Access Management Solutions at Thales. “People write them down, meaning they can be stolen, and they are easily hacked.”
More people are also able to access workplace information in the cloud, which, according to Bethlehem, is much easier to hack into. "When you move your email to a cloud, the login page to that enterprise email account is then exposed to all," she says.
Protecting our passwords
There are now a number of ways to add protection on top of passwords, using biometrics, SMS codes and physical security devices.
SMS codes can notify the user of a login and supply a second factor, but attackers can circumvent them by tricking the phone company into moving the victim's number onto a SIM card the attacker controls (SIM swapping). One-time passwords (OTPs) generated on the user's own device tend to be more effective: each code is derived cryptographically from a secret key shared during account set-up, and the generator can be a mobile token app on a smartphone or a stand-alone device such as a fob. However, with the average individual having 90 online accounts, entering a separate code for every login can be inconvenient and impractical.
Biometric authentication combines improved security with a better user experience. According to analyst firm Gartner, fingerprint login such as Touch ID, already widely deployed in banking apps, is making its way into other customer and enterprise applications. Gartner also predicts that 60% of large and global enterprises will have implemented passwordless methods by 2022.
"Only now are we seeing the development of technological alternatives to passwords that offer both effective security and a convenient user experience," says Bethlehem.
To enhance security, organizations are now combining approaches. Examining an individual's 'digital fingerprint' (the network, device and location from which they connect) means that when unusual activity is detected, such as a login from an unexpected location, access can be denied or a security alert raised. This kind of anomaly detection adds context to what would otherwise be a yes/no decision based solely on a correct password, token or fingerprint.
"Combining these types of adaptable, adaptive and contextual attributes with biometric capabilities that are native to the device, or with multi-factor authentication is a better way of validating identities," says Bethlehem. "We are at an exciting point in time where many technologies are converging to enable secure passwordless authentication. I see this trend growing both in the consumer and enterprise space."
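The contextual layer described above can be made concrete as a small risk engine that runs after the first factor succeeds. The following is an added example, not code from the article or from Thales: it scores a login against the user's history on three signals (known device, familiar network, and "impossible travel", i.e. a distance that could not have been covered since the previous login) and maps the score to allow, step-up challenge, or deny. The `LoginAttempt` records, the speed limit of 900 km/h, the 100 km jitter floor and the score thresholds are all assumptions chosen for illustration; a real deployment would tune them and use a proper geolocation source.

```python
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    ts: int             # Unix time of the attempt
    net: str            # /24 of the source address, e.g. "203.0.113" (constructed)
    device_id: str      # device fingerprint or registered-device cookie
    lat: float
    lon: float
    first_factor_ok: bool   # password / token / biometric already verified?


# Assumptions for this example: nothing legitimate travels faster than an
# airliner, and geolocation jitter inside a city is not "travel".
MAX_PLAUSIBLE_SPEED_KMH = 900.0
MIN_TRAVEL_KM = 100.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def assess(history: list[LoginAttempt], attempt: LoginAttempt) -> tuple[str, list[str]]:
    """Return (decision, reasons) where decision is 'allow', 'challenge' (step-up MFA) or 'deny'."""
    if not attempt.first_factor_ok:
        return "deny", ["first factor failed"]

    score, reasons = 0, []
    mine = [h for h in history if h.user == attempt.user]
    if attempt.device_id not in {h.device_id for h in mine}:
        score += 2
        reasons.append("unknown device")
    if attempt.net not in {h.net for h in mine}:
        score += 1
        reasons.append("unfamiliar network")

    prior = [h for h in mine if h.ts <= attempt.ts]
    if prior:
        last = max(prior, key=lambda h: h.ts)
        km = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
        hours = (attempt.ts - last.ts) / 3600
        # Distance that could not have been covered since the last login.
        if km > MIN_TRAVEL_KM and km > MAX_PLAUSIBLE_SPEED_KMH * hours:
            score += 3
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")

    if score == 0:
        return "allow", reasons
    if score < 3:
        return "challenge", reasons
    return "deny", reasons


# Constructed history: one prior login for "alice" from London.
HISTORY = [LoginAttempt("alice", 1_700_000_000, "203.0.113", "dev-A", 51.5074, -0.1278, True)]

# Constructed attempts one to two hours later.
SAME_CONTEXT = LoginAttempt("alice", 1_700_003_600, "203.0.113", "dev-A", 51.5074, -0.1278, True)
NEW_NETWORK = LoginAttempt("alice", 1_700_003_600, "198.51.100", "dev-A", 51.5074, -0.1278, True)
NEW_DEVICE = LoginAttempt("alice", 1_700_003_600, "203.0.113", "dev-B", 51.5074, -0.1278, True)
FROM_SYDNEY = LoginAttempt("alice", 1_700_007_200, "198.51.100", "dev-B", -33.8688, 151.2093, True)

if __name__ == "__main__":
    for label, attempt in [("same context", SAME_CONTEXT), ("new network", NEW_NETWORK),
                           ("new device", NEW_DEVICE), ("from Sydney", FROM_SYDNEY)]:
        print(f"{label:13s} -> {assess(HISTORY, attempt)}")
```

The point of the three-way outcome is that context rarely proves fraud on its own: a new network alone should cost the user a second factor, not access, while a physically impossible relocation on an unknown device is strong enough to block and alert.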