The Inevitable Path to a Passwordless Future

The year is 1960. Fernando Corbató, a computer science pioneer at MIT, invented the first digital password. Fast forward to 2024, and these guardians of our digital lives are starting to look a bit worn around the edges. In an era of ever-evolving cyber threats, is it time to consign passwords to the history books?

The answer, for many experts, is a resounding yes. Passwords, once a seemingly secure solution, are now riddled with vulnerabilities. The sheer number of accounts people maintain, coupled with the pressure to create complex, unique passwords, often leads to reused credentials, a.k.a. a hacker’s dream. Even strong passwords, like complex passphrases, can be compromised through phishing attacks or data breaches.

The inconvenience factor is another drawback. Remembering a multitude of passwords creates friction, leading to frustrated users and even lost business opportunities. In fact, 60% of global consumers have abandoned services due to cumbersome login processes.

A passwordless future

The encouraging news is that a passwordless future is no longer science fiction: advances in technology mean biometrics and device verification are taking centre stage.

Multi-factor authentication (MFA), when implemented effectively, offers a robust layer of defence. Imagine a system that requires not just a password, but also a one-time passcode generated on a mobile phone or fingerprint verification. Suddenly, the task of impersonating a legitimate user becomes exponentially more difficult for cybercriminals.

The strongest MFA solutions eliminate passwords altogether, relying solely on biometrics and device recognition. This approach minimises the attack surface, making unauthorised access nearly impossible. At the same time, it gives users greater convenience, letting them log in easily with an email link, an authenticator app, or a method they’re probably already using daily, such as the face scan on their phone or Touch ID on their laptop.

While this all sounds very appealing, several hurdles remain. Integrating passwordless solutions with legacy systems can be a complex undertaking, and businesses often have a mix of older and newer technologies, making a seamless transition challenging.

Fear of change can also be a barrier. However, as biometric authentication becomes increasingly commonplace on smartphones and laptops, user comfort with these technologies is steadily growing.

The path to a passwordless world requires a strategic approach. Businesses can begin by implementing single sign-on (SSO) solutions, allowing users to access multiple platforms with a single set of credentials. This can be further bolstered by layering on MFA with passwordless options.

For new businesses, the passwordless approach offers a significant advantage. Eliminating passwords altogether removes the risk of password leaks and simplifies the user experience, leading to faster onboarding and reduced support costs.

While transitioning to a passwordless future may necessitate initial investment and process changes, the long-term benefits are undeniable. Enhanced security, happier customers, and a streamlined user experience are all within reach.

In today’s competitive landscape, few businesses can afford to ignore the compelling arguments for leaving passwords behind.

Reduced Password-Related Support

Passwords are not just insecure; they’re expensive. It’s estimated that a third of helpdesk calls are related to password resets, and some estimates are even higher. A recent consumer study found that consumers’ top complaint about passwords is that they have too many to keep track of and that they need to be updated frequently, at a cost to the business. Forrester Research estimated that each password reset was costing organisations around US $70 a pop.

The key driver? Better security

The move towards a passwordless future isn’t just about convenience; it’s about bolstering security in the face of a constantly evolving threat landscape.

Cybercriminals are relentless in their pursuit of vulnerabilities, and passwords are a prime target. Brute-force attacks, phishing scams, and malware all exploit the inherent weaknesses of passwords.

Data breaches are another major concern. Millions of usernames and passwords are compromised on a regular basis, often forming the foundation for large-scale credential stuffing attacks. In a passwordless world, stolen data becomes significantly less valuable to cybercriminals. Biometric data, such as fingerprints or facial scans, is unique to each individual and cannot be easily replicated.

Indeed, by eliminating the password, you eliminate all these threats. Moreover, because login credentials are never transmitted over the internet, there is no threat of interception.

Trust is at the core

The success of a passwordless environment hinges on user trust. Consumers need to be confident that their biometric data is being handled securely, so transparency and robust data privacy regulations are crucial.

Indeed, today’s enterprises are under intense pressure to implement security measures that protect personal data in compliance with global and local data protection regulations. Passwordless can help, as it requires no collection and storage of passwords. It actually reduces the amount of personal data organisations hold about their customers, a key ask from consumers following multiple recent data breaches in Australia.

Businesses must clearly communicate how they are collecting, storing, and using biometric data. Users should have complete control over their information, with the ability to opt in to or opt out of passwordless authentication methods.

While biometrics are at the forefront of passwordless authentication, the future may hold even more innovative solutions. Behavioural biometric authentication, which analyses typing patterns or mouse movements, offers an additional layer of security.

The rise of connected devices also opens up possibilities for contextual authentication. Imagine a scenario where a smartwatch automatically verifies your identity when you attempt to log in to your computer on a familiar network.

A Collaborative Effort For Attaining Multiple Benefits

The benefits of passwordless can be appreciated in today’s workplaces by anyone who has ever interacted with a password, from IT security leaders to everyday employees, including:

  • Removes the need for users to create and remember a password
  • Provides a simpler registration and login experience
  • Delivers better security than passwords and resistance to identity attacks like phishing
  • Saves organisations money by eliminating helpdesk tickets related to password resets
  • Prevents account lockout and shopping cart abandonment

However, the transition to a passwordless future requires a collaborative effort between technology companies, businesses, and policymakers. Standardisation is key to ensuring interoperability between different passwordless solutions.

Businesses need to invest in the necessary infrastructure and employee training to make the switch. Policymakers have a role to play in establishing clear guidelines around data privacy and security for biometric authentication.

Ashley Diffey, Vice President Australia and New Zealand at Ping Identity
Ashley Diffey is a passionate leader with over 20 years of experience in B2B sales, key account management and business development in both the finance and ICT/telecommunications industries, specialising in security, data, communications, SaaS and hosted software. As Vice President Australia and New Zealand at Ping Identity, Ashley is responsible for accelerating sales and bolstering customer support and services to continue driving the increasing demand for Ping Identity’s solutions in the region. He works with organisations to achieve Zero Trust identity-defined security and more personalised, streamlined user experiences. In addition, he works closely with customers to provide flexible identity solutions that accelerate digital business initiatives, delight customers, and secure the enterprise through multi-factor authentication, single sign-on, access management, intelligent API security, directory, and data governance capabilities. Prior to joining Ping Identity, Ashley worked at leading ICT/Telecommunication companies, including F5 Networks, Commvault and Telstra. During his tenure at F5 Networks, he oversaw the organisation’s southern regional channel and Telstra partnership. He was also Director for Channel Sales Australia and New Zealand at Commvault.