The announcements in the past few weeks from Apple, Google and other major consumer companies about transitioning out of the age of passwords were heavy on hype and short on reality. That doesn’t mean there is no way to get rid of passwords. It’s just that the passwordless future is not for you.
Bojan Simic, CEO/CTO of HYPR, differentiates between a “passwordless experience” and passwordless technology. HYPR makes the latter. Almost everything else, possibly including Apple’s passkey, is the former.
“Any technology that requires a shared secret is not truly passwordless, he said, because secrets, in the digital world can be stolen.
Shared secrets include passwords, personal identification numbers, account numbers, multifactor authentication and some biometric data. Some technologies, like password managers, eliminate the need to remember your passwords, but you still need a password to access the password manager, he pointed out. That makes a passwordless experience; it just seems like you aren’t using a password.
HYPR is one of the exceptions. Their technology uses private key encryption for authentication, using a smartphone, hardware token, or computer to access local and online services. That completely eliminates passwords altogether.
The problem is that technology is only available to financial institutions and Fortune 500 companies. “Eventually it will be made to select customers of the companies but it will not be widely available yet,” he said.
HYPR is a big dog in this market, but there are competitors targeting the consumer level. Cyberus Labs, based in Poland, makes a similar product using mobile phones. The phone emits a sonic code based on a one-time pad that identifies the user, but that company has not yet reached a critical mass of acceptance. Before it can be used, there has to be a general acceptance of vendors to offer it with their services.
Change is Hard
But even if that tech was widely available the question is: Would people use it? Sean Wright, an application security advocate working with Featurespace, thinks not.
“It’s encouraging to see that larger organisations such as Apple and Microsoft are attempting to change things up a bit,” he explained. “However, this is an incredibly difficult task ahead, primarily because changing general human behaviour is really difficult. Getting ordinary users to change the way that they authenticate to services is no mean feat and involves several challenges.”
Wright said usability is a big hurdle to overcome is usability. “If we can make things easier for users, there will generally be less friction to using the new method.”
Wright pointed out that passwordless technology, such as FIDO2 tokens and WebAuthn is widely available but adoption is another issue. “The adoption is not only users using the technologies but sites and services supporting the technologies.”
About a quarter of companies use multi-factor authentication (MFA). However, Most of those companies don’t support well-established MFA features (such as time-based one-time passwords).
“I believe that this (adoption) is all going to take time. And as a result, passwords will still likely be around for the foreseeable future.”
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.