The Life and Death of Passwords: How Passwordless Is Evolving
Our documentary, “The Life and Death of Passwords,” explores with industry experts the history of passwords, why passwords have become less effective over time, and how trust is established in a passwordless future. With this interview series, we take a deeper dive into their insights and share bonus footage.
Today: Ted Kietzman, a former product marketing manager for Cisco Duo, ponders passwords as a lost cause, the value of feedback for usability, and how passwordless technology is evolving.
Problems with password-based security
Chrysta: What are some of the functional problems with passwords from the user’s perspective?
Ted: Passwords have a bunch of problems from a user perspective. They’re really annoying to remember. You have to keep them in your brain, which ends up being a pain. And over time, it’s been a requirement that they have to get more and more complex, or you have to rotate them more often. All those things make it harder for me. And then I also just don’t like to type them. It’s annoying for my fingers.
Why is a shift to passwordless necessary? Couldn’t we just fix passwords instead?
Passwords are kind of a lost cause in a way in terms of trying to fix them. They had a use for a long time, which is that your brain is portable and you can bring it to different places. But they’re so replayable, and they’re very easy to attack on a grand scale. That defect is always going to be true.
And passwordless takes away that massive attack, or being able to do it remotely at a grand scale, because it’s individual, it’s linked to devices, it’s linked to your personal being and those things make it much more secure. So why try to fix something that’s inherently flawed by this ability to attack it at scale when you can move to something that’s much more secure and also easier to use?
Usability is something that is getting talked about more. But for a long time, it wasn’t a central focus in the conversation around what’s important for security to design. What makes functionality or usability – intuitive design – so important for functional security?
I think there was this onerous iron-fist attitude about security for a long time where somebody would say, “Hey, you have to do this.” If somebody has to do something and it’s annoying, smart people in particular tend to say, “I’m going to get around that. I’m going to do something else. I’m going to figure out a sneaky way to make this easier for me in my day to day. I’ll log in from somewhere else, I’ll do something where I don’t have to go through this gate.”
And so if you can make the secure way to do something also the easy way to do something, it’s this two birds with one stone where you both increase the adoption of security and the value of those securities and make people actually want to do it.
Can you give a couple of examples of what that manifests in terms of passwords? So, the iterative passwords, the minimum viable, then adding “1, 2, 3”?
I think the one that we all know is there’s a security control that says reset your password a lot. Or rotate your password, because we want you to have a new one and if an attacker got your last one in some breach somewhere else, maybe they’ll try to use it here. And so you should change your password here.
Everyone goes, “Well I’m going to use my same address and I’m going to add on a new digit to the end. I’m going to use my mother’s maiden name and I’m going to add on a different date at the end.” And so it doesn’t really change the security value of that password because it’s pretty easy to guess that next, but it’s easy for us to remember. This requirement, the security control that’s adding friction, ends up actually decreasing the security because it doesn’t add any security value and you’re adding friction for the end user.
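The pattern Ted describes (a rotated password that is the old one plus a digit or date) is something a defender can detect at the point where the new password is set. The check below is an added example in Go; it is not code from the interview or from any Duo product, and the stem() heuristic, its four-character threshold and the sample passwords are this example's own assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// stem lower-cases a password and strips the trailing digits, punctuation and
// symbols that people typically append when forced to rotate, so that
// "Summer2023!" and "Summer2024!" both reduce to the stem "summer".
// (Heuristic chosen for this example; not a standard.)
func stem(pw string) string {
	s := strings.ToLower(pw)
	return strings.TrimRightFunc(s, func(r rune) bool {
		return unicode.IsDigit(r) || unicode.IsPunct(r) || unicode.IsSymbol(r)
	})
}

// IsTrivialRotation reports whether the proposed password is a trivial
// derivative of the previous one: identical stems, or one stem containing the
// other (only considered when the shorter stem has at least 4 characters, so a
// one-letter coincidence does not trigger it).
func IsTrivialRotation(previous, proposed string) bool {
	p, q := stem(previous), stem(proposed)
	if p == q {
		return true
	}
	shorter := p
	if len(q) < len(shorter) {
		shorter = q
	}
	if len(shorter) < 4 {
		return false
	}
	return strings.Contains(q, p) || strings.Contains(p, q)
}

// CheckRotation applies the check against the whole stored history and returns
// an empty string when the proposal is acceptable, or a reason when it is not.
func CheckRotation(history []string, proposed string) string {
	for _, old := range history {
		if IsTrivialRotation(old, proposed) {
			return "new password is a trivial variation of a previous one"
		}
	}
	return ""
}

func main() {
	// Constructed sample history for the demo.
	history := []string{"MaidenName1990", "Summer2023!"}
	for _, candidate := range []string{"Summer2024!", "maidenname2001", "correct horse battery staple"} {
		if reason := CheckRotation(history, candidate); reason != "" {
			fmt.Printf("%-30q rejected: %s\n", candidate, reason)
		} else {
			fmt.Printf("%-30q accepted\n", candidate)
		}
	}
}
```

The point of running it is to see that the rotation control on its own adds no security: both "Summer2024!" and "maidenname2001" are rejected only because the check looks at the stem, which is exactly what a guessing attacker would also key on.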
Making passwordless work
Chrysta: What are the behind-the-scenes improvements or technological developments that the average person may not know about that have taken passwordless from aspirational to a more achievable solution?
Ted: What it’s doing is it’s replacing that “something you know” factor with something you are and something you have. Or, in the authentication 101, something you know, something you have, something you are. And to do that, to bind your authentication and your identity to something you have. So that’s one thing: The rise of the FIDO2 protocol, binding your authentication identity to a device via cryptographic keys in the background.
The second part is the improvement of biometrics, which we now know on our phones, whichever type of phone you’re using. And on many laptops, you have touch IDs, face IDs, biometrics that are usable for a long time. They’re not perfect yet, but we’re betting the reason that we think passwordless will be more and more viable is they’re only going to get better. Moore’s law: Only get better over time. Whereas 10 years ago they were practically unusable, now they’re pretty usable and in 10 years from now, we see them as being highly efficacious and something that you can use super easily.
Talk us through a typical passwordless login flow. How does it differ from a traditional password use, and what makes it easier for the user?
Passwordless login flow is exceedingly easy [...] and the reason is that it’s just: You touch a TouchID, you do FaceID, and you’re logged in. And people go, “That sort of seems like magic.”
What’s cool about passwordless is the login flow feels like one step, but what’s really going on is that the biometric is unlocking the key on the device. So the device is one of the factors and the biometric is the second. The other big part of it is you’re not typing that much. You’re not typing a password and you don’t have to remember a password. You’re maybe looking down at your phone or placing your finger on something.
So to make that all short, you go to a site, you touch something on your phone or device, and you’re through. Very secure.
What are some of the most common myths or misconceptions that you run into about passwordless technology and what do they get wrong?
One would be that it just removes the password and doesn’t add anything else to it. But passwordless is much more than just removing a password from the flow. It’s actually adding in that cryptographic key and the secondary factor of the biometric or pin.
Another myth is around the security or privacy with biometrics. Basically, what I tell people is the authentication provider never needs to see your biometric. We don’t store any of them. And the reason for that is it’s performed locally at the device you’re using as an authenticator.
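To make the flow described in these answers concrete (the biometric unlocks a key that never leaves the device, the provider stores only a public key and never sees the biometric, and a captured login cannot be replayed the way a password can), here is a simulation in Go. It is an added example, not code from the interview, from Duo, or from the WebAuthn/FIDO2 specifications: the Authenticator and RelyingParty types, the userPresent flag standing in for a local biometric or PIN check, the origin strings and the credential ID are all constructed for this example, and the origin hash stands in loosely for WebAuthn's rpIdHash/clientDataHash rather than reproducing the real message format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device. The private key is generated here
// and never exported; userPresent is the outcome of the local biometric/PIN
// check (a plain flag in this example).
type Authenticator struct {
	priv        ed25519.PrivateKey
	userPresent bool
}

// RelyingParty models the web application. It holds only public keys, plus a
// record of challenges already consumed so an old assertion cannot be replayed.
type RelyingParty struct {
	pubKeys map[string]ed25519.PublicKey // credential ID -> public key
	used    map[string]bool              // consumed challenges
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{pubKeys: map[string]ed25519.PublicKey{}, used: map[string]bool{}}
}

// Register creates the device-bound key pair; only the public half reaches the RP.
func (a *Authenticator) Register(rp *RelyingParty, credID string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a.priv = priv
	rp.pubKeys[credID] = pub
	return nil
}

// NewChallenge issues fresh random bytes for one login attempt.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData binds the challenge to the origin the user is actually talking to.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	return append(h[:], challenge...)
}

// Assert is the "touch the sensor" step: the biometric gate must pass before the
// key is used, and what is produced is a signature, not the biometric itself.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	if !a.userPresent {
		return nil, errors.New("local biometric/PIN check failed; key stays locked")
	}
	return ed25519.Sign(a.priv, signedData(origin, challenge)), nil
}

// Verify checks the signature against the stored public key and refuses
// challenges that were already used.
func (rp *RelyingParty) Verify(credID, origin string, challenge, sig []byte) bool {
	if rp.used[string(challenge)] {
		return false
	}
	pub, ok := rp.pubKeys[credID]
	if !ok || !ed25519.Verify(pub, signedData(origin, challenge), sig) {
		return false
	}
	rp.used[string(challenge)] = true
	return true
}

// Demo registers one credential and reports the outcome of four login attempts:
// a genuine one, a replay of it, an assertion made for the wrong origin, and an
// attempt with the biometric gate closed.
func Demo() (genuine, replayed, wrongOrigin, withoutBiometric bool) {
	rp := NewRelyingParty()
	dev := &Authenticator{userPresent: true}
	const cred, origin = "cred-1", "https://app.example" // constructed values
	if err := dev.Register(rp, cred); err != nil {
		return
	}
	ch, _ := rp.NewChallenge()
	sig, _ := dev.Assert(origin, ch)
	genuine = rp.Verify(cred, origin, ch, sig)
	replayed = rp.Verify(cred, origin, ch, sig) // same assertion again
	ch2, _ := rp.NewChallenge()
	sig2, _ := dev.Assert("https://evil.example", ch2) // signed for another origin
	wrongOrigin = rp.Verify(cred, origin, ch2, sig2)
	dev.userPresent = false
	ch3, _ := rp.NewChallenge()
	_, err := dev.Assert(origin, ch3)
	withoutBiometric = err == nil
	return
}

func main() {
	g, r, w, b := Demo()
	fmt.Printf("genuine=%v replayed=%v wrongOrigin=%v withoutBiometric=%v\n", g, r, w, b)
}
```

Only the first attempt succeeds. Note what the relying party holds after this runs: a public key and a list of spent challenges, nothing that could be replayed elsewhere and nothing biometric, which is the substance of the "we don't store your biometric" answer above.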
Let’s shift gears a little bit and talk about engineering and usability. Why is it so important to gather user feedback throughout the development and refinement of security changes like a shift to passwordless?
User feedback is really important generally. I think in the case of authentication, it’s even more important because an authentication technology is in the hands of a lot of people. We work in security.
So you have to do two things on the user feedback: Address anything that might be causing them friction or drag their feet, and stay with the old thing that they know really well. And then also show them what the benefit is and make it easy for them to take that step into something that’s new.
What are some examples of surprising feedback that you received from user research, whether that is users finding a process easier or harder than you expected or running into a roadblock that you hadn’t anticipated?
People are sometimes unfamiliar with their biometrics still. It’s also just the truth of the matter that some people don’t even think about MFA as a thing yet. So if you think about the user population and the feedback that we get, we’re trying to build for the most people that we can, we want the solution to be accessible and understandable, but some people are still just using a username and password and they think that’s fine and they don’t understand... So you’re educating them on the security of adding a second factor generally.
The future of passwordless
Chrysta: Where do you see passwordless evolution going from here? What do you see the average user’s experiences looking like five to ten years from now?
Ted: Right now, passwordless is bound by biometrics in one way. They’re improving drastically, that is true, but not every device has them and not every device has them in a way that’s really easy to use. And so, as biometrics increase their prevalence on devices that are used for work, devices that are used in your home life, that’s going to make passwordless adoption easier in the next two to five years.
Passwordless is really good at authenticating to web applications and really good if you have a mobile device or a device that has a biometric on it that’s pretty effective. But that footprint will need to expand for a passwordless to really take off.
A last piece would be the idea of what happens when you lose your device? So what happens to your passwordless credential that’s bound to your device, because this is how this works, if you lose it? The case of enrolling or registering or re-registering is still a friction point for passwordless. And as a solution to that improves, we’ll also see more passwordless adoption, I think.
Looking at these inflection points and how passwordless is evolving and becoming more common, obviously the prevalence of biometrics is a really big step. The availability of these standards like WebAuthn is a really big step. Do you see any particular use cases that will be another one of those pivotal steps?
FIDO2 just came out with an announcement that I think is really big for passwordless, which is multi-device credentials and cross-platform credentials. Right now you can use the touch ID on your Mac to log into a bunch of web applications on your Mac. What they’re saying - and that’s limited to one case - you have to be on this Mac and then you’ve created a credential here you can log into a bunch of web applications that wouldn’t normally take passwordless.
Where the technology is going is you can use a credential that’s been created on your mobile device, on your phone - maybe it’s Apple or Android - and you can use that whether it’s a Mac device, a Chromebook, a Windows device. And that makes it really easy because you’re carrying around basically a wallet of credentials that you can use at any device that you walk up to. The portability of a passwordless credential, I think, is going to be a big step in adoption.
Another piece is this, where does the passwordless authentication happen? To get that passwordless login at the point of the OS or operating system, and then transfer that trust through to the web applications therein, you get this really seamless experience of: Log in once to my computer and everything behind that, I’ve transferred the trust from one really secure passwordless login to all of those things. So I think that will also be an inflection point that will make people really want to use passwordless and it will make it really effective in our day to day lives.
What are you most excited about as these methods become more common and a part of everyday security for organizations and users?
I’m excited about not having to remember passwords anymore. It’s a really annoying thing to feel like I have these passwords, and even me as a security professional, I reuse or add on a word. Maybe I know not to just add on one number at the end, so I’ll add on a phrase or something like that, but my memory only works so well, and I know I’m flawed that way. So not having to remember passwords, not having to have one for here and one for there, and then rotate this one, and I’ve forgotten and resetting them because I’ve forgotten. I’m really excited about that.
I’m also really excited for passwordless to be more prevalent. I understand now that the technology is still expanding its footprint and for it to be in that area where I can do it once on my mobile phone and get into my login here on my work computer, log in here on my personal computer, because I’ve created a bunch of passwordless credentials on my mobile device that’s holding it as a wallet, I’m really excited about that.
Will we ever be fully rid of passwords, or how close do you see us getting?
The idea that we get rid of the password fully is something that customers come to me today about, or people in the industry are really interested (in). In order to get fully rid of passwords, we’re going to need solutions that help us register, transfer trust between devices, and make all of that happen without a password being used to bootstrap trust. Until those use cases move into this modern protocol era, or we have a really good solution for the bootstrapping of trust and transferring of trust in the passwordless world, passwords will still be around.
For an average user who’s currently stuck using passwords for some of the most important and private personal information, what tools or best practices do you recommend?
If you’re a user today who’s just using passwords on something and you’re like, “Why would I take that only factor away? Or what is passwordless at all?” there are some things to start doing generally. And I think one is to place traditional multi-factor on anything where it’s just a password. Do that today, add a second factor. It just adds security to those accounts. After that, I think it’s really starting to do things like have a vault where you store your passwords, pre-filling passwords. And then trying, wherever you can, start adopting passwordless.
One thing I’ve been really heartened to see is on the consumer side, passwordless is coming along a little quicker than in your working life sometimes. A lot of people can use their biometric on their device to log into their banking application. And I’m actually excited by that because I think it’ll make somebody, with the consumerization of IT, which we’ve seen basically the idea that people, what they see in their personal lives, they want to have their working experience or their working resources be like. If you adopt passwordless in your personal life and then get excited about that, and maybe even complain a little bit in your working life, passwordless will start to happen in your working life as well.