The Life and Death of Passwords: Toward a Passwordless Future
Our upcoming documentary, “The Life and Death of Passwords,” explores with industry experts the history of passwords, why passwords have become less effective over time, and how trust is established in a passwordless future. With its release, we’re taking a trip through time, from digging into the early days of passwords to imagining the passwordless potential that lies ahead.
Today: Our panel of experts share what excites them about a passwordless future, the technical milestones to get us there, and whether we’ll truly say goodbye to passwords.
The Passwordless Tipping Point
What is helping to move passwordless from more of an enterprise-level solution to something that an average person uses regularly?
As a senior software engineer on the Duo Single Sign-On platform at Cisco Secure, Christi Volny’s work plays an important role in getting to this point:
“If we look at the history of multi-factor authentication for cloud services, what we see as we’ve moved toward is more of a single sign-on model or social login being the new popular item. You’ll start to see that services that previously would’ve been difficult to implement passwordless or multi-factor or some other non username- and password-based authentication (on), they can now rely on third-party authenticators that can enable them to adopt passwordless multi-factor. So in the same way that switching to logging in with your Twitter or Google account allows you to introduce MFA into your login process, switching to services that provide passwordless single sign-on will also empower adoption for more services.”
How does passwordless play with legacy use cases?
Ted Kietzman, a product marketing manager with expertise in bringing passwordless to market, considers how something like virtual private networks fits into a passwordless paradigm: “Most people have logged onto a virtual private network for work. It’s a way that remote access has traditionally worked, and VPNs are now starting to support SAML, which is a protocol that federates the credentials. (...) So you could say, ‘Do we go back and do a lot of work on all these legacy use cases to make passwordless fit those? Or do we expect some of those use cases to start supporting modern protocols and we just optimize passwordless for the modern protocols?’
I think you have to look to the future and try to engender adoption of the newer protocols, modern protocols, and really serve those well so it makes the experience really good. And in cases that are really fundamental, maybe you need to support legacy use cases here and there. You build backwards a little bit, but I would say as far as those gaps go, I’m hopeful that those gaps will be filled by those legacy applications or other use cases starting to support modern protocols versus building backwards into the gaps.”
What other milestones are helping evolve passwordless from aspirational to implementable?
Christi Volny emphasizes the importance of standardization, both technically and interpersonally, in helping enable wider adoption: “What started in 2008 as mobile transactions with your fingerprint later were ratified into specs such as FIDO and FIDO2. This gives device vendors, service providers, identity providers, a model to be able to communicate between one another. So rather than every vendor coming up with their own solution of how to perform passwordless, we now have tools like WebAuthn that standardized how you’re going to do passwordless authentication. These are the sort of controls and requirements that are put in place that say, ‘Yeah, I can trust this hardware token to be unbreakable or intractably hard to break into.’ I think like any other time, humans need to talk to other humans or systems to other systems. We need to develop a common framework and language to be able to communicate. And specifications are the ways that we do that in computer technology.”
Who will be most impacted by passwordless?
Nick Steele, Research Lead at Superlunar and co-chair of the WebAuthn Adoption Community Group, shares why organizations will be affected first, followed by consumers:
“A lot of new technology seems to go this way. But organizations are already making use of WebAuthn, and there’s already a lot of use in the consumer space. If you use login.gov, which is one of the biggest login portals for the US government right now, they’ve actually begun to use WebAuthn for handling second factor authentication.
More and more consumer-side companies are making it available, because it doesn’t only help the user to have passwordless authentication. It also is compelling for your bank to have better authentications. It’s compelling for services where you losing money will erode trust or prevent you from using their service again. So it’s really a two-way street, right? It doesn’t just benefit the user to have no passwords. It benefits the organization that they’re doing business with to provide better security as well.”
Visions of a Passwordless Future
Wolfgang Goerlich, advisory CISO at Cisco Secure, is excited at the possibility of being the bearer of good news:
“As a security professional, very rarely have I been able to show up and say, ‘Hey, I’m going to make your life better.’ Usually I show up and people scramble. Sometimes I hide under desks. It’s a little uncomfortable for them. It’s a little uncomfortable for me. But with passwordless, we really are able to do more for them as we’re doing more for the security of the environment.
Now we have to do it in a way that is not just passwordless. It’s not just dropping the password but is also at the same time bolstering the entire authentication, building more trust in the entire authentication. What is glorious about all that is, it’s transparent and invisible to the end user. So we can do more, we can serve people better by the same time, increasing these security properties.”
Ted Kietzman eagerly awaits the passwordless login experience:
“I’m excited about not having to remember passwords anymore. (...) It’s a really annoying thing to feel like I have these passwords, and even me as a security professional, I reuse or add on a word. Maybe I know not to just add on one number at the end, so I’ll add on a phrase or something like that, but my memory only works so well, and I know I'm flawed that way. So not having to remember passwords, not having to have one for here and one for here and then rotate this one and I’ve forgotten and resetting them because I've forgotten. I'm really excited about that.”
Christi Volny imagines how passwordless will allow him to make a bigger impact as a system designer and developer:
“I’m interested in building a safer internet, and this is one of the easy wins that we can accomplish that through. As we know from [the Verizon 2022 Data Breach Investigations Report], over 80% of all computer breaches, passwords are responsible for in part. And so if we can attack that low-hanging fruit and replace it with something more robust, that’s a big win for all of us.”
Parting Ways with Passwords
Our experts agree that passwords aren’t going anywhere for now, but passwordless adoption will continue to grow and the user experience in a hybrid environment will continue to improve:
Wolfgang Goerlich highlights that there’s a lot of infrastructure and use cases that still require passwords:
“In an ideal world, we say goodbye to passwords altogether. They don’t work. We’ve got six decades of proof of that. But along that way in six decades, we’ve built up a lot of systems, a lot of systems that have passwords, a lot of infrastructure. When organizations go through modernization, they don’t replace everything. There are use cases that will still need passwords into the near future — such as shared accounts, system accounts, service accounts — and so for a variety of reasons, a password is going to persist.
So in the next couple years, what we want to do is look for customer-facing, look for workforce-facing use cases, where we can replace that password, give them a better experience, and reduce the risk of those credentials being stolen while we maintain the hybrid environment into the future.”
Nick Steele reminds us that passwordless isn’t necessary for every use case and that passwords can still come in handy:
“Local passwords are still fairly secure. And there’s a lot of use cases where having a shared key is actually pretty, pretty useful. I don’t see them going away really anytime soon, especially given the long tail of technology on the internet. But I definitely see more and more people and organizations getting comfortable with the adoption and inclusion of passwordless.”
Ted Kietzman has heard from plenty of customers who are eager to move beyond passwords but acknowledges we need better solutions first:
“The answer today is you can’t (get rid of passwords fully) because there are all these use cases that we don't have great solutions for. In order to get fully rid of passwords, we’re going to need solutions that help us register, transfer trust between devices, and make all of that happen without a password being used to bootstrap trust. Right now, in a lot of cases, you still need a password to bootstrap trust to create a new passwordless credential.
Once you have a new solution that says I can create a passwordless credential from scratch without this trust that was born out of having a password, that will be one key method that will get us to no passwords ever. Another one is if these legacy use cases start supporting modern protocols so that everything speaks SAML, or OIDC, or these cases where passwordless can be used really easily. Until those use cases move into this modern protocol era, or we have a really good solution for the bootstrapping of trust and transferring of trust in the passwordless world, passwords will still be around.”