Each month, our partner Yubico hosts YubiChat, a Twitter conversation where tech companies talk shop about an information security-related topic. When we learned this month's topic — The Passwordless Future is Here: Are You Ready? — you know Duo was eager to get involved. Here's how it went:
What are some pressing pain points that organizations and consumers face when using the standard username and password login?
One of the biggest challenges with passwords is the burden of choosing strong, unique passwords for each site, and then remembering them. Using a password manager can help, but many of these cost money and can be cumbersome to use for non-technical people. Also, passwords rely on sharing a secret with the site, which can be stolen. The industry needs a standard way for people to securely log in without passwords.
What other costs or resources are associated with issuing and managing employee credentials?
Managing employee passwords is an ever-present challenge. For example, enforcing password strength requirements is an area that many organizations struggle with. They try to balance the support costs of resetting passwords with security, which can be tough. Also, many organizations force users to change passwords frequently, which is counterproductive to good password hygiene.
What systems or processes are companies currently using to correct poor password hygiene among employees, and to what extent are they successful?
Recently, the practice of checking passwords against known breached credential lists has become more common, due in part to updated authentication guidance from NIST. This helps to prevent password reuse with known breached credentials. Although effective, this can have privacy and security implications, especially if the password or password hash is sent to a third party.
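To make the privacy trade-off above concrete, here is an added example (not part of the original chat and not Duo's code) comparing what a checking service learns in three designs: sending the full password hash, sending only a short hash prefix (a k-anonymity range query, which goes beyond what the answer describes), and checking against a locally held list. The `ThirdPartyService` class, the sample list and all function names are hypothetical and constructed for illustration.

```python
import hashlib

# Constructed sample corpus standing in for a breached-password list.
BREACHED = ["password", "123456", "qwerty", "letmein"]

def sha1_hex(password: str) -> str:
    # SHA-1 is used only as a lookup key here, never for password storage.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

class ThirdPartyService:
    """Hypothetical remote checker; `seen` records everything sent to it."""
    def __init__(self, breached):
        self.hashes = {sha1_hex(p) for p in breached}
        self.seen = []

    def check_full_hash(self, full_hash: str) -> bool:
        self.seen.append(full_hash)
        return full_hash in self.hashes

    def range_query(self, prefix: str) -> list:
        self.seen.append(prefix)
        return [h[len(prefix):] for h in self.hashes if h.startswith(prefix)]

def is_breached_full_hash(password: str, service: ThirdPartyService) -> bool:
    # The service receives the complete hash and can match or crack it offline.
    return service.check_full_hash(sha1_hex(password))

def is_breached_range(password: str, service: ThirdPartyService, prefix_len: int = 5) -> bool:
    # Only the first few hex characters leave the client; the suffix is compared locally.
    digest = sha1_hex(password)
    prefix, suffix = digest[:prefix_len], digest[prefix_len:]
    return suffix in service.range_query(prefix)

def is_breached_local(password: str, local_hashes: set) -> bool:
    # Nothing leaves the organization; the cost is hosting and updating the list.
    return sha1_hex(password) in local_hashes

if __name__ == "__main__":
    svc = ThirdPartyService(BREACHED)
    print("full hash :", is_breached_full_hash("qwerty", svc))
    print("range     :", is_breached_range("qwerty", svc))
    print("local     :", is_breached_local("qwerty", {sha1_hex(p) for p in BREACHED}))
    print("service saw:", svc.seen)
```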
What specific use cases or industries could benefit from the simplicity of a secure, #passwordless login experience?
Just about every use case or industry that we can think of! If there’s a site or app that uses passwords now, they could benefit from offering a secure, passwordless login experience.
Which online services and applications would you like to see support the #FIDO2 standard for strong authentication?
Any site that allows users to log in or sign up for an account.
How would you like to see the future of #passwordless login evolve?
We’d like to see more sites begin to support passwordless login via WebAuthn and FIDO2 in the coming months. It will take time to get users to switch and feel comfortable with the new login experience, but eventually we’ll dramatically reduce the use of passwords on the web.