No Passwords Required? The Trends of Non-Password Authentication
In the past we’ve talked quite a bit about authentication and what different forms of authentication are required from the user in order to access an application or a device. While authentication factors generally come in three categories and consist of knowledge factors (things we know like a username or a password), possession factors (credentials in physical possession, typically a security token), and inherence factors (identifiable biometric characteristics like irises or fingerprints), if you ask any random passerby what they think of when they think of “privacy” or “security” and at least one of the answers is sure to be related to passwords. As a general rule, whether it’s single-factor, two-factor, or multi-factor authentication, most forms of authentication have traditionally required a username and a password as their primary security factor. That’s because we’ve been conditioned to think that a good password is the key to good security. These ideas are changing, and we’ve even written a blog post regarding what a truly “strong” password is.
The real trend now seems to be a new form of authentication called “non-password authentication.” The idea may baffle people, as we’ve been taught to believe that as long as we remember our passwords and do not reveal them to others, our data will be safe. However, we know now with the advanced hacking and breach methods that hackers employ, a fifteen-character jumble of numbers and characters is an easy hurdle to jump for getting to valuable data. With brute force attacks, a password can be figured out in hours, or sometimes even minutes, regardless of how cryptic you attempt to make it.
While it may be difficult to think of a world without the ever-present fields for “username” and “password” on every login page, most Web users probably already employ some non-password authentication methods. Some of the most common ones are smart cards, biometrics, or an OTP or one-time password (though this may be semi-classified into password authentication).
Noteworthy companies are also starting to realize that passwords are quickly becoming obsolete, and are beginning to look to the once secondary factors in MFA: possession and inherence, with a big pull towards the latter. Microsoft recently rolled out a biometric sign-in for their Windows 10 business and enterprise users, and there are talks of integrating it into all of their models. Apple has had “Touch ID” fingerprint biometric authentication since 2013, and in September 2017 announced that it would begin utilizing “Face ID,” a facial recognition authentication method.
While it may not be the smartest idea to utilize everything and anything when it comes to new and trendy authentication methods, there’s no doubt about it that traditional methods aren’t quite cutting it anymore. However, if you or your organization decides to head towards the trend of non-password authentication, keep in mind that though passwords are being phased out, the age-old need for more than two factors still exists. Look for platforms and applications that have a background in traditional security approaches and are applying those solutions to current-day issues. Companies still need to consider the best ways to implement comprehensive security over the pure hype of biometric authentication. Choosing to transition towards biometric authentication however, will hopefully ensure that you won’t have to remember any passwords ever again, and that you’ll also rest a little bit easier at night knowing your information will remain safe.