Some people can’t stop talking about the death of the password. Passwords are old, insecure, and easily leaked. Soon, we’ll all be using biometrics, hardware security keys, and other futuristic solutions—right? Well, not so fast.
We spoke to 1Password’s chief of security, Jeffery Goldberg, who said he’s, “cautiously optimistic that this time we might see a dent in the password problem.”
That’s the optimistic take—and it’s far from the death of passwords.
Why People Want to Kill the Password
When discussing the company’s goal of “Building a world without passwords,” back in May 2018, Microsoft’s Security Team wrote:
“Nobody likes passwords. They are inconvenient, insecure, and expensive. In fact, we dislike them so much that we’ve been busy at work trying to create a world without them—a world without passwords.”
Passwords have become more annoying over time, and we’ve all become wise to the risks of reusing one. If you use the same password on multiple sites and there’s a password leak, yours can be used to access your account on another website. So, you need to choose a strong, unique password for each service you use. Gone are the days of reusing a short, simple password on a handful of websites.
For most people who don’t have superhuman memories, it’s impossible to remember a strong, unique password for every online account. That’s why we recommend password managers—they remember all those strong, unique passwords for you. You just have to remember your master password which is much easier than remembering 100, and much more secure than reusing the same one.
Even with a password manager, though, this isn’t completely secure. Someone with a keylogger on your system could capture your password and log in as you. This is why services add additional security. We often type a password and then have to authenticate a second time with a code or key.
Is there a better way?
What Could Replace the Password?
Goldberg said he’s seen “scheme after scheme” proposed to kill passwords over the last twenty years—many of which didn’t learn from what had failed in the past. But newer ones might have a better chance of succeeding due to advances like more powerful local devices.
Biometrics can replace a password. You might use Touch or Face ID (biometrics) to log in to your iPhone instead of typing a PIN. Android phones have fingerprint and face login features, too.
You can also now create “passwordless” Microsoft accounts to sign in to Windows. Your username is your phone number, and the “password” you type is a code sent to your phone number via SMS.
You can also use a physical security key instead of a password to authenticate your online accounts. You keep the key with you (you can even keep it on your keychain) and use it via USB, NFC, or Bluetooth when it’s time to sign in.
Phones can replace passwords, too. Google now lets Android devices function as FIDO2 keys. You might also have to authenticate with a fingerprint on your phone when signing in to a website on your laptop.
Many companies try to reduce the reliance on passwords by offering “single sign-in” providers. This is when you sign in to Facebook, Google, etc., and then use that account to sign in to other services—no additional passwords necessary.
Password “Replacements” Don’t Replace Passwords
There’s a big problem here, though. Technologies touted as password “replacements” aren’t actually replacements—at least, not yet.
Biometrics, like Face or Touch ID, still require both a passcode and an Apple ID password on your device. Some tasks require a PIN for background encryption purposes, too. Biometric features on Android and Windows Hello on Windows 10 work the same way—basically, as a convenience feature. It’s easier to sign in to your device because you don’t have to type a password each time, but it doesn’t replace your password.
A passwordless account that sends phone codes to you isn’t great, either. Rather than one password for your account, this service generates a new one each time you try to sign in and sends it to you via SMS. This is less secure than the traditional method of a single password plus a security code sent to you when you sign in.
Unfortunately, attackers easily steal phone numbers in many situations, which makes this less secure. It’s a great method to reach people in countries where phone numbers are ubiquitous, and it reduces the friction of signing up for an account, which is why Amazon offers this, too. But it’s not a good solution to replace passwords.
Most services that have adopted physical security keys use them as an additional authentication option. You still sign in with your password, and then provide the security key as a secondary confirmation to get in. The ability to use a key without a password is still a long way off.
There’s a privacy problem with single sign-on services, too. When you click “Sign in With Google” or “Sign in With Facebook,” the service operator—Google or Facebook—knows what you’re signing in to.
There Will Always Be Passwords (in the Background)
Even if Google’s dream of replacing passwords with phones comes to fruition, it won’t eliminate the password. The Verge summarized Google’s plans this way: “If you’re already signed in to your phone, then this could be used to ‘bootstrap’ the next device that you want to sign in to your Google account.”
You might avoid using your password for a long time, but it’s still there in the background. After all, you’ll need it if you lose all your devices.
Passwords are still widespread. They’re easy to set up and use. Password “replacements” offer more convenience or extra security. But you’ll always need a way to regain access if you lose your device and can’t use your biometrics or hardware security.
“I think there are always going to be edge cases that require passwords,” said 1Password’s chief operating officer Matt Davey. For example, Sign in With Apple in iOS 13 offers a web-based sign-in option that uses your Apple ID password when you sign in on a non-Apple device. A password works everywhere and is the universal default when fancy biometrics or hardware security features aren’t available.
As Goldberg said, “Passwords are just really, really easy” for websites to implement. “They’re still the most straightforward thing for service operators to use.”
That’s why 1Password is bullish on the future of password managers. The company said it had seen more new users even as competition grows, and companies like Apple, Google, and Mozilla get more serious about password management.
What Does the Future Hold?
The dream of killing the password is a long way off. Even if the process goes well, the best-case scenario is we’ll inch forward slowly, with more easy alternatives to passwords.
Someday, passwords might be so relegated to the background that they’ll be a long-forgotten account recovery method. But they’ll probably be around for a long time to come. The battle to banish them from daily use for the majority of people will be long and hard-fought. But killing passwords entirely? That’s even harder to imagine.
This was originally posted by Chris Hoffman for HowtoGeek.