This article originally appeared in The Tennessean.
“There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.” — Bill Gates, 2004
I remember when I was a kid, we were told that we needed to learn the metric system because it was only a matter of time until our Americanized method of measurements of inches, yards, miles and pounds would face its demise.
This prediction made sense at the time. Other than the United States, Liberia, and Burma, the rest of the world was already metric. And the logic of using decimal-based conversions and easy-to-understand terminology was much simpler than trying to convert miles to feet or tons to pounds.
Bill Gates’ prediction of the death of the password as the primary method of securing computer systems also made sense at the time.
For a password to be secure it must be complex (hard to guess), unique across multiple systems, changed every 90 days, never shared with anyone else, and never posted on a sticky note next to your computer. These requirements are so cumbersome that most of us simply cannot comply with them.
And even when users do comply, hackers can simply use phishing attacks to trick users into giving up their passwords voluntarily.
With the proliferation of social media platforms, e-commerce, cloud applications and smartphones, these security risks around passwords have given hackers a bigger target than ever before. Over 80% of all hacks are password-related, and there are an estimated 158 passwords being hacked every second of every day across the world. Passwords — just like inches, feet, yards, and pounds — should have died off long ago.
Despite its impressive staying power, our reliance on password-based security is finally beginning to fade. It’s taken longer than Gates and many other tech leaders predicted, but “password-less authentication” systems are gaining traction.
So, what is password-less authentication?
Unlocking the door to your car and turning the ignition requires a physical key. Some cars use old-school keys, while some more modern ones use key fobs. In either case, without the key a car is useless.
Password-less authentication uses a similar concept. Instead of requiring the user to remember a secret to gain access to a computer system, software application or website, a password-less login requires users to have a “digital key.”
Digital keys work much the same way physical keys do, but they have some extra features that make them more secure. Not only do they let you in, they also identify who you are. And unlike a car key, they can be revoked at any time.
Digital keys that replace the need for traditional “user name/password” logins are already available in many forms. For web-based applications they often come in the form of an encrypted file on your computer. Other platforms use biometric data (like your fingerprint) or an app on your smartphone to grant you access.
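As an added illustration (not part of the original column), here is a small Go program showing what a "digital key" login looks like under the hood: a key pair is created on the user's device, only the public half is registered with the service, each login signs a fresh random challenge rather than sending a secret, and revocation is a one-line deletion on the server. The Server, Client, Register, Challenge, Login and Revoke names are this example's own, and the program is a deliberately simplified model, not any particular product's protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added example, not from the original column: a minimal challenge-response
// login in which an Ed25519 key pair plays the role of the "digital key".
// Server, Client, Register, Challenge, Login and Revoke are names chosen here.

// Server holds, per user, the public half of each registered key. The private
// half never leaves the user's device, so there is no shared secret to phish.
type Server struct {
	keys map[string]ed25519.PublicKey
}

func NewServer() *Server {
	return &Server{keys: make(map[string]ed25519.PublicKey)}
}

// Client models the user's device: it keeps the private key (the file, phone
// app or security key in the column's description) and signs challenges with it.
type Client struct {
	user string
	priv ed25519.PrivateKey
}

// NewClient creates a fresh key pair for a user; the private key stays local.
func NewClient(user string) (*Client, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{user: user, priv: priv}, nil
}

// Register enrols the client's public key under its user name. Only the public
// key crosses the wire; the server can verify the user but never impersonate them.
func (s *Server) Register(c *Client) {
	s.keys[c.user] = c.priv.Public().(ed25519.PublicKey)
}

// Challenge issues a fresh random nonce. Because it is new for every login, a
// captured signature cannot be replayed against a later login attempt.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Sign is the client's half of the login: prove possession of the key by
// signing the server's challenge. Nothing reusable is disclosed in the process.
func (c *Client) Sign(challenge []byte) []byte {
	return ed25519.Sign(c.priv, challenge)
}

// Login verifies the signature against the public key on record for the user.
// A valid signature both grants access and identifies who holds the key.
func (s *Server) Login(user string, challenge, sig []byte) error {
	pub, ok := s.keys[user]
	if !ok {
		return errors.New("no key registered for user (unknown or revoked)")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not match registered key")
	}
	return nil
}

// Revoke deletes the public key, which is all it takes to stop the key from
// working, unlike a physical car key that keeps fitting the lock.
func (s *Server) Revoke(user string) {
	delete(s.keys, user)
}

func main() {
	srv := NewServer()
	alice, _ := NewClient("alice")
	srv.Register(alice)

	ch, _ := srv.Challenge()
	fmt.Println("login with registered key:", srv.Login("alice", ch, alice.Sign(ch)))

	imposter, _ := NewClient("alice") // different key, same user name
	fmt.Println("login with wrong key:     ", srv.Login("alice", ch, imposter.Sign(ch)))

	srv.Revoke("alice")
	ch2, _ := srv.Challenge()
	fmt.Println("login after revocation:   ", srv.Login("alice", ch2, alice.Sign(ch2)))
}
```

Three things the column describes show up directly in the code: the key identifies the user (the signature only verifies against that user's registered public key), a different key for the same user name is rejected, and revocation is immediate because the server simply forgets the public key.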
Most of the security experts in the world are all-in on going password-less. It’s more secure, simpler for users, easier for IT departments to manage, and the technology to implement is already available.
But despite its clear advantages, just like the metric system, it’s been hard to get it to catch on.
The primary cause of the slow adoption is the sheer expense of making the change, especially for larger companies. This is a valid barrier, since the upfront investment is significant. But as we see in the news every day — with everything from gas supply lines to major retailers to government databases getting hacked — the cost of staying with the status quo is high as well.
The metric system ultimately failed to catch on in the United States despite its clear advantages. Here’s hoping that password-less authentication will go the extra kilometer, I mean, mile.