Is the era of passwords and password managers coming to an end?
Throughout last year we heard the new buzzword "passwordless" everywhere.
Will passwords soon become a thing of the past, so that we enter a new world where we no longer have to think up passwords, remember them or store them securely?
Let's take a closer look and find out if this is really the case.
Let's start with the basics. What is the new passwordless technology?
To be honest, the new passwordless tech based on passkeys is nothing more than good old public key (asymmetric) cryptography: the public key is stored on the service side and the private key stays on your device. The private key never leaves the device; it is used to sign authentication challenges issued by the service, and the service verifies those signatures with the stored public key.
The strong points we should admit about passkeys are that they are deemed to be strong by design and phishing-resistant.
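The challenge-response flow described above, as an added example that is not code from the original article or from the FIDO Alliance: a service keeps only the public key, the device signs a fresh challenge together with the origin the browser reports (a simplified stand-in for WebAuthn's clientDataJSON), and the service verifies with its own origin, which is what makes a response produced on a look-alike site useless to the attacker. Ed25519, the origin string format and all names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Credential is all the service stores: a public key scoped to its registration origin.
type Credential struct {
	Origin    string
	PublicKey ed25519.PublicKey
}

// Authenticator models the user's device; the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

// Register generates the key pair on the device; the service receives only the public half.
func Register(origin string) (*Authenticator, Credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{priv: priv}, Credential{Origin: origin, PublicKey: pub}, nil
}

// NewChallenge is the service's fresh 32-byte nonce for one login, so a captured response cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData binds the challenge to an origin (assumed format), as WebAuthn's clientDataJSON carries the origin the browser saw.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"\x00"), challenge...))
	return h[:]
}

// Sign runs on the device: it signs the challenge plus the origin the browser reports, never the bare challenge.
func (a *Authenticator) Sign(seenOrigin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedData(seenOrigin, challenge))
}

// Verify runs on the service with its own origin and issued challenge; a signature made for a look-alike origin fails.
func Verify(cred Credential, challenge, sig []byte) bool {
	return ed25519.Verify(cred.PublicKey, signedData(cred.Origin, challenge), sig)
}
```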
Leading the way to passwordless authentication is the FIDO Alliance, which is “an open industry association with a focused mission: reduce the world’s reliance on passwords”. The Alliance's efforts are aimed at improving the user authentication experience.
Currently, FIDO passwordless authentication via passkeys is available on Windows, macOS, Android, iOS, Chrome, Edge and Safari. Major online services such as Apple, Google, Microsoft, Amazon, PayPal, Adobe, etc. offer login with passkeys.
Of course, these are pioneers, and there is still a long way to go before widespread adoption, especially given that the technology is still developing and lacks full cross-platform functionality. As a result, users will have to create several passkeys for different devices in order to log in, which for many will make the transition to passwordless burdensome and therefore incomplete.
To be fair, we note that passkeys can be stored on a YubiKey and, with some restrictions, in some password managers, which improves the cross-platform user experience.
So, when is our digital world going passwordless?
Unfortunately, not as soon as passwordless enthusiasts hope. And here's why.
Let's take a look at some authentication statistics.
According to the FIDO survey, password-only authentication is still prevalent (more than 30% of respondents log into their work computers and accounts using this approach!). It is also noteworthy that the average user has to manually enter a password about 4 times a day.
Preferred ways of signing in to online accounts, apps and smart devices: 27% biometrics, 17% unique complex password, 14% one-time passcode, 8% password manager, 4% physical security key.
The average person abandons a purchase or gives up accessing an online service because they couldn’t remember their password almost 4 times per month. This number, as well as the number of manual password inputs per day, can easily be explained by the low adoption rate of password managers among respondents.
So far, the most common authentication methods in organisations are passwords (76%), multi-factor authentication (MFA) (43%), one-time passcodes (33%) and single sign-on (SSO) technologies (27%). However, 92% plan to increase their use of passwordless technology in the future.
According to respondents, passwordless authentication will reduce non-passwordless MFA offerings (50%), the need for SSO (48%) and the need for privileged access management (46%), although it is not yet clear to what extent.
89% of IT decision makers surveyed expect their organisations to use passwords for less than 25% of logins within five years. On average, nearly one-third of organisations plan to adopt or continue to use passwordless authentication in the next 1-3 years.
39% of IT decision makers admit that users are reluctant to make the switch and 49% say the applications they’re using are not designed to go passwordless.
Despite all the stir in the media, a completely passwordless future seems unrealistic. But the digital world is slowly but surely moving towards it.
So what about passwords and password managers and their place in the “passwordless” future?
They're here to stay, so don't rush to cancel your password manager subscription.
The main disadvantage of passwords compared to passkeys is that they are stored on the service's servers (normally hashed rather than in plain text) and can be leaked, and then recovered by cracking the hashes, in the event of a data breach. In this case, checking passwords against a database of leaked credentials can help. Our password manager PassSecurium™ has this feature.
Passkeys are also considered phishing-resistant, but if you use a password manager, you can likewise reduce the risk of visiting a phishing website by storing a link to the legitimate site in it and following that link from the password manager.
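One common way to implement such a leaked-credential check without sending the password, or even its full hash, to the lookup service is a k-anonymity range query; this is an added example and an assumption about the approach, not PassSecurium's implementation. The breach corpus here is a constructed sample, and the client only ever transmits the first five hex characters of the SHA-1 hash.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"strings"
)

// Constructed sample of a breach corpus: the lookup service holds only SHA-1 hashes
// of leaked passwords with the number of times each was seen, never the passwords.
var leakedCorpus = map[string]int{} // upper-hex SHA-1 -> breach count

func init() {
	for pw, n := range map[string]int{"password": 9000000, "qwerty123": 500000, "letmein": 120000} {
		leakedCorpus[sha1Hex(pw)] = n
	}
}

func sha1Hex(s string) string {
	sum := sha1.Sum([]byte(s))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// RangeQuery is the service side: given only the first five hex characters of a
// hash, it returns every matching suffix with its count, so the service never
// learns which full hash the client is interested in.
func RangeQuery(prefix string) map[string]int {
	out := map[string]int{}
	for h, n := range leakedCorpus {
		if strings.HasPrefix(h, prefix) {
			out[h[5:]] = n
		}
	}
	return out
}

// BreachCount is the client side (e.g. inside a password manager): hash locally,
// send only the 5-character prefix, and match the remaining suffix at home.
// A result of 0 means the password was not found in the corpus.
func BreachCount(password string, query func(string) map[string]int) int {
	h := sha1Hex(password)
	return query(h[:5])[h[5:]]
}
```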
In general, users can dramatically reduce the cyber risks associated with passwords by using a password manager and enabling 2FA/MFA where it's impossible to use passkeys.
Moreover, password managers can store far more data than just your login/password pairs, e.g. credit cards, bank accounts, all kinds of customer cards and IDs, server access details and email settings; you can also attach files to your records and make secure notes.
In terms of cross-platform and multi-user credential sharing, especially for businesses, the password manager approach still seems to be the more acceptable and convenient solution.
And gradually, password manager developers are adding the ability to store passkeys to their products (we are also keeping this idea in mind and in our future plans).
What can we say in conclusion?
Apparently, a complete transition to passwordless authentication is not expected in the foreseeable future.
Passkeys and their use are a hot topic, but it is too early to say how much hype is involved. While the technology is still new and claims to be the most secure and phishing-resistant authentication method, we should remember that cybersecurity is always an arms race with hackers. There is reason to believe that in the near future we will see the first attempts to attack, bypass or exploit passwordless technologies.
Gradually, services and applications will be switching to passwordless authentication - and this is good news. But many services are not as agile, and are likely to continue to use legacy approaches for a long time.
Where possible, use passkeys, but where you still use passwords, we urge you to follow password management best practices (including using a password manager such as PassSecurium™).
Password managers, including our own product, are diversifying and adapting so that they will still have a place and be needed even in a passwordless future.
Source: Online Authentication Barometer, a survey by the FIDO Alliance.