The future of passwordless authentication | What is the tech world up to in this aspect?

Passwords do not need an explanation. If you are here, you must have entered a user ID and password at some point. It could be the password for your user account or anything else. Remembering passwords is not overwhelming for most tech-savvy users, but you can’t deny it is an extra headache. Passwords are the simplest form of security that you can think of. Even so, they are still a big deal for the seniors around us who have lately adopted tech.

In the early days of computing, when the keyboard was the only significant input device, passwords seemed to be a revolutionary way to ensure privacy. Even today, the most straightforward computer will have a keyboard to send inputs and a mouse to point to items on the screen. That said, to ensure privacy, a password or a PIN is the only security solution that fits all sizes. But with convenience, passwords have their limitations. I will discuss a few of them later in this article. But let’s talk a bit about passwordless authentication. 

Password-less authentication in brief

You already have the idea from the name itself. Authentication refers to proving you are the authentic person to gain access to a website, portal, or similar service. So, if you prove your identity through something other than a password, it is an example of password-less authentication. 

Almost since the inception of computers and security, the password has been one of the most reliable methods to ensure privacy, and even some high-end systems still ask for an additional authentication factor only after the password is entered. So, what’s wrong with traditional passwords? Before proceeding with some instances of password-less authentication, I will talk about the limitations and challenges and what the tech giants are up to.

The problem with passwords

Let’s start with why we need password-less authentication or the problems with traditional passwords.

Problems remembering

No matter what, security experts recommend setting complex yet unique passwords for all online portals. This ensures your accounts on other websites are kept away from attacks if one password is leaked in a data breach. However, with users registering for new portals like cars passing on a highway, it can become challenging to remember passwords. Tech-savvy users like us can create a logic to remember the passwords, which also has risks. Think of others who must click the ‘Forgot password’ link whenever they need to log in.

Security risks

Even though passwords are a private set of characters used for authentication, you can’t deny that they can be guessed. Data says most people use passwords like 12345, pass@1234, or similar easy combinations. While these are easy to remember, they can also be guessed easily. This poses serious security risks and undermines the whole concept of passwords.

Phishing attacks and keyloggers

If you see a website or online portal that looks similar to the one you use every day, but something is off, double-check the URL because it can be a phishing website built to harvest your credentials. Even if everything looks the same, checking the URL closely is essential. Phishing attacks can steal your password, no matter how tough it is to remember or guess. You might later be redirected and logged in to the original website without realizing your password has been captured. It is now going to sell like hot cakes on the dark web.

If you log in to a website using somebody else’s computer, there is a risk of a keylogger recording your keystrokes, including your password. Virtual keyboards can restrict keyloggers, but a hidden screen-recording utility can still capture what you enter. Most people are unaware of virtual keyboards, partly because pressing the keys to enter a password is more convenient.

So, there are some severe problems with passwords. However, most of them can be sorted out in other ways.

Passwordless authentication options

I already discussed why traditional passwords are so common and convenient. You can authenticate on your favorite online portal or get web access from any device, as all you need is a keyboard to enter the password. Let’s have a look at some other solutions.

Use of one-time passwords

Nowadays, most websites offer multi-factor authentication, where the user needs to enter a one-time password sent through SMS or email after entering the password. It is possible to drop the password and use only the OTP for login purposes. However, login attempts can fail in remote areas with poor connectivity.

The solution can be to use apps like Authenticator that generate Time-based OTPs or TOTPs that will work regardless of whether you are connected. If you think you always need to carry your phone to log in if you use TOTP-based authentication, you are wrong. Similar apps and browser extensions are also available, and you can get the same OTP on multiple apps through proper setup.

SMS or email-based OTPs can also be used with TOTPs for more secure login without using passwords for authentication.
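The time-based OTPs described above work offline because the code is computed from a shared secret and the current time only. The following is an added example, not part of the original article: a minimal TOTP generator and server-side check following RFC 6238 with HMAC-SHA1, using the RFC's published test key as the sample secret. The `verify` helper, its drift window and its replay check are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import struct

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the code an authenticator app shows at unix_time (no network needed)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)        # 8-byte time-step counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, unix_time, last_used_step=-1, window=1, step=30):
    """Server side: return the matched time step, or None.

    Accepts +/- `window` steps to tolerate clock drift and refuses any step
    at or before `last_used_step`, so a captured code cannot be replayed.
    """
    current = unix_time // step
    for s in range(current - window, current + window + 1):
        if s <= last_used_step:
            continue
        if hmac.compare_digest(totp(secret_b32, s * step, step), submitted):
            return s
    return None

# Constructed sample secret: the ASCII test key from RFC 6238, Base32-encoded
# the way it would appear in an enrollment QR code.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    now = 59
    phone = totp(SECRET, now)        # authenticator app on a phone
    extension = totp(SECRET, now)    # browser extension enrolled with the same secret
    print(phone, extension, verify(SECRET, phone, now))
```

Both "devices" print the same code because they hold the same secret, which is also why the secret must be protected as carefully as a password wherever it is stored.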

Biometrics

Passwords can be guessed, and OTPs can be stolen if you are unaware, but it’s tough to steal your biometrics, as they are primarily out of your control and allow unique authentication. By using your fingerprint, iris image, voice, or face for authentication, you will never need to enter passwords, and you can seamlessly register and log in to as many services as you want with zero memory overload and almost instantly, or at least faster than entering passwords or PINs.

Since most laptops and budget smartphones nowadays come with fingerprint sensors, tech companies can adopt this and make fingerprint authentication a standard. However, if other biometric data is used, specialized hardware and software will be required, and saving the images will require additional space, which might restrict most small companies from adopting other modes of biometrics.

Physical security keys and tokens

What if you could carry your passwords with you just like you carry your door keys? Yes, it is possible, and most web services like Google allow you to set up a physical security key that you can use to log in to your account. However, you should be careful with your physical keys for reasons I don’t need to explain.

Magic Links

When logging in, users will get a magic link through email or SMS that will lead to a page asking for details from the user to authenticate. For example, when logging in, the user will see a number, and the same number must be entered on the landing page of the magic link to authenticate. However, just like OTPs, the user must be in a connected environment, as the user must get the link through SMS or email before proceeding with the login process.
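The magic-link flow with the matching number, sketched as an added example that is not part of the original article. The HMAC-signed token, the five-minute expiry, the single-use rule and every name here (`start_login`, `finish_login`, `PENDING`, `SERVER_KEY`) are assumptions chosen for illustration, not a description of any specific service.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment signing key
PENDING = {}                           # nonce -> (email, expires_at, number)

def _sign(email, nonce, expires):
    msg = f"{email}|{nonce}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def start_login(email, now, ttl=300):
    """Return (token to embed in the emailed link, number shown on the login page)."""
    nonce = secrets.token_urlsafe(16)
    number = f"{secrets.randbelow(100):02d}"
    expires = now + ttl
    PENDING[nonce] = (email, expires, number)
    return f"{nonce}.{_sign(email, nonce, expires)}", number

def finish_login(token, entered_number, now):
    """Landing page handler: return the authenticated email, or None."""
    nonce, _, sig = token.partition(".")
    record = PENDING.pop(nonce, None)          # single use: consumed on first attempt
    if record is None:
        return None
    email, expires, number = record
    if not hmac.compare_digest(sig.encode(), _sign(email, nonce, expires).encode()):
        return None                            # link was altered
    if now > expires:
        return None                            # link is too old
    if not hmac.compare_digest(entered_number.encode(), number.encode()):
        return None                            # number from the login page does not match
    return email

if __name__ == "__main__":
    token, number = start_login("alice@example.com", now=1000)   # constructed sample address
    print(finish_login(token, number, now=1100))   # alice@example.com
    print(finish_login(token, number, now=1101))   # None: link already used
```

Requiring the number from the original login page means that someone who only reads the email cannot complete the login without also seeing the session that requested it.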

Device Biometrics

With device-based biometrics, the user must access the portal from a specific device or at least have access to a particular device to log in. But in this era, when users change their smartphones and laptops so frequently, they may face difficulties discarding old devices to start using the new ones. Logging in can also be a severe problem if a device is stolen. So, those were some of the solutions if the world wants to be passwordless.

However, going passwordless will not be devoid of challenges. Some must be addressed before the transition to passwordless technology becomes smooth.

Challenges in implementation

That doesn’t mean there are no challenges in implementing password-less authentication. Here are some:

Implementation challenges

It is excellent to explore options. However, it can be equally difficult for the developers to implement or integrate a new system with an existing one. Based on the internals, some systems will need a massive overhaul to integrate and enforce passwordless authentication tools across multiple devices. For example, a computer must have a fingerprint sensor or a webcam to register and scan fingerprints and faces before you can access a system. This can be a problem for computers that run on minimum peripherals.

Users might find it difficult

As I just discussed, the requirement of new hardware or changes in the everyday login method might impact users’ productivity, and they might find it regressive. So, user acceptance is again something that will be a real challenge, as it is not just the companies who need to invest in the technology; the users, too, need to invest in new hardware that might seem to be an unnecessary investment for most.

However, that doesn’t mean the door to passwordless technology is locked forever. Adoption of passwordless technology should be gradual, and a complete takeover might take a decade. 

Most tech giants are trying to implement various methods of passwordless authentication as an additional factor besides using passwords, most likely to check how well the users are adapting to it. However, companies must try other cool ways to authenticate and let passwords sleep well in history books, letting the next generation know about the good old days.

So, that’s all about passwordless technology. Do you have anything to say? Feel free to comment below.