The future of verification is passwordless

Padlock against circuit board/cybersecurity background
(Image credit: Future)

Only a select few tech companies move the needle quite like Google. It sent ripples reverberating through the marketing and advertising sectors when the tech giant signaled the end of third-party cookies and now, (with its decision to go passwordless by default), it’s only a matter of time until others follow their lead.

But it begs the question: why have we all been using passwords for so long anyway?

With cyber criminals becoming more sophisticated by the day, it is imperative for businesses and users alike to reevaluate their attitudes towards online security. Just because passwords have been the standard for as long as they have, that’s no reason to continue relying on such an insecure and bothersome form of verification. The time has come for a shift towards passwordless authentication and decentralized identities (DID), not only to mitigate risks, but also to (improve users’ experience and foster lasting loyalty).

David Ranson

Head of Identity and Access Management, Enterprise & Cyber Security at Fujitsu UK&I.

The slew of alternatives

Both passwordless logins and decentralized identity have been gaining traction in recent years and not just with Google; Microsoft and Apple have both made strides of their own with passkeys. The increased targeting of users through phishing attacks and credential theft has made protecting their information all the more critical, and relying on passwords that people so easily reuse and forget is not an adequate layer of defense.

This has coincided with the increased use and awareness of blockchain and distributed ledger technology (DLT), giving rise to decentralized identities (DID) which rely on both. By storing people’s details on a distributed ledger, they can be used to prove one's identity to others without having to share any personal information. For example a DID could be used to prove one’s age without having to share an actual date of birth. This gives users more control over their personal details and can allow them to verify aspects of their identity without needing to actually share evidence, reducing fraud risks and friction for users of digital services.

Beyond these, other forms of passwordless authentication that have been gaining popularity in recent years should eventually become the norm: think biometrics, one-time passwords and authenticator applications - or multiple in concert. Fingerprints and facial features are far more unique than strings of letters and numbers and device-based logins require a prospective criminal to steal somebody’s phone as well as their credentials.

Speed bumps on the passwordless road

The benefits of ditching passwords are clear but there are hurdles that businesses will need to overcome, if they want to take advantage.

The first is the proliferation of legacy systems. Many companies still rely on old technology and platforms that may not be set up to work with passwordless authentication techniques. While applications can be modified to work, some may be more expensive to adapt than others and when this is multiplied across numerous interconnected platforms, the costs can balloon quickly. Some may even need to acquire new hardware and software, requiring additional outlay.

There are other barriers to entry posed by existing estates, too. There’s no one-size-fits-all solution that will work with every technology estate, device mix and range of business use- cases. As a result, it can be difficult for a company to go passwordless without a strategic partner that can take care of the implementation phases.

Finally, while passwordless authentication can make the customer experience smoother, communicating this to users can be a challenge. People are always most comfortable with what’s familiar, and such a radical change to the way they access systems can be confronting - even when the benefits are obvious.

However, although these challenges are largely unavoidable, the benefits organizations can enjoy by navigating them outweigh the work needed to eliminate passwords.

Elevating businesses and customers’ experiences

From a security perspective, getting rid of passwords takes the sting out of phishing attacks and credential stuffing. As people often reuse login details for multiple platforms, there’s always the risk that a customer’s information that was stolen from one breached system can be used to access another of their accounts. If passwords are the primary mode of authentication, that is.

And as expensive as it can be to make the transition, this expenditure can be counterbalanced by cost-savings on the back-end. Account recovery processes and password resets all require time and money, resources that organizations can get back when they’re no longer necessary.

For customers the most obvious benefit is a more convenient user experience, freed from having to remember and input different logins for the range of platforms they interact with everyday. Plus, they will be able to get into their accounts faster - there’s a reason most people opt for a fingerprint scan or facial recognition as the default to unlock their smartphone.

Making the leap

The steps to going passwordless are not dissimilar from any other digital transformation project. First, organizations need to determine which path they want to go down and that will require tapping into customer insights. Will they be comfortable providing biometric data? How amenable are they to linking certain devices to their account? What devices are they using exactly?

The answers to these questions will help to define the sort of passwordless login that makes the most sense. Ultimately, customers’ preferences need to be at the core of the decision. Then comes the testing phase, which again links back to optimising customers’ experiences. With a fear of change already one of the barriers to wider adoption, the last thing a company needs is a botched roll-out that sends their users running to a competitor.

Where Google goes, the tech industry usually follows and it’s only a matter of time before passwords go the way of third-party cookies.

We've featured the best privacy tools and anonymous browsers.

David Ranson is the Head of Identity and Access Management, Enterprise & Cyber Security at Fujitsu UK&I.