Why the Future Is Passwordless (and How to Get Started)
Tired of remembering or managing long lists of passwords? Good news: the future is passwordless. You might even be able to go passwordless (or near-enough) for some services you already use right now.
What Does “Passwordless” Mean?
A passwordless login removes the need to provide a password, whether it’s one that you remember or keep track of in a password manager. You’ll still need to remember an identifier like a username or an email address, but you’ll prove your identity through some other means.
There are varying degrees of passwordless implementations. The end goal for many is to remove passwords altogether, which would mean it isn’t possible to log in with a password at all. Some approaches that are already in place allow you to log in with a password as an option, while still allowing you to verify your identity using other means.
To get rid of passwords, different methods are called upon to verify you are who you say you are. This may be a mobile authenticator app that only you have access to, biometrics like a fingerprint or facial scan, a physical real-world device like a keycard or USB stick, or less secure approaches like SMS or email codes.
You may be required to use more than one method to prove your identity. Two-factor authentication has demonstrated the importance of a multi-pronged approach, and depending on the approach adopted by the service you’re trying to access, that may still be true in a passwordless future.
Strides have been made in the deployment of passwordless logins thanks to new standards like Web Authentication (WebAuthn). This approach removes the need for biometric data like fingerprint records or facial likenesses to be stored on a central server, which could have devastating security impacts that even a password breach can’t match.
Web Authentication allows sensitive data to remain on your device; only a public key is sent to the server. Your device proves possession of the matching private key locally, and the server checks that proof using the public key it holds. This removes the need to protect secret information on the server (like a password), since the secret only needs to exist on your local device.
What Benefits Are There to Going Passwordless?
One of the biggest benefits of going passwordless is simplicity. While most people have already adjusted to using password managers, there are still some passwords (like master passwords) that need to be kept in your head. You can’t store the database password in the database that contains your passwords, after all.
By going passwordless you can instead verify your identity without having to remember anything. You may need to authenticate with a mobile app or scan your face or fingerprint, and that’s it.
Not everyone uses a password manager, even though they should. Some still rely on the “little black book” approach, while others don’t use unique passwords for every new service they sign up for. While some services require two-factor authentication, many do not.
Take a look at Have I Been Pwned to see how many data breaches have been associated with your email address and you’ll quickly see why so many are desperate to rid the world of passwords.
By removing passwords entirely, you remove a point of weakness in account security. This isn’t going to take place overnight, and it will take time for many to come to terms with a future that uses alternative methods of verification. The business world is already adopting solutions like YubiKey since the costs associated with password breaches can be so great.
This cost doesn’t always mean money, either. Many services, like banks and pension funds, require that you process password resets over the phone or even by mail. This takes up time for both the bank and the customer. Passwordless solutions won’t always be free of friction, but they place less emphasis on the end-user to remember or protect an arbitrary string of numbers, symbols, and letters.
Which Services Let You Go Passwordless?
At the time of writing in November 2021, only Microsoft allows you to go fully passwordless. This means you can remove your password from your account entirely and use Microsoft’s services including Xbox, Microsoft 365, and Windows without having to type or paste a password.
You can do this by downloading the Microsoft Authenticator app for Android or iOS, then logging into your Microsoft account in a web browser. Once logged in, select “Advanced Security Options” then scroll down to Additional security and click “Turn on” next to the option for a Passwordless account.
As part of the process you will be invited to save some backup codes which you can use to log in to your Microsoft account should you lose access to the Microsoft Authenticator app. You can always revisit Microsoft’s security options website and turn off the feature, which restores password login to your account at a later date.
Google is also moving towards a passwordless future, with the company announcing in May 2021 that it is “creating a future where one day you won’t need a password at all.” If you have an Android device, you can use your smartphone to sign in on the web: log in to your Google Account, tap “Security,” then select “Set It Up” next to Use Your Phone to Sign in.
Apple has also made moves in implementing passwordless logins across the web in Safari with iOS 15 and macOS 12, released in late 2021. The new “passkeys in iCloud Keychain” feature is now present for developers to begin testing, though nothing is ready or accessible in consumer builds as of yet.
Apple’s Garret Davidson explained at a WWDC 2021 session how its approach leverages WebAuthn using a pair of public and private keys:
With public/private key pairs, instead of a password, your device creates a pair of keys. One of these keys is public; just as public as your username. It can be shared with anyone and everyone, and is not a secret. The other key is private … when you create an account, your device generates these two associated keys. It then shares the public key with the server.
Now, the server has a copy of the public key … the private key stays on your device, and only that device is responsible for protecting it. Later, when you want to sign in, you don’t send the server anything secret. Instead you prove that it’s your account by proving that your device knows the private key associated with your account’s public key.
In plain English: your device uses your private key, locally on your device, to produce a “signature” that proves you are who you say you are. Since only your private key can produce a valid signature, only a device that knows your private key can pass the test. The server then checks your signature against the public key and decides whether to grant you access.
This is a basic overview of how WebAuthn works, and how Apple intends to use it to replace passwords on its devices when combined with technologies like facial recognition and fingerprint scans.
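To make the key-pair exchange concrete, here is an added example in Go (not Apple’s code, Microsoft’s code, or any WebAuthn library) that models both sides of the flow: the device generates a P-256 key pair and keeps the private half, the server stores only the public half, and each login is a signature over a fresh challenge the server hands out. The “alice” account, the 32-byte challenge size, and the one-challenge-per-account table are assumptions made for the demo; real WebAuthn also binds the signature to the site’s origin and to authenticator data, which this leaves out. It goes a step beyond the text by also showing why a replayed signature and a different device are both rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Server (the site you log in to): one public key and at most one outstanding challenge per account; nothing here is secret.
type Server struct {
	publicKeys map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

// Device holds the private key, which is generated here and never leaves.
type Device struct{ priv *ecdsa.PrivateKey }

// NewDevice creates a P-256 ECDSA key pair (ES256, the usual WebAuthn choice).
func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// Register is account creation: the device shares only its public key.
func (s *Server) Register(user string, d *Device) {
	s.publicKeys[user] = &d.priv.PublicKey
}

// Challenge hands out fresh random bytes; a new value per login is what makes a signature captured earlier useless later.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32) // 32 bytes is an assumed size for the demo
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Sign runs on the device: hash the challenge and sign it with the private key. The signature reveals nothing secret.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Verify runs on the server: check the signature with the stored public key, then discard the challenge so it cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, hasKey := s.publicKeys[user]
	challenge, hasChallenge := s.challenges[user]
	if !hasKey || !hasChallenge {
		return false
	}
	delete(s.challenges, user)
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Login runs one challenge/response round; it returns the signature so the caller can try replaying it.
func Login(s *Server, user string, d *Device) (ok bool, sig []byte, err error) {
	ch, err := s.Challenge(user)
	if err != nil {
		return false, nil, err
	}
	if sig, err = d.Sign(ch); err != nil {
		return false, nil, err
	}
	return s.Verify(user, sig), sig, nil
}

// Demo registers a device for the constructed account "alice", then tries the genuine device, a replay, and a device without the key.
func Demo() (genuine, replayed, otherDevice bool, err error) {
	srv := &Server{publicKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
	dev, err := NewDevice()
	if err != nil {
		return
	}
	srv.Register("alice", dev)
	genuine, sig, err := Login(srv, "alice", dev)
	if err != nil {
		return
	}
	replayed = srv.Verify("alice", sig) // challenge already consumed, so false
	other, err := NewDevice()
	if err != nil {
		return
	}
	otherDevice, _, err = Login(srv, "alice", other) // wrong private key, so false
	return
}

func main() {
	g, r, o, err := Demo()
	fmt.Println("genuine device:", g, "replayed signature:", r, "other device:", o, "error:", err)
}
```

The point to notice is what the server table contains: public keys and short-lived random challenges. A copy of that table lets an attacker verify signatures, not produce them, which is exactly the property a leaked password table lacks.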
You can already turn off password requirements for Apple Pay payments, device logins, and App Store downloads on your iPhone, iPad, and Mac, but passkeys take the same approach a step further and extend it to other services.
A Passwordless Approach Isn’t Perfect
No solution is perfect, hack-proof, or entirely foolproof. You could lose access to a device, or leave something logged in that could put your accounts at risk. Even Face ID and Touch ID can be exploited on sleeping or unconscious individuals, or by creating lifelike facsimiles of the biometric data they are looking for.
Perhaps the greatest hurdle will be adoption, and convincing most people that they are better off letting go of their passwords in favor of a new way of doing things.
But an imperfect solution is no reason to throw it out altogether. Passwords are outdated and impractical, and it’s time to move on. Two-factor authentication isn’t perfect either, but there are reasons why companies like Apple (and soon Google) mandate it.
The same goes for password managers. Learn why using your web browser as a password manager might be a bad idea.