A World without passwords

For many years now I have wondered whether passwords have become our most precious treasure. Over the years I have seen how people store their passwords on paper sheets (which usually get lost, or which can be read and linked to the service requiring the password) or simply use city names and birthdays that are easy to break. So, if passwords are really meant to keep our information secure, are they the only way to do it? Shouldn't there be an easier and more secure way for systems and services to do it?

The purpose of this short article is not to define how this can be achieved, but rather to understand whether the idea resonates with the IT community and whether it is worth a deeper dive into the topic.

The Problem:

  • 81% of the total number of breaches leveraged stolen or weak passwords – 2020 Verizon Data Breach Investigations Report
  • 1 million passwords are stolen every week – 2019 Breach Alarm
  • $1.3 million is the average cost of a data breach – 2017 Ponemon Institute Cost of Data Breach Study
  • According to Security Magazine, any password shorter than 10 characters can be cracked in less than 1 hour (on average, 60% of passwords are eight characters long or shorter)
  • A recent Gartner study puts the cost of password management at between $70 and $200 per user per year. For a company with 5000 employees, this would mean $1 million a year just for passwords!
  • Gartner also found that between 20% and 50% of all IT help desk calls are for password resets, each taking from 2 to 30 minutes to resolve.

As the figures indicate, the problem is real, and the effect on user experience can be even greater. Users who face a password-related incident experience lost productivity, fear of a potential breach and an immediate loss of loyalty toward the service provider.

The Evolution:

Up to this point, the business case for redefining the role of the password in modern society seems fairly obvious. Many companies have tried to incorporate new ways of keeping passwords more secure, but in fact passwords have not evolved much in the last 60 years.

As stated in Mashable, the first computer password was developed in 1961 at the Massachusetts Institute of Technology (MIT) for use with the Compatible Time-Sharing System (CTSS), which gave rise to many of the basic computing functions we use today. This is what used to be called a static password.

Then multi-layered authentication arrived, adding a range of passwords to access accounts, with the false idea of making it harder for hackers to get where users don't want them.

Thanks to smartphones, two-factor authentication became very popular. Two-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism: knowledge, possession and inherence, usually via a portable device.

During the early 2010s many companies moved to end-to-end password management and "single sign-on" (SSO), which promised users the ability to log into multiple systems and sites from different devices with a single password. Since SSO relies on a single credential, it often requires a very complex password, and if that credential is compromised it can grant instant access to far more than a single endpoint, breaking the principle of least privilege.

More recently, and familiar to many of us thanks to smartphones, biometrics arrived, using fingerprints, facial recognition and other traits to identify us as individuals when accessing an account. This is a growing trend, and as long as we don't have a clone, our information can be partially safe.

Some advanced architectures are working with AI to secure passwords. We will return to this topic later in the article.

If you are interested in the evolution of passwords, the WEF has a very good article, "Passwordless Authentication: The next breakthrough in secure digital transformation", which also covers some of the ideas highlighted in this article.

The Idea:

So, what would happen if we removed passwords? Would there be less incentive to attack and steal accounts? Would there be a totally new user experience (no username, no password, no typing)?

Can companies make strong promises to end users? "Users should never have to deal with passwords in their day-to-day lives" and "User credentials cannot be cracked, breached or phished".

As of today, my opinion is that these promises cannot be made. But companies willing to reshape the future of security can make them.

Gartner, in its 2019 article "Embrace a Passwordless Approach to Improve Security", recommends that organizations prioritize assessing and implementing more robust passwordless authentication methods. In doing so, organizations will improve both security and user experience.

The WEF brings a good perspective on interoperability, which can help standardize the way passwords are managed at the sector level (e.g. the public sector).

Companies like Microsoft have stated that:

"At its core, the fundamental philosophy is simple: devalue the password, and replace it with something that eradicates its use for the end user and drains its value for an attacker" - Microsoft

So what if new technologies such as AI were brought into the equation? What if a system could read and interpret our behavior and, if anything is out of the ordinary, automatically act on the potential threat? What if securing information moved to the back end of the architecture instead of being a user responsibility at the front? AI could work in the back end and apply deep learning to both user and attacker behavior. AI could also work together with the biometric sensors on devices to validate whether a smart device is being held the way its owner usually holds it.

The idea would be to have access to services and applications without even knowing or having a password.

Breakthroughs like zero-knowledge proofs offer another path. A zero-knowledge proof is a method by which one party (the prover) can prove to another party (the verifier) that a given statement is true without conveying any information beyond the fact that the statement is indeed true. The essence of zero-knowledge proofs is that it is trivial to prove possession of certain information by simply revealing it; the challenge is to prove such possession without revealing the information itself or any additional information. This could be extended to behavior and remove the need for passwords.
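To make the prover/verifier exchange above concrete, here is an added example (not from the article or its references) of the Schnorr identification protocol, the classic sigma-protocol zero-knowledge proof: the prover shows it knows the secret behind a registered public key without ever sending that secret. The group parameters and all function names are constructed for illustration; the group is far too small for real use.

```python
"""Schnorr identification: the prover knows x with y = g^x mod p and convinces
the verifier of that without revealing x.  Added example with constructed toy
parameters; real deployments use 2048-bit groups or elliptic curves."""
import secrets
# Constructed toy group: p = 2q + 1 is a safe prime and g = 4 generates the
# prime-order-q subgroup, so every y = g^x and t = g^r has order q.
Q = 1019
P = 2 * Q + 1          # 2039
G = 4

def keygen():
    """Enrolment: the secret x never leaves the prover; only y is registered."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def in_subgroup(v):
    """Guard against invalid or small-subgroup inputs before any exponentiation."""
    return 1 <= v < P and pow(v, Q, P) == 1

def prover_commit():
    """Step 1 (prover -> verifier): fresh nonce r, commitment t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def verifier_challenge():
    """Step 2 (verifier -> prover): an unpredictable challenge c."""
    return secrets.randbelow(Q)

def prover_respond(x, r, c):
    """Step 3 (prover -> verifier): s = r + c*x mod q; r masks x completely."""
    return (r + c * x) % Q

def verifier_check(y, t, c, s):
    """Accept iff g^s == t * y^c, which holds exactly when s was built from x."""
    if not (in_subgroup(y) and in_subgroup(t)):
        return False
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def simulate_transcript(y):
    """The zero-knowledge property: choosing c and s first, anyone can forge an
    accepting (t, c, s) without x, so a transcript leaks nothing about x."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, Q - c, P)) % P   # y^(q-c) == y^(-c)
    return t, c, s

def run_protocol(x, y):
    """One full interactive round between prover (knows x) and verifier (knows y)."""
    r, t = prover_commit()
    c = verifier_challenge()
    return verifier_check(y, t, c, prover_respond(x, r, c))
```

A prover that guesses the wrong secret passes only when c happens to be 0, i.e. with probability 1/q, which is why real parameters make q astronomically large.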

What are the steps toward a world without passwords?

There is still a long road ahead for such technologies to break through, but the impact could be massive. Becoming a passwordless company or service could unlock value, but it will require new system architectures, new user experiences, standardization and change management. It has been 50 years of a world with passwords, so removing them could take time.

Companies thinking of moving in this direction can follow these steps, based on Microsoft's approach:

  1. Replace passwords with a new set of alternatives that address the shortcomings of passwords while embracing their positive attributes (e.g. AI-based behavior analysis).
  2. Upgrade all experiences related to the entire life-cycle of a user's identity and ensure they work with the password replacements from step 1 (e.g. remove the "new password" and "change password" options).
  3. Simulate a passwordless environment.
  4. Eliminate passwords from the identity directory of all systems.

---------------------------------------------------------------------------------------------------------------

References:

(Main references from which this article was inspired)

1. https://www.microsoft.com/en-us/security/business/identity/passwordless

2. https://www3.weforum.org/docs/WEF_Passwordless_Authentication.pdf

3. https://www.gartner.com/smarterwithgartner/embrace-a-passwordless-approach-to-improve-security/

Monikaben Lala

Chief Marketing Officer | Product MVP Expert | Cyber Security Enthusiast | @ GITEX DUBAI in October

9 months

Carlos, thanks for sharing!

Luis Restrepo

Ask me about Technology, Energy, Blockchain

3 years

Glad you brought up this topic. I am at the moment working with a group of people looking for solutions and technologies in this area. It seems to me that all the solutions have one single general idea: cryptography. Digital identity is one of the big trends now in the blockchain industry, which is in the end related to passwordless access. It might be worth exploring the following links: https://www.atalaprism.io/app (this is by far a broader solution, but it is helpful to see the entire landscape). Also, as you mentioned, zero-knowledge proofs. Good reading: https://medium.com/@loveshharchandani/zero-knowledge-proofs-with-sigma-protocols-91e94858a1fb

Camilo Bustamante

Account Manager en Amazon Web Services (AWS)

3 years

In an FSI context, passwords are sources of friction in day-to-day customer interactions. To make embedded or utility banking a reality, a world without passwords is a must. There are examples already happening: using tags to go through a toll without stopping the car, purchasing using voice assistants, etc. I find a world without passwords important not only from an IT point of view, but as a capability for unlocking new business value.

With biometrics we are at least part of the way there; most of the apps on my phone, including banking, work through my fingerprints.
