Will We Ever Get Rid of Passwords?
It seems every week I receive spam emails appearing to come from friends of mine. It is immediately clear they were hacked. How did they get hacked? By having a weak password like the example in the picture above. The top 25 passwords revealed through a study show similar examples like abcd1234, the person’s birthday, their street address, and other easy to guess passwords.
Every year at our country club in Florida, I give a lecture about security, passwords, password managers, having long alphanumeric passwords with upper and lower case letters, numbers, and special characters, and other best practices. I cannot say my tips on the subject are acted on. It is understandable. Having, managing, and using strong passwords is a pain. Fortunately, there is relief in sight. Fairly soon, we will no longer need passwords at all.
It is not just casual observers or victims of weak passwords who are aware of the problem. Apple, Google and Microsoft, the largest players in the tech space, have been working on alternatives to passwords for years. The big three and others have finally reached consensus to get rid of passwords altogether. They have devised a completely new approach for users to log in to their accounts. If the majority of users had good password habits, such a radical change would not be needed, but the tech industry has thrown in the towel. The strain on tech support has grown. Bye bye passwords.
Apple, Microsoft and Google announced jointly last week that they are collaborating and have committed significant resources to create an entirely new system for passwordless sign-in. Passwordless will become a new word in user vocabularies before the year is over. It will initially be the big three, but I expect all websites will follow over the next couple of years if not sooner.
The simple explanation of the new approach is a change from what we know (our passwords) to what we have (our smartphones). The idea would not have been practical ten years ago, but now the landscape is different. Industry estimates put the number of people who own a smartphone at 7.26 billion, 91.54% of the world’s population.
Here is how it will work. You visit a website. Instead of entering an ID and password, you will open your smartphone. You authenticate on the phone by using your fingerprint or faceprint (what the vast majority will use), a PIN, or a pattern you draw on the screen. The smartphone then shares an encrypted passkey with the website. No user passwords. Instead, it is the device you have just authenticated to that vouches for you. The website is happy and you will be too.
No system is perfect, but the new passwordless world will be a vast improvement. The industry has agreed on a standard called FIDO, Fast Identity Online, which the FIDO Alliance will be making available to all websites. Your smartphone will store a unique FIDO-compliant passkey which will be shared with a website for authentication only when your phone is unlocked. The passkey will be stored in your preferred cloud so it can easily be synced to a new device in case you lose your phone or get a new one. Passwordless.
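A minimal model of the exchange described above, added here as an example and not code from the FIDO Alliance or any of the companies named: the phone keeps one private key per website and signs the site's random login challenge only while it is unlocked, while the website stores nothing but the public key and verifies the signature. The origins, user name and challenge bytes are constructed for illustration; the cloud sync of the passkey is out of scope.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Phone is the authenticator: one private key per website, usable only while
// the user has unlocked it locally (fingerprint, face, PIN or pattern).
type Phone struct {
	Unlocked bool
	keys     map[string]ed25519.PrivateKey // keyed by website origin
}

// Website stores only public keys, so a stolen user table cannot be replayed as a login.
type Website struct {
	Origin string
	users  map[string]ed25519.PublicKey
}

func NewPhone() *Phone { return &Phone{keys: map[string]ed25519.PrivateKey{}} }
func NewWebsite(o string) *Website { return &Website{Origin: o, users: map[string]ed25519.PublicKey{}} }

// toSign binds the origin into the signed message, so a signature for one site is useless to another.
func toSign(origin string, challenge []byte) []byte { return append([]byte(origin+"|"), challenge...) }

// Register creates a fresh passkey for this site and hands over only the public half.
func (p *Phone) Register(s *Website, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if !p.Unlocked || err != nil {
		return errors.New("phone locked or key generation failed")
	}
	p.keys[s.Origin], s.users[user] = priv, pub
	return nil
}

// Sign answers the site's fresh random challenge; the private key never leaves the phone.
func (p *Phone) Sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := p.keys[origin]
	if !p.Unlocked || !ok {
		return nil, errors.New("phone locked or no passkey for this origin")
	}
	return ed25519.Sign(priv, toSign(origin, challenge)), nil
}

// Verify checks the signed challenge against the user's stored public key.
func (s *Website) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.users[user]
	return ok && ed25519.Verify(pub, toSign(s.Origin, challenge), sig)
}
```

In a real deployment the website generates a new random challenge for every login attempt, so a captured signature cannot be replayed.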