Despise passwords? Some good news and bad news

How much do you hate passwords? In simpler times, they were a necessary nuisance, but with more than 15 billion breached credentials now running around the dark web, maintaining good password hygiene has become a science project.

Most experts now recommend constructing passwords out of a minimum of 12 random characters and never reusing the same one across more than one site. Since remembering all that is beyond the scope of most humans, a variety of password managers are available to help, with most of them protected by—you guessed it—passwords.

No one hates passwords more than the website operators that require them. A recent survey of over 1,000 consumers by passwordless startup Beyond Identity found that two-thirds said the need to create new passwords had stopped them from creating accounts, and three-quarters have abandoned shopping carts due to password reset issues.

What if we could get rid of passwords altogether? The good news is that there is a lot of money and brain power being applied to do just that. The bad news is that passwords, like mice, never completely go away.

Today’s passwordless solutions

There’s steady progress being made on the corporate front. Enterprise-focused identity access management vendors like Okta, Ping Identity, OneLogin, and Cisco all offer password-free access to company-approved sites. You still need at least a password to log in to their services, but once you’re approved, you’re good to go. The downside is that your bank or Netflix account probably isn’t on the company’s list of approved services.

On the consumer side, the most widely used option is OAuth, an open protocol that lets users who are signed into trusted sites such as Facebook, Google, and Apple sign into other services without creating an account or password. OAuth is easy to use and considered pretty secure as long as you’re logged into an authentication server, but it’s not such a cakewalk for website operators, said Zane Bond, director of product management at Keeper Security, which makes a password manager.

OAuth “is probably cryptographically secure, but from a website owner’s perspective, it’s difficult to implement correctly,” he said. “You have to be aware of all the revisions and versions and sometimes the setting guides don’t give you all the information you need. You may be using a secure technology but have misconfigured it.” Which is one reason you don’t see OAuth used very often on the millions of mom-and-pop retail sites that are out there.

The most prominent new entrant in the campaign is Microsoft, which introduced a passwordless option for Microsoft accounts in September. The solution doesn’t remove the need to sign in, however, since you still need Microsoft’s Authenticator app or a handful of other methods. It also only works for Microsoft accounts, at least for now.

And that’s the bigger problem. Beyond OAuth, the market is a jumble of solutions. The lack of a single canonical standard means the people who spend a lot of time online must continue to rely upon an assortment of password managers, authentication apps (I have three), biometric controls, and texted codes to get things done.

New players on the horizon

A bunch of startups is tackling the problem. Magic Labs uses public and private cryptographic key pairs created on the Ethereum blockchain (you don’t want to know any more than that). Secret Double Octopus, which takes the award for the best company name I’ve ever heard, uses technology that was reportedly to protect nuclear launch codes but its product is mainly aimed at enterprises.

Transmit Security recently raised an eye-popping $543 million funding round for a technology that uses biometrics to authenticate users across multiple devices. Beyond Identity has raised over $100 million for a technology that takes advantage of a tamper-resistant enclave called the Trusted Platform Module that’s built into every single computer and smartphone. The module stores a private encryption key that pairs with its public counterpart on sites a person visits.

“Once you have an account, you have the option to go passwordless,” said Jing Gu, senior product marketing manager at Beyond Identity. “You give an email address to us, we send you an email, and that creates the binding.”

The challenge all these companies face is to get website operators to adopt their solutions. And the more players in the market, the less likely it is that anyone will achieve critical mass. “True passwordless security will be really hard to attain just because of the sheer volume of sites,” Bond said. “Finding a way for standards to coexist rather than compete is the way to get there.”

In the meantime, protect yourself. Invest a few bucks in a password manager, observe the 12-character rule, and activate multifactor authentication on all sensitive accounts. It’s a pain, but if you’ve ever had your identity compromised (as I did three years ago) you’ll understand it’s more than worth the trouble.

Next Read This:

• Consumers are done with passwords, ready for more innovative authentication
• What is passwordless authentication?
• The truth about passwordless authentication
• Best password managers of 2021
• Why the future is passwordless
• The problem with ‘complex’ passwords