Looking back through history, passwords were never designed to provide strong security. The first computer password was introduced by Fernando Corbató at MIT in the early 1960s to meter access to a shared mainframe, the Compatible Time-Sharing System (CTSS), used by researchers there.

Apparently, the researchers who used the system were not much concerned about security, and CTSS is probably also the first computer system to suffer a data breach: its password file was exposed to ordinary users in the 1960s.

Passwords are easy to attack precisely because they are so simple: a single reusable secret is a single layer of defense that can be guessed, phished or replayed. The number of data breaches involving compromised credentials bears this out. At the beginning of this year, the World Economic Forum predicted that 80% of cyber attacks would be password-related.

Then there is the cost and effort of managing passwords. LastPass found that in 2020 IT teams spent an average of 5 hours a week managing users' passwords. That is more than half a working day that could be spent on more productive work.

Beyond the inherent risk of depending on them, passwords are not convenient, certainly not when the average person has to remember about 100 of them, according to a NordPass study. The study's conclusion is that we now partly understand why people use easy-to-guess passwords: they simply have too many to remember. So it is hardly surprising that people either choose very simple passwords or keep a few and reuse them across all their accounts.

The era of signing in with just a username and password is gradually fading. The future of authentication is being driven by disenchantment with passwords, and the key priorities for upcoming authentication systems are security, trust, management and cost, and user experience.

Security

Passwords are not secure, or at least not any more, and new authentication models are being developed with stronger protection as the goal. One of the biggest risks of passwords is stolen credentials: as noted above, about 80% of cyber attacks are password-related, mostly involving weak or stolen credentials.

Replacing passwords with stronger forms of authentication removes a large class of attacks. Credential stuffing, password spraying and phishing of static secrets all depend on there being a reusable password to steal; take the password away and those attacks have nothing to work with.

Passwordless alternatives such as biometrics use machine learning to make matching more robust, and multi-factor authentication adds an extra layer of protection. Biometrics and hardware tokens also move authentication to the user's side: when the biometric template or private key never leaves the device, the organization holds no personal secret that could be breached or intercepted. The caveat is that this only holds for on-device matching; a central database of biometric templates is personal data that, unlike a password, cannot be rotated if it leaks.

No one has to rely on passwords alone any more; more secure alternatives are available.

Trust

Modern additions to and replacements for passwords, such as Multi-Factor Authentication (MFA) and Risk-based Authentication (RBA), build trust into authentication. MFA adds an extra layer of protection on top of the password; it is more secure but less convenient.

RBA, on the other hand, derives trust from the login context. The system collects contextual information about the attempt (device, network, location, time of day, recent failures) and scores how risky it is, becoming more restrictive as the risk rises: a low-risk login proceeds as usual, a medium-risk one triggers a step-up check such as a second factor, and a high-risk one is blocked.
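The scoring described above, written out as an added example (this is illustration code, not code from the original article or from any particular RBA product). The factor weights, the allow/step-up/deny thresholds, the 900 km/h travel limit and the sample user history are all assumptions chosen for the example; a real deployment would tune them against its own login data.

```python
"""Risk-based authentication: score one login attempt from its context.

Added illustration, not code from the original article. Weights, thresholds,
the travel-speed limit and the sample history below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass(frozen=True)
class Login:
    ts: datetime        # timezone-aware UTC timestamp of the attempt
    country: str        # country code derived from the source IP (assumed)
    device_id: str      # device cookie / client-cert fingerprint (assumed)
    lat: float          # geolocation of the source IP
    lon: float


@dataclass
class UserHistory:
    known_devices: frozenset
    known_countries: frozenset
    last_login: Optional[Login]
    recent_failures: int   # failed attempts in the last 15 minutes (assumed window)


# Assumed weights and thresholds for this example.
WEIGHT_NEW_DEVICE = 30
WEIGHT_NEW_COUNTRY = 25
WEIGHT_IMPOSSIBLE_TRAVEL = 50
WEIGHT_PER_FAILURE = 10     # capped at 30 below
STEP_UP_AT = 30             # score at which a second factor is demanded
DENY_AT = 70                # score at which the attempt is refused outright


def km_between(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres (haversine formula)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(prev: Login, cur: Login, max_kmh: float = 900.0) -> bool:
    """True if the user would have had to move faster than an airliner."""
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    distance = km_between(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        # Out-of-order or duplicate timestamps: only flag a genuinely distant source.
        return distance > 50.0
    return distance / hours > max_kmh


def assess(attempt: Login, history: UserHistory):
    """Return (score, decision, reasons) for one login attempt."""
    score = 0
    reasons = []
    if attempt.device_id not in history.known_devices:
        score += WEIGHT_NEW_DEVICE
        reasons.append("new device")
    if attempt.country not in history.known_countries:
        score += WEIGHT_NEW_COUNTRY
        reasons.append("new country")
    if history.last_login is not None and impossible_travel(history.last_login, attempt):
        score += WEIGHT_IMPOSSIBLE_TRAVEL
        reasons.append("impossible travel")
    if history.recent_failures:
        score += min(history.recent_failures * WEIGHT_PER_FAILURE, 30)
        reasons.append(f"{history.recent_failures} recent failures")

    if score >= DENY_AT:
        decision = "deny"
    elif score >= STEP_UP_AT:
        decision = "step_up"   # e.g. prompt for a hardware key or one-time code
    else:
        decision = "allow"
    return score, decision, reasons


# --- constructed sample data (not real users) --------------------------------
LONDON = (51.5074, -0.1278)
NEW_YORK = (40.7128, -74.0060)
T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
T1 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)


def sample_history(failures: int = 0) -> UserHistory:
    """A user whose last login was from a known laptop in London an hour earlier."""
    last = Login(T0, "GB", "laptop-1", *LONDON)
    return UserHistory(frozenset({"laptop-1"}), frozenset({"GB"}), last, failures)


if __name__ == "__main__":
    for label, attempt, hist in [
        ("same laptop, London", Login(T1, "GB", "laptop-1", *LONDON), sample_history()),
        ("new phone, London", Login(T1, "GB", "phone-9", *LONDON), sample_history()),
        ("same laptop, New York", Login(T1, "US", "laptop-1", *NEW_YORK), sample_history()),
    ]:
        print(label, "->", assess(attempt, hist))
```

The third scenario is the interesting one: the device is known, but London to New York in an hour is not a flight anyone takes, so the attempt is denied outright even without a new device or recent failures. Note that impossible-travel logic depends on IP geolocation, which VPNs and mobile carriers make noisy; that is why the example combines several weak signals rather than acting on any one of them alone.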

Establishing trust is also the idea behind continuous authentication using behavioral analytics. Rather than granting access once and for all, the system keeps working in the background, analyzing patterns of activity to detect signs of compromise.

The landscape of cyber fraud has changed, and even a legitimate login can turn malicious. Continuous authentication provides real-time protection and reduces the risk of session hijacking.

Management and Costs

One benefit of passwordless authentication is that there is simply less to manage, and users find it easier to comply. The difficulty of maintaining passwords is what pushes users toward poor practices such as reusing passwords or choosing ones that are too simple.

Password policies impose many rules on users, and the same applies to other knowledge-based factors such as PINs.

Companies should consider moving to a passwordless system for its lower costs and easier management. Even if a Managed Security Service Provider (MSSP) oversees your organization's security, you can still eliminate the costs that arise from passwords.

According to Yubico's 2019 password report, employees spend about 11 hours a year entering or resetting passwords. At that rate, a company of 15,000 employees loses on average $5.2 million in labor and productivity annually.

User Experience

Convenience has become a key differentiator for modern authentication systems. Systems based on biometrics (including behavioral biometrics), single sign-on and federated identity management are among the most convenient.

None of the three requires users to remember several passwords. With biometrics there may be no password at all, unless one is retained as a factor in MFA.

Smartphone manufacturers quickly moved to biometric login using fingerprints and face recognition (such as Apple's Face ID) so that users can unlock their devices faster and more easily. Likewise, companies such as Google, Facebook and Apple act as identity providers for Single Sign-on (SSO) across countless third-party sites.

SSO should nevertheless be approached with caution, convenient as it is. Like a password manager, it concentrates risk in one place: a compromised identity-provider account opens every service connected to it. That makes the identity-provider login the place to apply the strongest protection available, such as phishing-resistant MFA, and the place to monitor most closely.

Conclusion: The Rise of Passwordless Authentication

From MFA to SSO and hardware tokens, the world has been moving steadily toward less reliance on passwords. The ultimate goal is authentication that is passwordless yet far better protected.

According to the WEF, “passwordless authentication does not mean removing all security barriers to our digitalized society. It means harnessing tools such as artificial intelligence and machine learning to save users time and save the company money.”

In a LastPass survey, 92% of respondents said that delivering a passwordless experience for end users is the future for their organization. The next generation of authentication combines strong protection with a better user experience.

Passwordless models already in use that combine both include biometric authentication (face, iris, fingerprint, palm print, voice, etc.), behavioral biometrics (analyzing behavioral attributes for continuous authentication), hardware keys (OTP generators, token devices, NFC, Bluetooth, etc.) and QR-code authentication.