Disclaimer: I originally published this article in Oculus Inventa and have reposted it here. You can find the original article at https://oculusinventa.com/2020/09/02/passwords-suck-lets-go-passwordless/
In the 1960s, Fernando Corbató became the first person to incorporate password authentication into a computer system. He wanted to secure access to digital files at MIT, and it was a perfectly reasonable choice for a pre-internet society.
Fast forward to 2020 and there have been no radical changes to how we approach authentication. Most modern internet platforms still authenticate with a username and password, and it's not hard to see why Fernando Corbató himself calls it "kind of a nightmare".
- Data breaches of poorly maintained password databases, and the poor software engineering practices behind them, have become commonplace even at large corporate enterprises
- Password reuse is everywhere; one leaked password hands an attacker the keys to the entire empire
- Users deliberately choose to use short and weak passwords because of the vast numbers of accounts they have to maintain
- 2FA is seen as a nuisance and many users don't bother to enable it
The consequences of poorly built and unmaintained authentication systems have grown even higher as we have succumbed to the convenience of the internet. Many of our essential services, such as banking and healthcare, have been brought online and are at risk of cyberattack. Fernando Corbató did not have millions of cybercriminals trying to bypass his 1960s mainframe, and he certainly did not consider the internet a threat vector when he was designing it.
If we want to truly secure our systems, we need to centralize user identity. Ideally, there would be a single source of truth that authenticates users across a variety of platforms. The purpose is to minimize the number of credentials a user needs to memorize and to reduce the complexity of the authentication systems developers need to build.
I used to believe that centralizing identity was a terrible idea, and in principle it still is, but considering that the average user today has around 90 passwords, it might just be the better option.
In an ideal world, every user would use a unique password for each service and protect every account with two-factor authentication. Developers, on the other hand, would follow sound software engineering practices and industry standards. Bugs would be patched and software would be kept up to date.
This dream is however far from reality.
Only around 12% of Americans use a password manager, and 86% of all passwords are insecure. The most commonly used passwords, in order of prevalence in the Pwned Passwords data set, are:
Yes, two-factor authentication is an excellent way to beef up account security. Microsoft recently revealed that 99.9% of all compromised accounts weren't using 2FA, so it's clearly doing something. But the fact is that the vast majority of end users are simply too lazy to enable it. Yubico, a cybersecurity company and hardware manufacturer, published a study indicating that around 67% of all users do not use any form of 2FA.
If end users find 2FA too laborious to set up, it is not their fault when they don't. Developers calling end users stupid for not enabling 2FA isn't going to solve any of these problems. Idiot-proof systems are fundamentally more secure systems.
Most complaints about 2FA come down to inconvenience. If the majority of users believe that security is worth sacrificing for extra convenience, so be it. Digital platforms should offer 2FA as a nice additional feature, but they should not expect the vast majority of users to enable it.
Passwordless OpenID Connect and email links
Currently, integrating OpenID Connect or sending email links is the least complex and most accessible form of passwordless authentication. OpenID Connect is the protocol behind buttons such as Sign in with Google or Facebook. By centralizing identity in an email or third-party account, we offload the responsibility of authentication to the email or third-party provider.
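The email-link flow above is simple enough to fit in a few dozen lines, and the details are where it goes wrong: the token must come from a CSPRNG, only its hash should be stored, and a link must expire and be redeemable once. The following is an added example written for this repost, not code from the original article or from any product it mentions; the 15-minute lifetime, the in-memory store standing in for a database table, and the URL shape are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: a link is good for 15 minutes


@dataclass
class PendingLink:
    email: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Issues and redeems single-use, time-limited e-mail login links.

    Added illustration of the e-mail-link flow, not code from the article.
    An in-memory dict stands in for the database table, and issue() returns
    the URL instead of sending mail.
    """

    def __init__(self, base_url: str, now: Callable[[], float] = time.time):
        self.base_url = base_url
        self.now = now                               # injectable clock, so expiry is testable
        self._pending: Dict[str, PendingLink] = {}   # keyed by hex SHA-256 of the token

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash of the token is stored: a leaked table does not yield usable
        # links, and looking up by hash avoids a secret-dependent string comparison.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a token for `email` and return the link that would be mailed to it."""
        token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG, never a timestamp or counter
        self._pending[self._key(token)] = PendingLink(
            email=email.strip().lower(),
            expires_at=self.now() + TOKEN_TTL_SECONDS,
        )
        # The caller should respond identically whether or not the address has an
        # account, so the request endpoint cannot be used to enumerate users.
        return f"{self.base_url}/login/verify?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the authenticated e-mail address, or None if the link is unknown, expired or used."""
        record = self._pending.get(self._key(token))
        if record is None or record.used:
            return None
        if self.now() > record.expires_at:
            del self._pending[self._key(token)]      # expired: drop it
            return None
        record.used = True                           # burn before returning: no second redemption
        return record.email
```

One deployment caveat: corporate mail-security gateways prefetch links in incoming mail, which would burn a single-use token before the user ever sees it. The verify page should therefore consume the token on an explicit user action (for example a POST from a confirmation button) rather than on the initial GET.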
By going passwordless we can:
- Reduce the complexity of authentication systems, thereby reducing the likelihood that a bug will cause a large-scale security catastrophe; Dropbox's 2011 bug that let anyone log in without the correct password is a good example
- Eliminate password reuse
- Eliminate the risk of weak passwords
That being said, there are valid concerns about the disastrous consequences of your email or OpenID account being breached.
Those concerns, while very real, pose a much smaller risk. The most popular OpenID providers, Google and Facebook, and the most popular email services, Gmail and Outlook, all have dedicated security teams, developers who practice robust password storage, and platforms that enforce reasonable password requirements for new accounts. In short, as a developer, I trust Google, Facebook, and Outlook more than I trust myself and the company I work for.
Reducing password reuse is critical for preventing targeted attacks on an individual scale. A reused password obtained during a breach can have disastrous consequences for every platform the user has signed up for.
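Trusting the provider does not remove the relying party's own obligations: the application still has to tie the callback to the browser session (state), tie the ID token to its own request (nonce), and check issuer, audience, lifetime and email_verified before believing the address. The following is an added example written for this repost, not the article's code and not any provider's SDK. It assumes the ID token's signature has already been verified against the provider's published keys by a JOSE library, so the token is passed in as its decoded claims; the issuer, client ID and endpoint values are placeholders.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional
from urllib.parse import urlencode


@dataclass
class LoginResult:
    subject: Optional[str] = None   # provider's stable user id (`sub`); key accounts on this, not on e-mail
    email: Optional[str] = None     # verified address, lower-cased
    error: Optional[str] = None     # set on failure, names the check that failed


def _same(a: str, b: str) -> bool:
    # constant-time compare on bytes; works for any input the callback may carry
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class OidcRelyingParty:
    """Relying-party side of the OpenID Connect authorization code flow.

    Added illustration, not the article's code. Signature verification of the
    ID token is assumed to have happened already; this class shows the checks
    that remain the application's responsibility.
    """

    def __init__(self, issuer: str, client_id: str, redirect_uri: str, authorize_endpoint: str,
                 now: Callable[[], float] = time.time, clock_skew: int = 60):
        self.issuer = issuer
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.authorize_endpoint = authorize_endpoint
        self.now = now                     # injectable clock, so expiry is testable
        self.clock_skew = clock_skew       # seconds of tolerance for provider/app clock drift
        self._sessions: Dict[str, Dict[str, str]] = {}   # session id -> state/nonce (stands in for a session store)

    def start_login(self, session_id: str) -> str:
        """Record a fresh state and nonce for this session and return the redirect URL."""
        state = secrets.token_urlsafe(16)   # binds the callback to this browser session (login CSRF)
        nonce = secrets.token_urlsafe(16)   # binds the ID token to this request (token replay)
        self._sessions[session_id] = {"state": state, "nonce": nonce}
        params = {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                  "scope": "openid email", "state": state, "nonce": nonce}
        return f"{self.authorize_endpoint}?{urlencode(params)}"

    def complete_login(self, session_id: str, returned_state: str, claims: Dict[str, Any]) -> LoginResult:
        """Validate the callback state and the (signature-verified) ID token claims."""
        pending = self._sessions.pop(session_id, None)   # one shot: a replayed callback fails
        if pending is None:
            return LoginResult(error="no login in progress for this session")
        if not _same(pending["state"], returned_state or ""):
            return LoginResult(error="state mismatch")
        if claims.get("iss") != self.issuer:
            return LoginResult(error="unexpected issuer")
        aud = claims.get("aud")
        audiences = [aud] if isinstance(aud, str) else list(aud or [])
        if self.client_id not in audiences:
            return LoginResult(error="token not issued for this client")
        if len(audiences) > 1 and claims.get("azp") != self.client_id:
            return LoginResult(error="azp must name this client when aud has several entries")
        now = self.now()
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or now > exp + self.clock_skew:
            return LoginResult(error="token expired")
        iat = claims.get("iat")
        if not isinstance(iat, (int, float)) or iat > now + self.clock_skew:
            return LoginResult(error="token issued in the future")
        if not _same(pending["nonce"], str(claims.get("nonce", ""))):
            return LoginResult(error="nonce mismatch")
        # Only trust an address the provider itself has verified; otherwise anyone can
        # register at the provider with a victim's e-mail and log in as them here.
        if claims.get("email_verified") is not True or not claims.get("email") or not claims.get("sub"):
            return LoginResult(error="e-mail address not verified by provider")
        return LoginResult(subject=str(claims["sub"]), email=str(claims["email"]).lower())
```

The pop of the session entry before any check is deliberate: whether the callback succeeds or fails, the state and nonce are spent, so an attacker who captures a callback URL cannot retry it against the same session.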
Why not just use a password manager?
Yes, password managers are handy, but they serve exactly the same purpose as your OpenID provider or email account: they centralize identity by letting you sign in to any of your accounts with one master username and password. A breach of your password manager is equivalent to a breach of your Google, Facebook, or Outlook account.
The only difference is that password managers are optional and, as noted above, only 12% of users decide to use one. If more websites make the push and force passwordless authentication on all of their users, they will be enforcing password-manager-level security for every single user, whether or not they actually use one.
Leaving passwords behind
Going passwordless with OpenID Connect or email isn't a radical idea. Medium is a good example of a forward-thinking platform that actually forces passwordless authentication: to sign up, you need a Google account, a Facebook account, or an email address.
Tech giants such as Google and Microsoft are also moving away from passwords and have been exploring options to allow you to sign in with your phone or a physical security key.
Google has in the past shown considerable interest in passwordless authentication, experimenting with tools that let third-party developers authenticate users by face shape, voice patterns, and typing patterns. Recently Gradient Ventures, Google's AI-focused venture fund, funded a company developing typing-pattern authentication tools for developers.
A more secure passwordless future
Although biometric and security-key-based authentication is more secure still than email links or OpenID Connect, it is far-fetched to expect the vast majority of users to have access to such technology. Not all of us have fingerprint scanners on our phones and laptops, but that day is coming quickly.
That being said, I do fear the day when Google and Facebook will force you to sign up for an account using a photo of your face or a scan of your fingerprint, once the technology becomes more commonplace.