It’s widely accepted that passwords are a flawed means of security. People use weak credentials; they can be forgotten, guessed, or exposed in breaches and they’re often reused across services.
Big tech firms including Microsoft, Apple and Google have been moving towards a passwordless future for several years, with solutions such as security keys and more recently, passkeys, starting to take off as part of multi-factor authentication (MFA) setups.
The FIDO Alliance – which most big tech players are members of – is pushing hard for the demise of the password. But what exactly does “the end of the password” mean, in practical terms?
The idea is to eliminate dependence on passwords as a “primary mechanism for user authentication”, says Andrew Shikiar, executive director and CMO at the FIDO Alliance. In practical terms, this means the end of using knowledge-based “secrets” as the foundation to create, sign in, and recover online accounts, he says.
“Passwords simply aren’t fit for purpose to protect today’s connected economy. They are too burdensome for humans to manage effectively and too easy for attackers to leverage to hack into corporate networks.”
The end of passwords: Strong alternatives
There are multiple systems that could help usher in the end of passwords, but no one solution is perfect. For example, biometrics can be secure but come with their own downsides, says Michael Jenkins, CTO at ThreatLocker. “Windows uses facial recognition, which can unlock too quickly, so you might walk away and leave your laptop exposed while it’s still unlocked.”
Fingerprint systems are a lot harder to get around, he says. “But the downside is, it may ask for your PIN number instead. These are a lot easier to guess.”
Passkeys, meanwhile, are “a great idea”, but they still need to be implemented across every website and application, says Darren James, a senior product manager at Specops Software. In addition, they can’t be used for initial login to a device and they aren’t very portable unless you store them on a token – which can be lost, broken, or stolen.
Handling passkeys is very different from passwords, says Mark Stockley, senior threat researcher at Malwarebytes. “Both users and support staff are likely to be less familiar with them, which is a speed bump to adoption.”
Yet Shikiar argues that implementing passkeys for MFA is fairly simple and won’t require most businesses to completely overall their pre-existing security processes. This is because the core functionality is built into the majority of end-user computing devices, enterprise software stacks, and identity management services, he says.
“Many organizations are already using identity management solutions such as Microsoft Entra ID, which already has support for these solutions built-in,” concurs Mark Lomas, technical architect at Probrand.
However, the end of passwords will be easier in some sectors and businesses than in others. It is important to recognize that certain sectors could be forced to continue to use passwords, says Stewart Parkin, global CTO at Assured Data Protection. “Organizations with legacy systems may be challenged in integrating new technologies, while regulatory requirements in certain industries can create the need to continue password-based authentication.”
Software not tied to modern authentication solutions won't be able to take advantage of modern passwordless solutions, or be linked to Entra ID, says Lomas. “It's typically legacy software that will be unable to make the switch. In this case, you'll need to find other routes to add protection, such as hosting the application in a virtual desktop environment like Azure Virtual Desktop and ensuring that access is protected by a passwordless login solution.”
The end of passwords: A future-proof successor
While there are multiple alternatives to passwords, passkeys are the only successor that “has the same availability and ubiquity”, says Shikiar. Therefore, they are the only currently available means to fully replace passwords, he says.
“Passkeys are built on open standards created within the FIDO Alliance and based on tried and tested cryptographic protocols,” says Shikiar. In addition, the technology is supported by all big tech and is device and operating system-agnostic, he says.
Passkeys are “far and away the best password alternative for online authentication”, agrees Stockley. “They are secure, easy to use and the cost of implementation is likely to get lower as they become more widely supported.”
But it’s important to realize that as we approach the end of passwords, replacements will have to compete with passwords which are themselves universally understood and very cheap to implement. “That's really hard,” says Stockley. “They're an authentication standard that dates from an era when managing low computing resources was the priority. Users understand them, support teams know how to support them and developers know how to implement them.”
Discover a powerful technology platform that empowers Managed Services Providers
DOWNLOAD NOW
Taking this into account, while some organizations may eventually go passwordless altogether, for now, many are supplementing passwords with MFA, says Steven Furnell, IEEE senior member and professor of cyber security at the University of Nottingham.
In the future, he predicts a mixed authentication setup will be the main choice for many businesses. “Some systems and services could use traditional passwords, some MFA, and some passwordless.”
Shikiar says there is “no need for any company to hang onto passwords”, but he does concede they will need to be “phased out over time”. Initially, companies may keep them to help with account recovery until other possession-based factors are established, says Shikiar. If you do decide to make further moves away from passwords, the transition will depend on the organization, says Shikiar. “Many will have disparate legacy systems to grapple with, while for others it is more straightforward.”
When taking the plunge, Shikiar recommends a prioritization exercise. “Discover those systems that can migrate most easily and are most urgently in need of higher security.”
Transitioning from a password-centric security model requires a systematic approach, says Parkin. Organizations should begin with a comprehensive assessment for risk management, followed by pilot implementations in less critical areas, he says. “The integration of multi-factor authentication as an interim step can pave the way for a more seamless transition.”
The cyber security skills shortage: What skills are missing?
Businesses can also take a “privileged user” approach by identifying employees with access to sensitive applications, and examining who is the most vulnerable to attacks, says Shikiar. “Migrate these users to phishing-resistant authentication as soon as possible and from there, you can start to work your way across the wider employee base.”
