For many of us, passwords have become a cumbersome inconvenience, a necessary evil to protect our private data from falling into the wrong hands. However, with the growing number of phishing attacks and the need for complex passwords, this protection has become a labyrinthine system of text message codes, secret questions, and other tricks to verify identity.
According to a recent ExpressVPN survey, the average person spends three minutes and 46 seconds resetting a password each time they forget it. The same survey found that about half of all Americans surfing the web reset their passwords at least once a month, with similar findings in France and the UK. However, Germans seem to forget their passwords a tad less often, with only 35% needing to reset them at least once a month.
But the days of passwords may soon be numbered as biometrics become a more secure and user-friendly alternative.
Leading tech companies, including Apple, Google, and Microsoft, have committed to phasing out passwords through the FIDO Alliance's passwordless system. This initiative, first started in 2013 by various technology companies with the goal of reducing the world's reliance on passwords, marks a significant step towards a more secure and convenient way of accessing online accounts. But is this approach without its own faults?
The Problem with Passwords
Passwords are often hard to manage, with many users opting for the same sequence across multiple accounts. A study found that nearly half of all users reuse the same password for different accounts with minor variations, making it easier for cybercriminals to gain access to multiple accounts if they get hold of just one password. That is a huge vulnerability in the age of data breaches and password leaks, as a hacked database on a single platform could expose your sensitive personal information across other online properties.
This problem is compounded by the fact that many users choose passwords based on personal information, such as their birthdays or their pets' names, making them even easier for cybercriminals to discover. Indeed, a quarter of Americans use passwords like "password," "Qwerty," and "123456."
While password managers and two-factor authentication offer some welcome improvements, most people's current experience of authenticating on the open web is annoying at best and outright dangerous at worst, due to the many security vulnerabilities. That is why there has been industry-wide collaboration to create sign-in technology that is more convenient and more secure.
The tech industry is moving towards biometrics as a safer and more convenient way to access online profiles. If you have a smartphone with a fingerprint sensor or facial recognition technology, you already use a biometric system. The FIDO passwordless identification standards are already in use in billions of browsers worldwide, according to Andrew Shikiar, Executive Director of the FIDO Alliance.
Biometrics offers the perfect combination of convenience and security. It is based on the three basic principles of security: something you know (a password), something you have (a card or mobile), and something you are (a fingerprint or iris). With biometrics, accessing a web page or application will be as simple as unlocking your smartphone. A secondary trusted device acts as a "key" to provide an extra layer of security, making two-factor verification obsolete.
With the new announcement, users across the FIDO platform have two new capabilities for more seamless and secure passwordless sign-ins:
- Automatic access to their FIDO sign-in credentials (referred to by some as a “passkey”) on many of their devices, even new ones, without re-enrolling every account.
- The possibility of using FIDO authentication on their mobile device to sign in to an app or website on another nearby device, such as a desktop computer or tablet, regardless of the OS platform or browser they are running.
These new features are expected to come online across Apple, Google, and Microsoft products over the course of 2023.
However, the next challenge will be ensuring the safe storage of biometric data, warns José María Avalos, an expert in cybersecurity and director at BeDisruptive, in an interview with EL PAÍS.
Although biometric security is more robust and difficult to crack than other authentication methods, such as username-password combinations, it also leaves users more vulnerable if a data breach exposes their biometric credentials. You can't change your fingerprint or iris, so once a hacker gets ahold of such information, your biometric login credentials could be vulnerable for life. Despite this, the future of passwords is uncertain as the tech industry continues to embrace biometrics.
The passwordless journey won't happen overnight, but the end of passwords is imminent. Shikiar explains that the shift from passwords to biometrics will be gradual, but the user experience will improve. With biometrics, accessing online accounts will be as simple and secure as unlocking your smartphone.