The Life and Death of Passwords: The Tipping Point in Passwordless Adoption
Our documentary, “The Life and Death of Passwords,” explores with industry experts the history of passwords, why passwords have become less effective over time, and how trust is established in a passwordless future. With this interview series, we take a deeper dive into their insights and share bonus footage.
Today: Christi Volny, a senior software engineer for the Duo Single Sign-On platform at Cisco Security, discusses the breaking point for passwords, the tipping point for passwordless, and she trusts the math.
How passwordless solves for password problems
Chrysta: What does passwordless mean, and how does that differ from traditional password-based authentication?
Christi: Passwordless authentication specifically is any primary factor authentication that is not requiring the user to remember a passphrase or password. That obviously differs from password authentication, in which the user has to remember some secret and that’s what grants them access to the system.
The primary difference between password and passwordless authentication is that password authentication is based on the user remembering some secret. And then that’s something that they know, and that’s what grants them access to the system. As we’ve taken that system, we’ve brought it online and made it computerized, that doesn’t really keep up with the ability of computers to try to break into those systems.
Tell me a little bit about the problems with passwords and how passwordless solves for them.
Passwords rely on something that the user knows and that worked really well in a physical space. So to be able to enter a room, knowing the passphrase to enter that.
As soon as we digitize that, how users interact with these systems is through a computer. And so these are all machine to machine communications, ultimately. By enabling that, what we’ve done is allowed machines to be able to impersonate humans and try to crack passwords. And they can do that much faster than ever previously done in history, which means that we’ve had to increase our password complexity, which pushes past the limits of what humans can actually remember, a meaningful passphrase.
Passwordless authentication relies on other mechanisms than something that the user has to remember, but also keeps in mind that these online cracks are out there and active. So it’s relying on usually math, hard enough math that’s going to prevent a machine from being able to guess this guess the solution.
Password crackers have existed for decades now. Why are we reaching a breaking point in passwords now? Why does it seem to be kind of past a tipping point that a good enough solution is no longer good enough?
Although password cracking has existed for decades prior, Moore’s Law being as it is, there has been an exponential increase year over year of the amount of password guesses or attempts that can be tried. Combine this with the fact that with the internet, all of our systems are connected now, and we’re having distributed online attacks.
The combination of being able to make more guesses per second and then from different endpoints enables crackers to bypass most of the security and mitigations that we’ve put in place to shore up password-based authentication.
Making passwordless technology ubiquitous
Chrysta: Consumers are already starting to unlock their phones, computers and accounts with their faces and fingerprints. How do you think things will be different in 5 to 10 years from the average user’s perspective? Will we all still be dealing with hundreds of passwords like we do now?
Christi: Now that we have these smarter devices in our pockets that have fingerprint and face unlock available to us, we’re starting to use those more and more in our day-to-day life [...] That’s pushed a lot of technologies into individual users’ hands that allow them to start relying on passwordless authentication and to be able to stop using as many passwords.
I think over the next few years, we’re going to start seeing this developed further into this idea of our devices having awareness of their context or position relative to us, our users, whether we’re interacting with it.
If we leave our phone down for a moment on the table, it should probably have a different security posture than if it’s been in my hand for the last five minutes. I think that authentication and continued authorization is going to start taking those sort of metrics into account, as they make determinations of whether a user needs to be re-prompted or not.
What are the biggest hurdles that are slowing wider adoption and use of these methods?
The biggest hurdles slowing the adoption of passwordless and adaptive authentication is predominantly access to the equipment. The second one is a mental model of how this works.
The first [hurdle] being access is a problem. We still have a significant part of the world that doesn’t have access to smartphones. The idea of asking users to carry around a key fob that contains security tokens is still something that’s difficult and really only prevalent in the enterprise space.
Much of the mitigation around privacy and biometric data is on keeping that information localized to the endpoint. Specifically, when I fingerprint into my phone, that information about my fingerprint does not leave the phone. That is simply just the key to unlock a local secure storage that has other authentication factors that are used for cloud services.
Do you see a tipping point for ubiquity in passwordless? What would be the trigger that moves this from being more of an enterprise or large organization solution, to something that the everyday person uses routinely?
If we look at the history of multi-factor authentication for cloud services, what we see is that as we’ve moved towards more of a single sign-on model or social login…you’ll start to see that services that previously would’ve been difficult to implement passwordless or multi-factor or some other non-username and password-based authentication can now rely on third-party authenticators that can enable them to adopt passwordless multi-factor. So in the same way that switching to logging in with your Twitter or Google account allowed you to introduce MFA into your login process, switching to services that provide passwordless single sign-on will also empower adoption for more services.
What are some of the other technological milestones that are enabling this, taking passwordless from an aspirational method to an implementable one?
Some of the technological milestones that have enabled us to adopt passwordless authentication more widely have been standardization. What started in 2008 as mobile transactions with your fingerprint later were ratified into specs, such as FIDO and FIDO2. And this gives device vendors, service providers, identity providers, a model to be able to communicate between one another.
So there’s an element, not just of technological requirements, but developing a common language or a common agreed set of standards to build around?
I think like any other time, humans need to talk to other humans or systems to other systems. We need to develop a common framework and language to be able to communicate. And specifications are the ways that we do that in computer technology.
The future of passwordless
Chrysta: What excites you about the development of passwordless technology or what are you most looking forward to?
Christi: It’s going to make my life easier, as a system designer and developer but also as an end user. All of us are still using these services. I still have to remember a few dozen passwords. I use a password manager because not everything’s passwordless yet, but that’s really the big win there.
I’m interested in building a safer internet, and this is one of the easy wins that we can accomplish that through. As we know from [the Verizon 2022 Data Breach Investigations Report], in over 80% of all computer breaches, passwords are responsible for part of it. And so if we can attack that low-hanging fruit and replace it with something more robust, that’s a big win for all of us.
What advice would you give the average user who’s concerned about the security of their passwords today while they wait for more widespread passwordless availability? What are some of the ways that you would recommend the average user mitigates the risk of passwords?
So while we’re waiting for ubiquitous passwordless to be available, what options are available for end users today? I would recommend to everyone that they use a password manager. That you start using longer, more complicated passwords. That your password manager is protected either by doing something local on your phone with passwordless, maybe a passphrase that’s stored in the local keychain that you don’t have to remember. It can be intractably hard too.
Is there anything about passwordless that we haven’t touched on today, but you would want to make sure that the average person knows?
One takeaway that I would really want folks to understand about passwordless is that the sort of math and technology that’s going into this, that powers these systems, is no different than what we’re using right now to protect our access to the internet. The sort of cryptography that goes into performing these public key authentications and then storing the private segment on a device. This is the same sort of technology that’s been protecting our web browsers for the last decade. It’s the same technology that protects banks communicating with other banks.
So I trust the math.
Next in our extended interview series: Jayson E. Street, a self-described “hacker-helper-human,” contemplates bad password advice, investing in human behavior, and why social engineering continues to work.