Passwords have been a critical element of the work we do here at Compass IT Compliance since our founding over a decade ago. Whether it is educating individuals on best practices for creating strong passwords, writing a password policy, running automated tools to attempt to crack a password, or scanning the dark web for stolen organizational passwords, the concept of robust passwords has been a cornerstone of our efforts to strengthen the security posture of organizations across the nation. Without multi-factor authentication (MFA) in place, a password is often a single point of failure that opens the door to a trove of valuable data and privileges. And sadly enough, far too many individuals and organizations still do not require MFA. Many times, a password is compromised without the user ever knowing, and sometimes, through no fault of the user's own, the organization that stores their password suffers a data breach.
While MFA has come a long way toward addressing these issues and removing the password as a single point of failure, it is abundantly clear that we would see tremendous benefit from a world without passwords, both in terms of security and in terms of convenience, since nobody would have to remember dozens of unique passwords (and we have all been lectured plenty of times about the risks of reusing them). So it should come as no surprise that numerous organizations have spent years working toward a solution that could replace the need for passwords. This past May, Microsoft, Google, and Apple announced a joint commitment to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium (W3C). A recent Google blog post described the passwordless future as follows:
When you sign into a website or app on your phone, you will simply unlock your phone — your account won’t need a password anymore.
Instead, your phone will store a FIDO credential called a passkey which is used to unlock your online account. The passkey makes signing in far more secure, as it’s based on public key cryptography and is only shown to your online account when you unlock your phone.
To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access. Once you’ve done this, you won’t need your phone again and you can sign in by just unlocking your computer. Even if you lose your phone, your passkeys will securely sync to your new phone from cloud backup, allowing you to pick up right where your old device left off.
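The "public key cryptography" the quoted post refers to is the heart of why a passkey resists the breaches described above. The following is an added illustration, not code from Google, the FIDO Alliance, or Compass IT Compliance: a deliberately simplified model of the passkey challenge-response in Go (the real WebAuthn protocol adds CBOR-encoded authenticator data, counters, and attestation, none of which are modelled here). The names `Authenticator`, `RelyingParty`, and the relying-party id `example.com` are assumptions for the example. The phone holds the private key and signs a fresh server challenge only while unlocked; the website stores only the public key, so a breach of its user database leaks nothing that can be replayed, and a signature produced for a different site or reused after the challenge expires is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authenticator models the phone: it holds the private key and never exports it.
// (Simplified model of a FIDO authenticator, written for this example.)
type Authenticator struct {
	priv     ed25519.PrivateKey
	pub      ed25519.PublicKey
	unlocked bool
}

// NewAuthenticator generates a fresh key pair, as a phone does when a passkey is created.
func NewAuthenticator() (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, pub: pub}, nil
}

// PublicKey is the only key material that ever leaves the device.
func (a *Authenticator) PublicKey() ed25519.PublicKey { return a.pub }

func (a *Authenticator) Unlock() { a.unlocked = true }
func (a *Authenticator) Lock()   { a.unlocked = false }

// Sign signs the challenge bound to the site (relying party) id, but only while the
// phone is unlocked; this is the "unlock your phone" step in the quoted post.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("authenticator is locked: user verification required")
	}
	return ed25519.Sign(a.priv, signedData(rpID, challenge)), nil
}

// signedData binds the challenge to the relying party so a signature made for one
// site cannot be presented to another.
func signedData(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}

// RelyingParty models the website: it stores public keys and single-use challenges only.
type RelyingParty struct {
	id      string
	users   map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{
		id:      id,
		users:   make(map[string]ed25519.PublicKey),
		pending: make(map[string][]byte),
	}
}

// Register stores the public key; no secret reaches the server database.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) {
	rp.users[user] = pub
}

// Challenge issues a fresh random nonce for one sign-in attempt.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks the signature against the stored public key and the outstanding
// challenge; the challenge is consumed so a captured signature cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, haveUser := rp.users[user]
	c, haveChallenge := rp.pending[user]
	delete(rp.pending, user) // single use, whether or not the check succeeds
	if !haveUser || !haveChallenge {
		return false
	}
	return ed25519.Verify(pub, signedData(rp.id, c), sig)
}

func main() {
	phone, _ := NewAuthenticator()
	site := NewRelyingParty("example.com") // assumed relying party id
	site.Register("alice", phone.PublicKey())

	challenge, _ := site.Challenge("alice")
	phone.Unlock()
	sig, _ := phone.Sign("example.com", challenge)
	fmt.Println("first sign-in accepted:", site.Verify("alice", sig))
	fmt.Println("replay of same signature accepted:", site.Verify("alice", sig))
}
```

Running it prints `true` for the first sign-in and `false` for the replay. The design point worth noticing is what the server side holds after registration: a public key and a short-lived nonce, nothing that a database breach turns into credentials usable elsewhere.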
There are certainly still some considerations to work out, such as what happens if your phone is lost or rendered unusable and you cannot access your cloud backup for some reason (circling back to the forgotten/stolen password dilemma). With your phone now serving as the primary authenticator for your accounts, this could pose a real challenge. Even so, it seems likely that such concerns will be ironed out, given the enormous investment being made in this area by the world's biggest technology companies.
It is now just a matter of time before we see wide-scale implementation of this technology. Last September, Microsoft announced that its users could go fully passwordless to access services like Windows, Xbox, and Microsoft 365. At Apple's Worldwide Developers Conference (WWDC 2022) last month, the company announced it will launch passwordless logins across Macs, iPhones, iPads, and Apple TVs around September of this year. GitHub's CEO recently announced he wants the company to go passwordless by 2025. These are just a few of the countless headlines regarding the world's imminent shift to a passwordless future. It will take some time after widespread adoption before this technology becomes a requirement in the various frameworks and regulations that govern information technology and data security. For those who maintain a password manager with dozens (or even hundreds) of unique passwords, the good news is that we are now closer than ever to ditching those frustrating passwords once and for all!