Beyond Passkeys: The Future of Authentication is Usernameless and Passwordless

Let's explore why a passwordless and usernameless future is the next logical step in authentication and how it can be achieved.

Did you know that the first digital password was invented in 1961? It was created by MIT computer science professor Fernando Corbató simply to allow multiple users to share the same computer. Over the years, passwords have become an integral part of our digital lives, and we use them almost every day.

Passwords and usernames have been the standard method of authentication for many years. But these days, they are no longer enough to protect our sensitive information from cyberattacks. Passwords can be guessed, phished or otherwise stolen. 

In this article, we will explore why a passwordless and usernameless future is the next logical step in authentication and how it can be achieved. 

Usernameless authentication allows users to access systems and applications without needing a username. Less to remember means fewer opportunities for user error, making life more convenient while boosting security.  

Passwordless authentication, on the other hand, skips passwords altogether, opting for alternative secure methods such as mobile push notifications, biometrics, or even QR codes. Once you’ve verified your identity via one of these methods, you’re in. It’s like skipping the line at a popular restaurant — feels good and is efficient.  

 

Why We Need a Usernameless and Passwordless Future  

A credential-less future that is both usernameless and passwordless means that users would not need to remember any passwords or usernames. Instead, their identity would be verified through other means, such as biometrics or multi-factor authentication.  

This approach has several advantages, including: 

  1. Increased Security: A usernameless and passwordless future would make it much harder for hackers to gain unauthorised access to user accounts. Biometrics and multi-factor authentication provide an extra layer of security that can significantly reduce the risk of cyberattacks. 
  2. Enhanced Convenience: Remembering multiple usernames and passwords can be challenging, especially for users with multiple online accounts. Eliminating the need for usernames and passwords would make the authentication process much more convenient and user-friendly. 
  3. Cost-Effective: Password management systems can be costly for businesses, especially when dealing with a large number of employees. A usernameless and passwordless future would reduce the need for expensive password management systems, making it more cost-effective for businesses to manage their authentication processes.  

If a future without usernames and passwords sounds like science fiction, you’re in for a treat: it’s closer than you think, and it’s the direction we should be heading. But let’s not stop at just imagining. Let’s also talk about how we transition from here to there.   

To better understand the journey toward a more secure future, let’s explore the Consumer Authentication Strength Maturity Model, a framework that can help us evaluate the robustness of various authentication methods. 

The Consumer Authentication Strength Maturity Model 

Daniel Miessler’s CASMM (Consumer Authentication Strength Maturity Model) serves as a roadmap for internet users to gauge and elevate their authentication practices. It’s not just a measure of your current security posture; it’s a guide to better habits. 

By setting a new standard for what’s considered “secure,” CASMM can shift the collective mindset toward more robust authentication methods. 

8 – Passwordless 
Imagine never having to remember a password again. With passwordless authentication, your second factor of authentication (2FA) comes from a physical token or your device’s built-in trust centre.
Vulnerable to: Hardware compromise and force
Examples: WebAuthn, FIDO2

7 – App-Based Codeless 2FA 
No more scrambling for codes. In addition to managed passwords, this level uses an app that simply asks you to approve or deny an authentication attempt. 
Vulnerable to: Malware and force 
Examples: Some Microsoft Authenticators 

6 – App-Based 2FA Codes 
In addition to managed passwords, a dedicated app generates Multi-Factor Authentication (MFA) codes for you, adding an extra layer of security. 
Vulnerable to: Phishing and malware 
Examples: Authenticator, Authy 

5 – SMS-based 2FA Codes 
In addition to managed passwords, MFA codes are also sent directly to your mobile phone via text message. 
Vulnerable to: Phishing and SIM-swapping
Examples: Any SMS-based authentication 

4 – Password Manager
You’re not just using unique passwords; you’re storing them in a digital vault, encrypted and secure. 
Vulnerable to: Account reset or takeover 
Examples: 1Password, LastPass 

3 – Quality Passwords 
Your passwords are not just unique, but they are long, random, and they include special characters.
Vulnerable to: Password dumps or cracking 

2 – Unique Passwords 
Your passwords are unique but could be stronger. They might be too short or contain easily guessable information. 
Vulnerable to: Live password guessing 
Examples: password123!, qwerty123 

1 – Shared Passwords 
You’re using the same password across multiple platforms. It’s like having one key for every lock in your life. 
Vulnerable to: Credential stuffing 
Examples: Using the same password for personal email, work email, and online banking.

 

Passwordless authentication sits at the pinnacle of CASMM, offering the least vulnerability exposure. 

On the other hand, SMS-based 2FA sits at a maturity level of 5, susceptible to a range of attacks like phishing and SIM-swapping. The goal isn’t just to avoid bad habits; it’s to adopt methods that are as frictionless as they are secure. 

After all, what’s the point of a lock if it’s too complicated to use? So, as we move toward a passwordless future, remember: it’s not just about eliminating passwords but about making security effortless and robust. 

Now that we’ve explored the landscape of authentication methods, let’s take a closer look at one of the emerging technologies that align well with the highest levels of CASMM: Passkeys.

 

What Are Passkeys? 

Passkeys are a modern and secure authentication mechanism designed to replace traditional passwords. They allow users to sign in to websites and apps without having to remember and manage complex passwords.  

A passkey is a unique digital credential that is tied to a user account and a specific website or application. 

Unlike passwords, which can be easily forgotten or hacked, passkeys provide robust protection against phishing attacks. A passkey can be generated using voice, a biometric sensor, such as a fingerprint, iris scan, or facial recognition, a PIN, or a pattern, making them more secure than traditional passwords. 

When a user wants to sign into a website or app that uses passkeys, their browser or operating system will prompt them to select the correct passkey. The process is similar to how saved passwords work today, but with an added layer of security. To ensure that only the rightful owner can access the passkey, the system may require the user to unlock their device using a biometric sensor, a PIN, or a pattern. 

Passkeys provide a passwordless experience across different browsers and operating systems, making them a convenient and secure authentication mechanism. They can be stored securely in the cloud with the user’s other data, which can be restored to a new device if necessary. 

 

The Limitations of Passkeys  

Passkeys may be a step forward in authentication, but they still require users to remember a unique passkey for each account, which can be challenging.

Furthermore, while they are more secure than traditional passwords, they are not entirely foolproof. A hacker can still gain access to a user’s passkey if they compromise the user’s device.

 

Alternative Authentication Methods  

Several alternative authentication methods can be used to achieve a usernameless and passwordless future, including: 

  1. Biometrics. Biometric authentication, such as facial recognition or fingerprint scanning, can be used to identify individuals accurately. Biometric data is unique to each individual and cannot be easily replicated, making it an excellent authentication method. 
  2. Multi-Factor Authentication. Multi-factor authentication requires users to provide two or more forms of verification to gain access to their accounts. This approach adds an extra layer of security to the authentication process. 
  3. Intelligent Authentication Methods. Advances in artificial intelligence and machine learning are making it possible to develop more sophisticated and intelligent authentication methods that can learn from a user’s behaviour and preferences, for example location-based authentication or behavioural biometrics.

Conclusion  

In navigating cybersecurity, it’s becoming abundantly clear that the traditional duo of usernames and passwords is like an aging rock band — still around but no longer the main act. 
 
From the dawn of passkeys to the promise of biometrics and multi-factor authentication, we’re on the brink of an authentication revolution. It’s a shift geared toward enhancing security, simplifying user experience, and making life easier for businesses. As we’ve seen with the Consumer Authentication Strength Maturity Model, the future of authentication is not just about eliminating old methods but adopting new, more secure, and convenient ones. 
 
The next chapter in authentication is being written now. ThunderLabs is at the forefront, helping businesses transition to a usernameless and passwordless future. So the question isn’t if you’ll make the switch — it’s when. 
 
Ready to rewrite the rules? Reach out to ThunderLabs to start your journey toward a more secure, convenient, and cost-effective future in authentication. 
Mark Belfanti

Head of Cyber Security

Mark has been trusted with navigating the most complex of organisations, from ensuring the NBN is cybersecure, to managing the cybersecurity contract of telecoms partnerships at Westpac. Mark has also worked with ASIC, AMP and many others.
