At a glance
Passwords are an essential line of defence against cybercrime but getting them right – and remembering them – is a nuisance.
Furthermore, passwords are not entirely secure, with research from the World Economic Forum finding that four out of five global data breaches are enabled by weak or stolen passwords.
Passwordless access technology is on the rise and could help businesses make devices, websites and applications more secure, security experts and network data say.
Tech giants go passwordless
Technology companies, including Apple, Microsoft and Google, are increasingly offering passwordless access for their devices and applications.
Microsoft started offering passwordless access to its applications in 2021. Users can completely remove the password from their Microsoft account, deploying any of several commonly used authentication methods instead.
These include the Microsoft Authenticator app, which users download onto their smartphones. It provides them with a one-time passcode to use instead of an enduring password.
As a second step, the app sends a “push approval” to the user’s smartphone, requiring them to confirm that they are trying to log into their Microsoft account.
Another password alternative is Windows Hello, which provides access to Windows 11 devices using a PIN, facial recognition or fingerprint. There is also the option to use a security key – a device that produces a one-time code to log in – or to have verification codes sent to the user’s phone or email.
The perks of going passwordless
Before choosing to go passwordless, organisations may introduce new policies to try to make passwords stronger.
According to Nigel Phair, enterprise director with the Institute for Cyber Security at UNSW Canberra, these policies can sometimes actually make organisations weaker.
For instance, some organisations require staff to regularly change their passwords. While many companies have protocols to prevent password “weakening”, some allow staff to cut corners.
For instance, their password for March might end in the number 3, and when they have to change the password in April, they’ll use the same password, but change the last number to a 4, Phair says.
Other companies have opted out of password-changing requirements in favour of getting staff to use a long password of 25 characters, phrased as a sentence, that they keep secure.
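The month-to-month "weakening" Phair describes can be caught at password-change time. The following is an added example, not code from the article or any vendor: a policy check that rejects a new password whose stem matches the old one once trailing digits, symbols and common leet substitutions are discounted. The substitution table and the 12-character minimum are assumptions of this example.

```python
import re
import unicodedata
from typing import Optional

# Substitutions users apply to satisfy complexity rules without really changing
# the password (heuristic table; an assumption of this example).
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def _canon(pw: str) -> str:
    """Case-fold, Unicode-normalise and undo leet substitutions."""
    return unicodedata.normalize("NFKC", pw).casefold().translate(_LEET)


def _stem(pw: str) -> str:
    """Drop the trailing digits/symbols users increment each month, then canonicalise."""
    return _canon(re.sub(r"[\d\W_]+$", "", pw))


def check_rotation(old: str, new: str, min_len: int = 12) -> Optional[str]:
    """Return a rejection reason, or None when the change is acceptable."""
    if new == old:
        return "new password is identical to the old one"
    if len(new) < min_len:
        return f"new password is shorter than {min_len} characters"
    stem_old, stem_new = _stem(old), _stem(new)
    if stem_old and stem_old == stem_new:
        return "only the trailing digits or symbols changed"
    # Catch the old stem buried inside a longer new password (e.g. a prefix added).
    if len(stem_old) >= 6 and stem_old in _canon(new):
        return "new password still contains the old password's stem"
    return None


if __name__ == "__main__":
    # Constructed sample changes, mirroring the March "3" to April "4" pattern.
    for old, new in [("Springfield3", "Springfield4"),
                     ("Springfield3", "Spr1ngf!eld2024"),
                     ("Springfield3", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_rotation(old, new) or 'accepted'}")
```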
“People invariably have weak passwords, and people invariably use their passwords across multiple log-ins,” Phair says.
Another vulnerability is the huge number of unique passwords users need to remember. Although many people get around the problem with a password manager – a software application designed to store and manage online credentials – this doesn’t eliminate the risk of passwords being guessed, hacked or stolen.
Craig McDonald, CEO and founder of Australian email security company MailGuard, says one of the primary benefits of passwordless access is improved security.
“By eliminating the need for passwords, you also remove one of the most common attack vectors for cybercriminals,” he says.
“Access methods like biometrics or cryptographic keys are unique to each individual, and are therefore more difficult to replicate, whereas passwords can easily be guessed, cracked through brute force attacks, or stolen in phishing scams or data breaches,” McDonald explains.
McDonald advises businesses to use passwordless access where possible, because it will provide them with a higher level of security and reduce the likelihood of successful attacks.
The pitfalls of going passwordless
Going passwordless could solve a lot of challenges for businesses, but it is easier said than done, according to Paul Haskell-Dowland, professor of cybersecurity practice and associate dean for computing and security at Edith Cowan University.
Many apps and websites that offer passwordless access offer the option of using passwords as well. If the password is hacked, then a cybercriminal could potentially gain access.
Some sites and apps allow users to turn off password access, which would make them safer, but many people simply don’t get around to it. “At the moment, the default for almost every site or service that you ever encounter will be to use a password,” Haskell-Dowland says.
Additionally, many sites and apps let people indicate that they don’t have their device, in which case a code might be emailed to them instead. If their email address and password are compromised, an attacker can use that fallback to gain access.
There is also the sheer number of websites we use, creating what Haskell-Dowland calls “the long-tail of security”.
“I’m sure like me, you go to many websites where you still have to put in a password. And I’ve got some 500 or so passwords stored in my password manager. The vast majority of sites that I go to simply don’t offer multi-factor authentication.”
Where to from here?
While cyber security is always evolving, McDonald says the truth is that many vulnerabilities remain in this area.
“It’s a fast-moving space, and you can be certain that the criminals behind these attacks will continue to adapt their approaches accordingly to exploit anything new,” he says.
Additionally, some passwordless authentication methods may require the installation of special software or apps, such as the Microsoft Authenticator, which could be vulnerable to malware.
Octo malware, for instance, a banking trojan virus targeting Android users, has remote access capabilities that render authenticator apps redundant, McDonald says.
“Once a device is infected with Octo, every action the victim makes is tracked by a powerful keylogger, including PINs entered. Victims are often completely unaware that they’ve been compromised, making it difficult to take swift action to mitigate the damage.”
While the advent of passwordless technology may change the way we log into our online accounts forever, it clearly comes with its own set of risks and cyber security considerations. Whatever your method of sign-in, it pays to be vigilant.