
We’re a Long Way From a Passwordless Reality

Today, most users must remember two things to authenticate themselves on their online accounts—a username and a password. Security-conscious end-users opt for multifactor authentication (MFA), which requires further proof of identity beyond those credentials.

Standard authentication factors fall under three categories: something the user knows, something they have, or something they are. Examples include user biometrics, one-time passcodes (OTP), and answers to secret questions. USB security keys and authentication apps are other authentication tools.

For many end-users, that’s too many things to remember and too much activity just to access a site. It’s tedious, frustrating, and time-consuming, which can lead to bad password habits, like password reuse.

The dream of a passwordless future

Apple, Google, and Microsoft plan a passwordless future with simple user authentication and access to apps and websites. Someday end-users may need only their device and their face, fingerprint, or PIN to log into all websites. No more remembering or entering long strings of random characters to gain access. No more password managers, and no more password reuse, sharing, or writing passwords down—sounds great, right?

Passwordless technology uses the user’s device as an authentication factor: the user browses to a site, selects their account, and then proves their identity with a face or fingerprint scan or a simple PIN, just as they do when unlocking the device.

There is nothing to remember unless users choose the PIN option, which can typically be anything they like. And depending on the site’s security policies, they may not have to use MFA.

In a passwordless age, users could enjoy the freedom of knowing that no one can steal or guess a password and log in to their accounts. Criminal hackers would need the user’s device and biometrics or PIN to log in to their account. Phishing and brute force attacks using passwords would end. Criminals couldn’t breach password databases because they would no longer exist. Plus, end-users could save time and avoid the headaches of managing and remembering passwords, and they wouldn’t have to change their passwords ever again.

Passwordless technology would work on all of a user’s devices. The user would use a cloud account, such as iCloud, to store their passwordless credentials for use across devices they own. Passwordless technology doesn’t support authentication on devices the user doesn’t own or control.
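The device-and-gesture flow described above, reduced to its essentials as an added example (this is illustrative code written for this page, not code from the article or from Apple, Google or Microsoft): the device keeps one private key per site, releases it only after a local unlock, and signs a fresh challenge that is bound to the site's identifier; the site stores public keys only. It assumes a site is named by a string such as `bank.example`, that a PIN string stands in for the face/fingerprint/PIN unlock, and uses Ed25519 from the Go standard library. Real passkeys use the FIDO2/WebAuthn protocol, which this sketch models rather than implements.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device: one private key per site, released only after the local unlock gesture (assumption: a PIN string stands in for face, fingerprint or PIN).
type Authenticator struct {
	pin   string
	creds map[string]ed25519.PrivateKey // keyed by site identifier; never leaves the device
}

// RelyingParty models the website. It stores public keys only, so a breach of its user table yields nothing that can be guessed, cracked or replayed.
type RelyingParty struct {
	ID         string
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte // one outstanding challenge per user
}

func NewAuthenticator(pin string) *Authenticator {
	return &Authenticator{pin: pin, creds: map[string]ed25519.PrivateKey{}}
}
func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register creates a fresh key pair bound to one site and returns only the public half.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a.creds[rpID] = priv
	return pub
}

// BeginLogin issues a fresh random challenge so that a captured response cannot be replayed.
func (rp *RelyingParty) BeginLogin(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[user] = c
	return c
}

// signedData binds the challenge to the site identifier, so a signature produced for a look-alike domain never verifies at the real site: that binding is the phishing resistance.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID + "\x00")) // NUL separator between site name and challenge
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert checks the local gesture, picks the key for the site being visited and signs the challenge. A site the user never registered with gets nothing back.
func (a *Authenticator) Assert(rpID, pinEntered string, challenge []byte) ([]byte, error) {
	if pinEntered != a.pin {
		return nil, errors.New("user verification failed")
	}
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no credential registered for this site")
	}
	return ed25519.Sign(priv, signedData(rpID, challenge)), nil
}

// FinishLogin verifies the signature with the stored public key over the outstanding challenge and the site's own ID; the challenge is consumed on first use.
func (rp *RelyingParty) FinishLogin(user string, challenge, sig []byte) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	want, ok := rp.challenges[user]
	if !ok || !bytes.Equal(want, challenge) {
		return errors.New("challenge mismatch or replay")
	}
	delete(rp.challenges, user)
	if !ed25519.Verify(pub, signedData(rp.ID, challenge), sig) {
		return errors.New("signature not valid for this site")
	}
	return nil
}

func main() {
	device, site := NewAuthenticator("1234"), NewRelyingParty("bank.example")
	site.pubKeys["alice"] = device.Register("bank.example") // enrolment stores the public key only
	challenge := site.BeginLogin("alice")
	sig, _ := device.Assert("bank.example", "1234", challenge)
	fmt.Println("login:", site.FinishLogin("alice", challenge, sig))  // <nil>
	fmt.Println("replay:", site.FinishLogin("alice", challenge, sig)) // challenge mismatch or replay
}
```

Three properties from the article fall out of the structure: there is no shared secret to steal from the site (only public keys), a captured response is single-use (the challenge is deleted once checked), and a look-alike domain either gets no signature from the device or gets one that the real site's verification, which signs its own ID into the check, rejects.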

Unfortunately, a passwordless reality isn’t here quite yet

A passwordless future sounds fantastic, but passwords will remain a backup authentication method until passwordless technologies mature. Few websites are currently compatible with passwordless authentication. The majority of websites will need to continue to store passwords because decades will pass before every user has the hardware and software they need to use passwordless authentication.

Even in the passwordless setup that Windows advertises, passwords still matter, particularly as a backup method. The latest Windows release breaks the Windows Hello biometrics and PIN setup that users already count on for passwordless authentication.

Last September, Microsoft said commercial users of Microsoft apps and services, such as Outlook, OneDrive, and Microsoft Family Safety, could remove the password from their Microsoft accounts entirely. But Windows 11 version 22H2 breaks the Windows Hello authentication technology.

Windows users can experience Windows Hello sign-on failures with face recognition, fingerprints, and PINs. The Windows 11 bug affects users who set up Windows Hello before installing the Windows 11 2022 Update (22H2).

Whenever Windows Hello fails, the Windows 11 system reverts to user passwords, using either the online passwords for the Microsoft accounts connected to their devices or the offline passwords on their Windows machines. So, users who have counted on Windows Hello for years must hunt for or reset their passwords and use them again.

Passwordless advancements in biometrics and PIN codes have come a long way, but if end-users use PINs with Windows Hello (including Windows Hello for Business) and the PIN stops working, or they forget it, they must use their password to log in.

Securing your password policy while passwords are still around

For better or worse, passwords aren’t going away anytime soon. Passwords are the most reliable and widely used authentication mechanism for online resources to date.

As long as passwords are active, criminal hackers will use them to access organizations. Organizations need solid password policies to safeguard Active Directory against breached passwords to prevent hacker access.

Luckily, the password doesn’t have to be such a weak point of your IT security infrastructure. Specops Password Policy with Breached Password Protection blocks over 3 billion breached passwords, including passwords on breach lists from the dark web and passwords in use in current attacks. Plus, Specops Password Policy helps users create stronger passwords in Active Directory with dynamic, informative client feedback. This Active Directory software extends the functionality of Group Policy and simplifies the management of fine-grained password policies.
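How a breached-password check of the kind described above can work, as an added illustration for this page (it is not Specops' code and makes no claim about how their product is built): a candidate password is hashed, and the first five hex characters of the hash select a bucket of known-breached hash suffixes, which is the k-anonymity "range" lookup used by public breached-password services; the password itself never leaves the machine. The leak list and policy thresholds are constructed for the example, and the policy reports every failing rule so the client can give the kind of feedback the article mentions.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode"
)

// BreachIndex maps the first five hex characters of an upper-case SHA-1 password hash to
// the set of hash suffixes found in a breach corpus. A client reveals only the prefix and
// matches the suffix locally, so the candidate password is never sent anywhere.
type BreachIndex map[string]map[string]bool

// sha1Hex returns the upper-case hex SHA-1 of a password, the form breach corpora are
// published in. SHA-1 is acceptable here only as a lookup key, never as a password store.
func sha1Hex(pw string) string {
	sum := sha1.Sum([]byte(pw))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// BuildIndex turns a list of leaked plaintexts into a prefix index. A real deployment
// would load a pre-hashed corpus rather than plaintexts.
func BuildIndex(leaked []string) BreachIndex {
	idx := BreachIndex{}
	for _, pw := range leaked {
		h := sha1Hex(pw)
		prefix, suffix := h[:5], h[5:]
		if idx[prefix] == nil {
			idx[prefix] = map[string]bool{}
		}
		idx[prefix][suffix] = true
	}
	return idx
}

// Policy is a minimal fine-grained password policy: a length floor, a character-class
// floor and a breach check. Thresholds are constructed for the example.
type Policy struct {
	MinLength  int
	MinClasses int
	Breached   BreachIndex
}

// classes counts how many of lower, upper, digit and other appear in the password.
func classes(pw string) int {
	var lower, upper, digit, other bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true
		}
	}
	n := 0
	for _, b := range []bool{lower, upper, digit, other} {
		if b {
			n++
		}
	}
	return n
}

// Evaluate returns every reason a candidate is rejected; an empty slice means accepted.
// Reporting all reasons, not just the first, is what lets a client show useful feedback.
func (p Policy) Evaluate(candidate string) []string {
	var reasons []string
	if len([]rune(candidate)) < p.MinLength {
		reasons = append(reasons, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}
	if classes(candidate) < p.MinClasses {
		reasons = append(reasons, fmt.Sprintf("fewer than %d character classes", p.MinClasses))
	}
	h := sha1Hex(candidate)
	if p.Breached[h[:5]][h[5:]] { // nil bucket simply reads as false
		reasons = append(reasons, "found in breach corpus")
	}
	return reasons
}

// sampleLeaks is a constructed stand-in for a real breach list.
var sampleLeaks = []string{"Password1", "Summer2022!", "Summer2022!Summer", "Welcome123", "qwerty"}

// DefaultPolicy builds the example policy over the constructed leak list.
func DefaultPolicy() Policy {
	return Policy{MinLength: 12, MinClasses: 3, Breached: BuildIndex(sampleLeaks)}
}

func main() {
	p := DefaultPolicy()
	for _, c := range []string{"Summer2022!Summer", "abc", "correct-horse-Battery-9"} {
		fmt.Printf("%-28q -> %v\n", c, p.Evaluate(c))
	}
}
```

The case worth noticing is a password like `Summer2022!Summer`: it satisfies the length and complexity rules that a plain Group Policy password policy can express, and is rejected only by the breach lookup, which is the gap that breached-password protection closes.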

Until a passwordless future becomes a reality, you can reduce the risk that weak and breached passwords pose in your Active Directory with the help of Specops Password Policy.