Nearly 20 years ago, Bill Gates told the RSA Conference that passwords would soon be dead. Today, it's clear that the wider world won't be going passwordless anytime soon, despite recent Gartner forecasts that half of workforce logins and a fifth of consumer logins will be passwordless by 2025. For the general public, the alternatives to passwords are just too difficult to set up and use too many competing standards.
Things are a bit brighter on the workplace side, although as Gartner observed, "Passwordless authentication is an aspiration, not a destination." If your organization is willing to be patient and persistent, it can become passwordless over the course of (at least) several months. Microsoft is a leader in this field and has formulated a "glide path" that any company can follow.
The problems with passwordless
Passwords are often dumb, often repeated and just too easy to steal. They're clearly a security risk and the information-security community is right to want to move on to something else.
Yet passwords are still holding on because they're easy to use and everyone understands how they work. Meanwhile, most forms of passwordless authentication are difficult to set up, and with a dozen different methods available, there's no point for end users to make the switch until one or two formats emerge as the dominant passwordless standards.
Gartner's Ant Allan wrote in the company's guide to passwordless authentication that "identity and access management (IAM) leaders seeking to eliminate passwords are often uncertain of what passwordless authentication should actually look like" and are discouraged by "the lack of a universal approach." The same can be said of consumers.
As users, we can choose among eye scans, face scans, fingerprint scans, push notifications, authenticator apps, magic links, SMS notifications, QR codes, pattern unlocks, USB security keys, Bluetooth security keys, and phone-based security keys. Under the hood, authentication programs use WebAuthn, FIDO, FIDO2, Windows Hello, Touch ID, Face ID, time-based one-time passwords (TOTP) and many more technologies.
Many of these methods are also used for two-factor/multi-factor authentication (2FA/MFA), and the pitiful uptake statistics for 2FA don't bode well for passwordless. Twitter reported that as of December 2021, only 2.6% of its active accounts had 2FA enabled, 75% of which used SMS notifications. Google has had more success with its own accounts, but only because it automatically enrolls smartphones as a second factor — without eliminating passwords.
For consumers, anything other than the PIN or face/fingerprint recognition that unlocks smartphone screens seems like a huge pain in the posterior. The average person doesn't want to be bothered with texted codes, doesn't want to use an authenticator app, and definitely doesn't want to shell out up to $50 for a USB or Bluetooth security key.
Locked out by passkeys
The phone-based "passkey" system being developed by Apple, Google and Microsoft is trying to short-circuit that reluctance by leveraging the ubiquity of smartphones and the familiarity of smartphone lockscreens. It replaces passwords with the user's own phone.
Phone-based passkeys are meant to be easy to use. Turn on Bluetooth on your laptop and your phone, unlock your phone's screen, and then the website loaded in the browser on your laptop will verify the presence of a "passkey" on your phone and log you in sans password.
Yet the passkey system may not be ready for prime time. Although it was rolled out to the public in fall 2022, I found myself unable to use the system on the few websites that would let me set up passkeys in the spring of 2023.
Instead, despite an hour of fiddling about and trying different approaches, I got nothing but messages like "A technical error has occurred," "Your identity couldn't be verified," "Something went wrong" and "Please try again later." (I used a fully updated Windows 10 laptop, a fully updated late-model Android phone and the latest versions of the Chrome and Edge desktop browsers.)
"Is universal passwordless authentication actually achievable?" Gartner's Allan asks rhetorically in the company's guidelines. "The short answer is 'no,'" — except, he adds, in workplaces that either have all their applications in the cloud or use Windows authentication or passwordless IAM tools.
How Microsoft does it right
Along those lines, it's heartening to see that Microsoft has been slowly weaning its users off passwords for a few years now. When I log into my personal Microsoft account online, I'm not asked to type in a password after submitting my email address. I haven't needed to type in my password for several months.
Instead, the Microsoft website displays a number onscreen, then sends a push notification to the Microsoft Authenticator app installed on my smartphone. The push notification on the phone displays three numbers, and I tap the one displayed on the laptop to sign into the account. It's simple as pie.
Similarly, when I log into my personal Windows machine, I'm asked only to type in a PIN that is bound to the machine and is never transmitted online. As a backup, my Microsoft account password can be used to log into my PC's administrator account, but the limited-user account I use daily has only a PIN.
Microsoft gave me the option to go completely passwordless in September 2021, although I'm not ready to take that step. It did so by making sure that I had other alternatives available, including the authenticator app and a phone capable of receiving SMS text messages. With enough alternative options at hand, it's then possible to subtract the option of passwords.
How to create a passwordless glide path for your company
Microsoft's guidelines for how organizations can go passwordless follow the same route: develop and use password alternatives, start using those alternatives instead of passwords, get users comfortable with not using passwords, and finally stop using passwords altogether. (Gartner's guidelines are similar.)
The technical details differ from those in Microsoft's personal accounts and involve Active Directory and Windows Hello for Business, but the end result is the same — secure authentication that no longer relies on passwords.
However, Microsoft warns that the entire process might take a considerable amount of time, and that any organization choosing to go passwordless must be ready to commit to a prolonged period of transition.
"The road to being password-less is a journey," Microsoft writes in its guidelines. "The duration of that journey varies for each organization. It's important for IT decision-makers to understand the criteria influencing the length of that journey."
For greater insight into the implementation and management of passwordless solutions, please consider attending the Identiverse conference in Las Vegas from May 30 through June 2, 2023.