We all know passwords are bad, but…

Why aren’t we using passwordless login? Passwords are like smoking: we know they’re bad for us, we want and try to stop using them, but alas, they exist in nearly every application, service and website on the planet. Why is that, when the technology exists to replace passwords with newer passwordless approaches based on cryptography, open standards and biometrics? Of course there is no simple answer: there are multiple barriers to adoption, originating from different sources. However, there are a couple of avenues we can start to analyse. Passwords affect two parties – the end user and the service provider.

End User Familiarity

The end user knows how passwords work. They pick one, think it’s a good one (and likely reuse it across multiple sites, tut tut) and are comfortable with how they log in and reset them. Password managers are now pretty common and integrate well with both web and native mobile applications, and have likely delayed the migration away from password-based authentication by removing the heavy lifting from the end user when it comes to password choice, storage and reset. The password manager phenomenon has removed some of the basic security wobbles: assisting in the generation of “complex” passwords, generating unique passwords per site to prevent reuse, and abstracting away any need for the end user to even know a site password, other than the master password for their chosen storage system of course. So whilst end user happiness has increased (they now only need to remember one password, for example), the underlying problem of password deployment has not gone away.

Application Simplicity

But what about the application side? Password functionality exists in every programming language, library and framework. Things like password storage (with a good hashing algorithm, per-user salts and pre-configured iteration or cost parameters for dedicated algorithms like Argon2) are readily available. Password comparison during login, reset flows for forgotten credentials and complexity rules are all well understood, documented and available to the average developer. They don’t need to know much about password security. Implementing a password-based login does not cost anything: there are no licence costs, no large time investment and no risk (other than the obvious risks of password flows) in choosing passwords for the main authentication event. Essentially, incentives don’t exist to do anything else.
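To make the “readily available” point concrete, here is an added example (not code from the original post) of the storage and comparison flow described above, written against the Python standard library. It uses scrypt rather than Argon2 because Argon2 is not in the standard library; the cost parameters, salt length and record format are assumptions constructed for illustration and should be tuned for the target hardware. The record carries its own parameters so that cost can be raised later and old records migrated on the next successful login.

```python
"""Salted, memory-hard password storage with constant-time verification.

Added example using hashlib.scrypt from the Python standard library; Argon2
(e.g. via argon2-cffi) would be a drop-in replacement. All parameter values
below are constructed for illustration, not production-tuned.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Current policy (constructed values): scrypt cost n, block size r, parallelism p.
# scrypt uses roughly 128 * r * n bytes, so n=2**14, r=8 costs about 16 MiB per hash.
POLICY_N = 2 ** 14
POLICY_R = 8
POLICY_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    # Normalise the password to bytes; scrypt does the slow, memory-hard work.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          dklen=KEY_BYTES)


def hash_password(password: str, n: int = POLICY_N, r: int = POLICY_R,
                  p: int = POLICY_P, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: $scrypt$n=..$r=..$p=..$<salt>$<key>.

    A fresh random salt per record means two users with the same password get
    different stored values, and the parameters travel with the record so they
    can be raised later without invalidating existing users.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = _derive(password, salt, n, r, p)
    return "$scrypt$n={}$r={}$p={}${}${}".format(n, r, p, _b64(salt), _b64(key))


def _parse(record: str) -> Tuple[int, int, int, bytes, bytes]:
    # Returns (n, r, p, salt, key); raises ValueError/KeyError on malformed input.
    parts = record.split("$")
    if len(parts) != 7 or parts[0] != "" or parts[1] != "scrypt":
        raise ValueError("unrecognised record format")
    params = {}
    for field in parts[2:5]:
        name, _, value = field.partition("=")
        params[name] = int(value)
    salt = base64.b64decode(parts[5])
    key = base64.b64decode(parts[6])
    return params["n"], params["r"], params["p"], salt, key


def verify_password(password: str, record: str) -> bool:
    """Recompute the key with the record's own parameters and compare in constant time."""
    try:
        n, r, p, salt, expected = _parse(record)
        candidate = _derive(password, salt, n, r, p)
    except (ValueError, KeyError):
        return False
    # hmac.compare_digest avoids leaking where the first differing byte is.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when the record was produced with weaker-than-policy parameters.

    Call this after a successful verify_password() and re-store
    hash_password(password) to migrate old records transparently.
    """
    n, r, p, _, _ = _parse(record)
    return n < POLICY_N or r < POLICY_R or p < POLICY_P


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password ok:", verify_password("wrong", record))
    legacy = hash_password("old-user", n=2 ** 10)  # constructed "old" record
    print("legacy needs rehash:", needs_rehash(legacy))
```

The login handler calls `verify_password()`, and only on success checks `needs_rehash()` and writes back a fresh `hash_password()` record; that is the whole migration story for raising cost parameters over time, and it is exactly the kind of boilerplate that frameworks bundle for free.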

What incentives do we need?

Security guru Ross Anderson, in his book “Security Engineering”, makes a great point regarding incentives: security failures occur because the incentives within the end-to-end ecosystem are misaligned with information asset protection. The same applies here with regard to the use of passwords. What are the incentives to move to a new approach? Can they be shaped for both the end user and the application provider so that passwordless becomes the default implementation choice?

So where should vendors and application owners focus and what questions do they need to answer?

  1. Can passwordless approaches increase security? Likely so, but at what cost? Is the cost quantifiable?
  2. Can passwordless approaches increase usability and happiness?
  3. Can the migration to a new approach be simplified for the application developer? How can a migration be automated?
  4. Can the end user feel comfortable using them? If not why not? Do they need training or “nudging”?
  5. Does the end user feel secure using them? Does removing a password make the end user feel less secure?

Five pretty simple questions, which seem to have obvious answers. The answers, of course, may not be the only signal that helps create a tipping point where passwordless authentication becomes the first choice, and in turn the only choice, for application authentication.

How do we get there?

I think the “there” has yet to be fully defined. Passwordless applies to both internal and external identity systems (not to mention machine-to-machine, application-only and things like robotic process automation and the Internet of Things). But vendors are queuing up to solve the problem.

Since the start of 2020, more than $50 million has been awarded in seed and series A rounds of venture funding to organisations delivering dedicated passwordless solutions. A basic Crunchbase search shows nearly 40 companies in the sector overall, which likely excludes platform providers and cloud service providers who are starting to offer passwordless options, such as AWS Cognito, Google Cloud Platform and Microsoft Azure. Whilst roughly a quarter of the “dedicated providers” are generating less than a million dollars per year, the top 5 vendors could have a very conservative combined revenue estimate of approximately $260 million. So something is working.

A customer maturity aspect is clearly at play, as is a perceived lack of standardised use cases, implementation approaches and business case descriptions.