It's Beyond Time to Kill the Password
Are you sick of passwords? I know I am. The kicker about passwords is that they’re the weakest link in the security chain of your digital life. Access to your network, bank accounts, social media accounts, email - they all require a password. And unless you’re one of the few who has changed the way you manage passwords, you’ve probably used the same password or some variation of it for all of them.
Even if you use a password manager, it’s still secured with a password!
Oh, the irony…
Then there’s the myriad of 2-factor solutions that claim they can get rid of the password. In most cases they do a pretty good job of hiding the use of the password, but they're not ubiquitous and usually cover only one of your online services at a time, which means you’re using several different methods to bypass having to remember and correctly type a password.
So, what’s it really going to take to remove and replace passwords?
The first step is for all of the operating system providers to recognize that they have to provide the option to remove passwords from their user profiles. Some are better than others at this, but Windows Server, for example, powers the vast majority of enterprise networks, and passwords are a core component of a user profile. It’s true of many Identity and Access Management (IAM) and Identity as a Service (IDaaS) providers as well. Until we can take passwords out of the equation, we’re always going to be stuck with them - even if it’s behind the scenes.
The second is to replace the password with something convenient that works across everything. Apple showed us the way when they created TouchID. Apple didn’t add the fingerprint to the iPhone for security reasons. They added it for convenience. Identity authentication, which is what a username and password is supposed to provide, needs to be dramatically simplified. Using TouchID or FaceID, I can log into any number of services on my iPhone. Whether it be a bank, my car, or my home security system, I can use my fingerprint to log into all of them (after it saves all my usernames and passwords somewhere on my phone of course).
The key takeaway is that it’s convenience that gets the attention of your average user - not security.
The third is the ability to prove the veracity of your identity. What that means is that you must first prove it’s actually you. This needs to occur when you initially create any digital identity (this is often called onboarding). When the digital version of you is established, you have to show proof in some form that you are who you claim to be. A good example of how this is being done today is by submitting a picture of your driver's license or passport as well as a selfie to make sure that they biometrically match. A verified match combined with the information on your identity document can be used to prove that you are who you claim to be, so that any further identity authentication (2FA, MFA, etc.) can be assumed valid.
Finally, as an industry we need to move towards a self-sovereign and federated digital identity. In other words, you and I need to be in control of our own identity information, authentication methods (2-factor, multifactor, and biometric), who can use our information, and for how long. Whether it’s your employer, your bank, or the grocery store, you should be able to control how your identity is authenticated (without a password, of course) and how they can use your personal information.
These are the tenets of getting rid of passwords. It may seem like a lot of things have to align to get there, but the truth is that we’re getting close. However, the biggest hurdle to adoption isn’t technology - it’s about making it convenient to implement and use. If the IT department has to add a lot of new pieces to an already complex security infrastructure, then it will cost too much and won’t be done. If users have to install and use several different identity authentication solutions, they won’t do it.
The key to successfully getting rid of passwords is to replace them with something so convenient to implement and use that it becomes natural to use it. Then, and only then, can we kill the password.