Apple, Microsoft are pushing passwordless; here's a reality check

Jaikumar Vijayan, freelance writer

Passwords aren't going to become obsolete any time soon. But when that does happen, it will likely be approaches such as Apple's Passkeys and Microsoft's passwordless sign-in option that replace them.

Passkeys, which are stored in the iCloud keychain, are a preview feature in Apple's iOS 15 and macOS 12 Monterey operating systems that will eventually become available on all iPhones, iPads, and Macs. The technology is designed to let users sign into websites and applications without using passwords and without having to share passwords with those apps and sites.

Microsoft's passwordless sign-in option gives consumers different options to sign into apps and services such as Microsoft Outlook and Microsoft OneDrive. These techniques include using the Microsoft Authenticator app, the Windows Hello biometric authentication, a verification code, or a security key.

Do these approaches herald a passwordless future? Here's what you need to know.

How they work

Apple has described Passkey as a new kind of credential in the iCloud keychain. The technology is based on the Web Authentication API (WebAuthn), a rapidly emerging standard that uses public key cryptography instead of passwords for authenticating users to websites and applications. With WebAuthn, a public-private keypair is created for each website or app that a user might want to register for.

The public key and a randomly generated user ID are stored on the server. The paired private key is stored on the user's device and is used to confirm the user's identity to the app or site without sharing the key. The approach eliminates the need for servers to store user passwords. The public keys stored on the servers are of no value without the associated private keys.
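The registration and login flow described above, as an added illustration (not Apple's or Microsoft's code, and a simplified stand-in for the real WebAuthn message formats): the server stores only a public key and a random user handle, the device signs a one-time challenge bound to the site's origin with the private key it never reveals, and the server verifies the signature. Origin and challenge values are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Credential is all the server stores: a random user handle and the public key, which is useless on its own.
type Credential struct {
	UserHandle []byte
	PublicKey  *ecdsa.PublicKey
}

// Register creates a fresh P-256 key pair for this one site. The private key stays on
// the device; the server store (keyed by a random credential ID) gets only the public half.
func Register(store map[string]Credential) (credID string, priv *ecdsa.PrivateKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	buf := make([]byte, 32) // 16 random bytes of credential ID + 16 of user handle
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	credID = hex.EncodeToString(buf[:16])
	store[credID] = Credential{UserHandle: buf[16:], PublicKey: &priv.PublicKey}
	return credID, priv
}

// Sign is the device's answer to a login: it signs the server's one-time challenge
// together with the origin it is talking to, so the signature is only valid for that site.
func Sign(priv *ecdsa.PrivateKey, origin string, challenge []byte) []byte {
	digest := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// Verify is the server's check; an unknown credential, a reused challenge or a signature for another origin all fail.
func Verify(store map[string]Credential, origin, credID string, challenge, sig []byte) bool {
	cred, ok := store[credID]
	digest := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return ok && ecdsa.VerifyASN1(cred.PublicKey, digest[:], sig)
}
```

A compromised server database yields only public keys and opaque handles, and a signature captured in transit cannot be replayed because the next login uses a fresh challenge.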

Apple's Passkey is basically a WebAuthn credential built into the iCloud keychain that can be synced across all Apple devices. It allows users one-click access to websites and apps via Face ID or Touch ID.

Apple says it will store Passkeys in the iCloud keychain in an end-to-end encrypted fashion so that even the company can't read them. It has described the technology as being simpler, faster, and more secure than password-based authentication mechanisms—even those involving two-factor authentication.

Importantly, it eliminates the need for users to create, remember, and constantly renew passwords and significantly reduces the risk of attackers stealing passwords or cracking weak ones to access enterprise networks and data.

Meanwhile, Microsoft's approach to a passwordless future leverages several of its existing authentication technologies such as Windows Hello and Microsoft Authenticator. To enable the option, users need to install the Microsoft Authenticator app and link it to their personal Microsoft account.

Then, users simply turn on the "Passwordless Account" option on the account sign-in page to remove the password as an authentication mechanism for their Microsoft account. Microsoft had rolled out a passwordless option for commercial users of its technology last March.

Is a passwordless future near?

Tyler Shields, chief marketing officer at cyber asset management and governance solutions provider JupiterOne, described Apple's proposed approach as a significant advancement over using regular passwords. "In essence, this creates a system where each site can have a long and difficult-to-guess strong password and the user will not have to remember any of it," Shields said.

Instead, users will be able to use biometrics—such as Face ID—to gain access to the keychain and have the keychain submit the password on their behalf. "This is a great option and an improvement over standard passwords," Shields said.

Many perceive Apple's Passkeys and other technologies based on standards such as WebAuthn as a precursor to a passwordless world. But the technology is still some way off from being widely deployed, let alone replacing passwords—for one thing because it currently works only with Apple devices.

There are other issues as well. Yuval Glaser, product manager at CyberArk Identity, said Passkey and similar approaches from Google and Microsoft will take the industry closer to a passwordless world, but so far, the approaches that have emerged are primarily consumer-oriented.

"Passwordless authentication is becoming accepted and adopted in enterprises," Glaser said. "However, passwordless is a journey, especially for enterprises, and far from something that can happen overnight." 

Broad enterprise adoption a long way off

Glaser said moving away from passwords in enterprises will take time simply because of how deeply entrenched legacy identity management technologies, including Active Directory, are in those environments. Some enterprises are deploying passwordless authentication methods in a limited fashion alongside single sign-on to try to reduce the number of passwords in their environments.

As one example, he pointed to CyberArk customers who use a QR code scanned with their authenticator app to authenticate users to apps.

Even so, enterprises generally tend to be more risk-averse than consumers, especially because many applications and identity management controls are engineered to require passwords. So, initially at least, passwordless authentication approaches will have more consumer use cases, Glaser said.

"Given Apple’s leadership in consumer devices, the Passkeys in iCloud keychain will pave the way toward a passwordless future from the end-user perspective," Glaser said.

Others view such technologies as not necessarily eliminating the use of passwords but rather changing the way users interact with them. Joseph Carson, chief security scientist and advisory CISO at cloud identity security vendor ThycoticCentrify, said passwords are not going away so much as moving into the background.

"It is not really a passwordless world but more of a less-password-interaction world, as passwords will still exist," he said. The only thing changing is that users will increasingly not have to use passwords in as direct a fashion as they do currently when entering their credentials into an account login page.

Don't forget about those left behind

Approaches such as PKI certificates and WebAuthn, along with OAuth, OIDC, and other federated systems, are options for a growing number of applications. But older legacy applications that lack modern interfaces such as APIs may not be as easily brought into the passwordless world.

Troy Drewry, product marketing manager at Micro Focus, said that some third-party applications not under an enterprise's direct control, such as older web apps and thick desktop applications, may not work without the tried-and-true password setup. But, he said, "there are solutions to this large remaining sector of applications. The best of these provide integration without any changes to the applications themselves."

"Where direct integration is not possible, it is still possible to provide passwordless integration and even layer in multi-factor," said Drewry. "There are solutions for this ‘last mile’ security challenge. These provide the desired user experience and can be implemented and managed with relative ease."

Time will tell on the password's future

Already, technologies such as those used for privileged-access security have helped move passwords used by system administrators, cloud admins, IT security staff, and other high-value users into the background by putting them into secure vaults with specialized access controls around them, Carson said. A growing number of organizations have begun applying the same idea for passwords used by broader sections of business users as well, he added.

"In reality, we are not far away from moving passwords into the background, and the only time we will need to interact with them is after device reboot, device enrollment, backup and recovery, or when the security risks and threats increase," he said. "Password security will become more adaptive and will work in the background while other security controls will verify the user's identity and authorization."
