The state of authentication: It's time to move on from passwords

Rob Lemos Writer and analyst

Passwords continue to be a massive security headache, so the time has never been better for applications to adopt strong authentication. And with continued efforts to push industry standards for strong web authentication, developers have a clear path forward.

Security experts have predicted the doom of passwords for many years, but 2020 may finally mark the beginning of the end for password-based security, or at least the daily reliance on passwords as a way to authenticate to online accounts.

Last year, browser makers Google, Microsoft, and Mozilla teamed up with authentication firms—including Yubico, Duo Security, and Nok Nok Labs—to release the first version of WebAuthn. This standard allows several different passwordless technologies to be used to strongly authenticate with online services. The standard is slowly picking up steam, as more support for WebAuthn gets built into application frameworks.

The effort, however, requires more developers to get on board. Developers must adopt framework components that implement WebAuthn, said Rich Smith, director of research and development for authentication firm Duo Security.

"We are seeing some adoption by major companies in this space, but we definitely need to get more traction so people are able to use and understand WebAuthn and become familiar with the new authentication flows," Smith said.

"[We] need to support developers and help them integrate the technology into their software and libraries."
Rich Smith

If technology firms can ease developers over the initial hurdles, however, the move to WebAuthn—and the more general Fast Identity Online 2 (FIDO2) standard—will help usher in a future with many fewer, and perhaps no, passwords.

Here are the key things developers should know about moving on from passwords for authentication.

Businesses need passwordless authentication

In the past, companies sought to protect networks, and they generally trusted devices that connected from inside the network. However, with most companies moving software and services to the cloud, the perimeter has largely disappeared.

Instead of authenticating once in the morning and allowing the use of a device during the day, companies are taking a page from consumer services and requiring authentication whenever specific permissions need to be granted.

The move to securing devices, users, and accounts through adaptive security measures, often referred to as zero-trust security, allows companies to require that users re-authenticate whenever a key factor such as location changes. If passwords were required for what could be continuous authentication, security would certainly get in users' way.

Yet using other forms of authentication, such as facial or fingerprint biometrics, becomes possible because modern devices have security hardware built in.

Security pros can't rely on a secure network perimeter anymore, said Rolf Lindemann, co-chair of the Security Requirements Working Group at the FIDO Alliance and vice president of products at Nok Nok Labs.

"When you think of consumer use cases, it is all zero-trust, because the consumer has no perimeter."
Rolf Lindemann

Passwordless helps users

In the past, businesses have de-emphasized security measures because forcing users to enter passwords slowed down transactions. But stolen accounts and breaches have convinced businesses and consumers of the benefits of greater security—albeit grudgingly.

With a wider array of security technologies available, however, businesses are adopting a more fluid approach to authentication—also called adaptive security—where the user is asked for verification only when something changes or when the user is taking certain, high-value actions, said Troy Drewry, product manager at Micro Focus.

"The business does not want many measures in place because they have been a barrier to commerce. Companies would rather support users and customers, who are lazy, and minimize their frustration with logging in over and over."
Troy Drewry

The most common types of verification used today are fingerprint scans and facial imaging—actions that require so little effort that many users don't consider the tasks to be steps in the verification process.

More developer support available

Despite the growing reasons for moving away from passwords, moving to strong authentication technologies is not easy. WebAuthn standardizes the process through an API. The industry organizations behind the specifications know that a passwordless future relies on helping developers incorporate the technology into their applications.

Companies are already integrating passwordless tech into a variety of web frameworks and open-source libraries so they can support strong authentication as defined in the FIDO2 specification. Yubico, a maker of hardware devices for strong authentication, has released a developer guide as well as WebAuthn server code for Java, Python, and C. Duo has released its own guide as well as open-source code for implementing WebAuthn in Python, while others have created a library for the Python Flask web framework.
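To make the "server code" concrete, here is an added example (not code from the article, Yubico, or Duo) of the checks a relying party performs on a WebAuthn login response before it hands the signature to a crypto library: the clientDataJSON and authenticator-data validation that stops replayed challenges, phishing origins, and cloned authenticators. RP_ID and ORIGIN are assumed values, and sample_assertion constructs the response pieces inline.

```python
# WebAuthn relying-party checks on an assertion (login) response that need no
# crypto library. Added example, not the article's or any vendor's code; RP_ID and
# ORIGIN are assumed. Signature verification over authenticatorData || SHA-256(clientDataJSON)
# still needs a crypto library and is not shown.
import base64
import hashlib
import json
import secrets
import struct

RP_ID = "example.com"           # assumed relying-party id
ORIGIN = "https://example.com"  # assumed origin the browser must report
FLAG_UP, FLAG_UV = 0x01, 0x04   # authenticator data flag bits: user present / user verified

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_client_data(client_data_json: bytes, expected_challenge: bytes) -> dict:
    """Check the browser-produced clientDataJSON against what the server issued."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if not secrets.compare_digest(b64url_decode(data.get("challenge", "")), expected_challenge):
        raise ValueError("challenge mismatch: replayed or cross-session response")
    if data.get("origin") != ORIGIN:
        raise ValueError("origin mismatch: phishing page or misconfigured RP")
    return data

def verify_authenticator_data(auth_data: bytes, last_counter: int, require_uv: bool) -> int:
    """Validate rpIdHash, flags and signature counter; return the new counter to store."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (counter,) = struct.unpack(">I", auth_data[33:37])
    if not secrets.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        raise ValueError("rpIdHash mismatch: credential scoped to another RP")
    if not flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification required but not asserted")
    if (counter or last_counter) and counter <= last_counter:
        raise ValueError("signature counter did not increase: possible cloned authenticator")
    return counter

def sample_assertion(challenge: bytes, origin: str, flags: int, counter: int):
    """Constructed response pieces, shaped as a browser and authenticator would produce them."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()})
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)
    return client_data.encode(), auth_data
```

The challenge must be a fresh random value stored server-side per login attempt; the counter returned by verify_authenticator_data is persisted against the credential for the next comparison.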

"Developers should focus on their core competency, not on authentication. We need to make it simple for developers to plug building blocks together and have a secure solution."
Rolf Lindemann

In the end, the goal is to move from the chaos of having a password for every account—one 2017 study by password-manager firm Dashlane found that the average user has 150 accounts—to a passwordless future where devices manage keys and authentication can be completed easily and on demand.

Nick Steele, a technical leader for research and development at Duo Security, said the more frequently you can authenticate people, "the more robust set of zero-trust principles you are able to build out."

"The experience will move away from the username-password combination into something that is much more seamless and that allows developers and security engineers to use authentication much more often."
Nick Steele
