If Not Passwords, Then What?


Katie Wah

Passwords are a pain: they’re both a massive security risk and an operational inconvenience for admins and users alike. But when we eliminate passwords, what do we replace them with? There’s a lot of buzz around passwordless authentication, but it isn’t clear what should take the place of passwords. The security industry often discusses passwordless authentication in broad strokes, without spelling out exactly how to authenticate users securely and easily. If we’re going to rethink the entire login process, it had better be with something more secure, more convenient, and less expensive. So what should we use instead of passwords?

There are several alternative authentication methods to choose from. Hypothetically, you could use any of them as the first or the second step of a login. Yet each of these methods sits at a different point on the security-versus-convenience scale.

In the past, we’ve simply assumed that we were stuck with passwords and the risks that come with them. So we added alternative authentication methods on top of the password, most commonly a mobile push or a one-time passcode, in what is known as multi-factor authentication (legacy MFA). These are a band-aid: a second step bolted onto a password. But this doesn’t remove the pains and security concerns of passwords. With legacy MFA, users still use passwords; they still need to create, remember, and change them. And because it’s so easy to copy, guess, or steal other people’s passwords, user accounts still need to be protected from unauthorized access.

Instead, what if we went back to the drawing board and rethought how users log in, so that they never need to use a password at all?

What’s changed so that we can securely and easily use other authentication methods as a first step to log in?

  1. The proliferation of Trusted Platform Modules (TPMs) and secure enclaves
  2. The prevalence of built-in biometric readers in modern devices

Biometrics and other sensitive identifiers such as cryptographic keys have been around for a while, but we didn’t have a safe place to put them. Biometrics are great because they’re something you are, such as your fingerprint or your face. It’s hard to steal someone’s finger or face. A biometric is also not something you need to remember; it’s something you innately are. Biometrics are also extremely sensitive because they’re something you can’t change, so it’s crucial that they’re stored securely. That’s where TPMs and secure enclaves come in.

TPMs and secure enclaves are cryptographic processors on a separate hardware chip in your device. Most modern devices, including mobile devices and computers, have a TPM or a secure enclave. Think of a TPM as a containerized magic box where sensitive data and applications can be run (see Nishank Vaish’s description on Infosecurity of why enclaves are taking over the security world). Secure enclaves are also the reason neither the government nor Apple can access your device without your permission. Granted, it is possible to steal a biometric - such as by chopping off your finger - but that’s much harder than simply purchasing or stealing a password off the dark web, a mere string of characters and numbers used to log in.

Fingerprint and face readers have also become more prevalent on modern computers and mobile devices, and consumers have become more familiar and comfortable with this technology. It’s become second nature for consumers to use a biometric to log in to their devices. In fact, most modern devices that don’t support a biometric support a local PIN, which is much more secure than a password. This has primed users for passwordless elsewhere in their lives.

This has created the perfect breeding ground for people to log in securely, easily, and password-free. It’s time to use the momentum from TPMs and built-in biometrics to identify users and authenticate them to applications. It’s time for users to take back control of their digital identity. We should be able to log in with “who you are” and “what you have” (your biometric and the keys on your device), not “what you know” (a password).
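The “who you are” plus “what you have” model described above, as an added example in Go (not code from the original post): a simulated enclave generates a P-256 key it never exports and signs a server-issued challenge only when a simulated biometric check passes, while the server keeps just the public key and a single-use random challenge, so a breached user table contains nothing to log in with and a captured signature cannot be replayed. The Enclave and Server types, the boolean biometric flag, and the user names are constructed for illustration; a real TPM or secure enclave would enforce the same gate in hardware.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Enclave stands in for a TPM or secure enclave (simulated): the private key is
// generated inside it and never leaves; it signs only after the biometric check passes.
type Enclave struct{ priv *ecdsa.PrivateKey }
func NewEnclave() *Enclave {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return &Enclave{priv: k}
}
// Public returns the only key material that ever leaves the chip.
func (e *Enclave) Public() *ecdsa.PublicKey { return &e.priv.PublicKey }
// Sign gates the key on the (simulated) biometric result: no match, no signature.
func (e *Enclave) Sign(challenge []byte, biometricMatched bool) ([]byte, error) {
	if !biometricMatched { return nil, errors.New("user verification failed; key stays locked") }
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, e.priv, h[:])
}

// Server stores public keys only, so a breached user table holds nothing reusable to log in.
type Server struct {
	keys       map[string]*ecdsa.PublicKey
	challenges map[string][]byte // one outstanding single-use challenge per user
}
func NewServer() *Server {
	return &Server{keys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}
func (s *Server) Register(user string, pub *ecdsa.PublicKey) { s.keys[user] = pub }
// Challenge issues a fresh random nonce, so a signature captured in transit is worthless later.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { panic(err) }
	s.challenges[user] = c
	return c
}
// Login verifies the signature with the registered public key and consumes the
// challenge, so replaying an old signature is rejected.
func (s *Server) Login(user string, sig []byte) bool {
	pub, c := s.keys[user], s.challenges[user]
	if pub == nil || c == nil { return false }
	delete(s.challenges, user)
	h := sha256.Sum256(c)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```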