Passwordless gone wrong

Perfect is the enemy of good (Part 2)

Here we are. Patiently waiting to continue the ride. Finally ready to travel beyond space and time. Ready to explore the mysteries of the unknown. So jump in, fasten your seatbelts. And. Off. We. Go!

Note: Where we’re going, we don’t need roads. It might, however, not hurt to read Part One first.

The past

A wise man once said “use a password manager”1. Following that easy rule would solve a lot of problems. But many aren’t following this rule. So we adapted. We declared passwords deprecated. We entered the age of “passwordless”.

Or so we thought. However, over the years, it became apparent that the age of passwordless might not come until after the year of the Linux desktop. 🤪

For those not getting the joke, here’s a short timeline: In 2004 (for those of you paying attention, this year might ring a bell), Bill Gates decided that passwords are sh*t (my words). In 2011, IBM stated that in the next five years you will never need a password again (their words). To be fair, they also predicted “mind reading is no longer science fiction” in the same article2.

Since IBM started the hype train, every year has been declared by one major player or another as the year that marks the end of the password, one way or another. A quick reality check: in the aforementioned five years, fingerprint readers became somewhat mainstream in consumer devices (namely smartphones), which was a step in the right direction, but far from passwordless (I may delve into this topic sometime in the future).

Another four to five years and we finally had a chance to start thinking about passwordless environments. Say hello to Windows Hello! (This was certainly neither the first nor the best way to introduce passwordless, but it makes for the best pun. 🤷)

The way for solutions like Windows Hello or passkeys was paved by the FIDO (Fast IDentity Online) Alliance, which released multiple standards for passwordless authentication. Most importantly U2F and FIDO2, the latter consisting of WebAuthn (the browser API, standardized by the W3C) and CTAP (the protocol between client and authenticator). These standards are nowadays implemented in many major systems (e.g. your browser), but still not widely used.

The present

This is now. Roughly 20 years after we realized that passwords should disappear and seven years behind IBM's five-year schedule. Passwords persist. And passwords will persist through 2023 (remember: you heard it here first 😇). Nevertheless, the idea of a passwordless future persists, too. And many major players are supporting this idea. So there is hope. The foundation is done. Now it's time to build on it.

A crack in the timeline

So now that we arrived in the present, it might be a good time to stop for a moment and finally explain what passwordless actually means: In short, passwordless means you log into your account/workstation without entering a password. That’s it. Simple as that.

I could let that explanation stand on its own and for most it would be sufficient. But giving a thorough explanation gives me a chance to introduce and explain another very important concept: multi-factor authentication (MFA, or 2FA in its two-factor form).

To get this straight out of the way: having to log in with a password, a PIN and a security question is not MFA. It's just harassment of the user.

So what is MFA? Traditionally, MFA distinguishes three (sometimes four) types of "factors". 2FA means you use factors from two of the types; MFA is the generalization and means that you use factors from at least two types. Passwords, PINs and security questions all belong to one type: "something you know", or "knowledge". The other two types are "something you have", or "possession" (e.g. a traditional key, a hardware token, a phone) and "something you are", or "inherence" (biometrics, e.g. fingerprint, face, voice). Three authenticators from the same type still count as one factor.

So to answer the original question: passwordless means authentication that does not rely on the user presenting secret knowledge; possession or inherence does the work instead. Please keep this in mind when someone tries to sell you their next big zero-trust, passwordless MFA, o thou holy, scam scheme.

Back to the future

Retrospectively, what went wrong? On the one hand, some of the proclaimed goals might have been just a little bit too ambitious (I'm looking at you, IBM). On the other hand, we sometimes just fail to take the leap when we get the chance.

One of the few places where we reasonably could have entered a passwordless future is the smartphone. Any halfway current smartphone is equipped with a decent fingerprint scanner or comes with some other way to check a user's biometric features (e.g. Face ID). You unlock your phone by touching the fingerprint reader with one of your fingers or by smiling at the camera. This is passwordless.

Or rather, this would be passwordless. If we hadn't decided that fingerprints are insecure and face recognition can be bypassed. The solution was (brace yourself) passwords.

Another reality check: every smartphone is capable of doing passwordless authentication. Nearly everyone uses it (because it's convenient). Every user is forced to set a PIN or password in addition (on both iOS and Android the PIN or password protects the key material, and the biometric only releases it once the device has been unlocked with that secret since boot, which is why you are asked for it after every restart). Every second3 smartphone can be unlocked by either using the correct biometric feature or by aborting the dialog and entering one of the PINs 1234, 9876 or 0852.

Yes, fingerprint readers and face recognition are far from perfect. That is true. But so is a four-digit PIN. And the worst of all is a system that accepts either one, because an attacker simply takes the weaker path, and the strength of the combination is no better than its weakest alternative. Arguably, a 20-digit random password might be the most secure solution to unlock your phone. But ask yourself how often per day you are willing to enter 20 random characters correctly into your phone. Exactly. Won't happen.
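To make the two points above concrete (that "password plus PIN plus security question" is not MFA, and that a "PIN or biometric" fallback is weaker than either factor required on its own), here is an added example that is not part of the original post. It models an unlock policy as alternatives (OR) of authenticator groups (AND) and asks two questions: does every alternative span two factor types, and what is the attacker's chance of getting in before lockout? All per-try success rates, attempt budgets and the factor assignments are assumptions chosen for illustration, not measured figures.

```python
"""Model an unlock policy as an OR of AND-groups of authenticators and ask:
(1) is it really multi-factor, and (2) what does an "either PIN or biometric"
fallback do to the attacker's odds?

Example code added to the post, not the author's. Every rate, attempt budget
and factor assignment below is an assumption for illustration only.
"""
from dataclasses import dataclass
from math import prod

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


@dataclass(frozen=True)
class Authenticator:
    name: str
    factor_type: str
    p_per_try: float   # assumed chance that one attacker attempt succeeds
    attempts: int      # assumed attempts allowed before lockout or wipe

    def p_bypass(self) -> float:
        """Chance the attacker passes this single authenticator before the
        attempt budget runs out, treating tries as independent."""
        return 1.0 - (1.0 - self.p_per_try) ** self.attempts


# A policy is a list of alternatives; each alternative is a list of
# authenticators that must ALL be passed. [[pin], [finger]] reads as
# "PIN or fingerprint"; [[pin, finger]] reads as "PIN and fingerprint".
Policy = list[list[Authenticator]]


def factor_types(group: list[Authenticator]) -> set[str]:
    """Distinct factor types an alternative actually requires."""
    return {a.factor_type for a in group}


def is_mfa(policy: Policy) -> bool:
    """True only if EVERY alternative demands two distinct factor types.
    An attacker picks the weakest alternative, so one single-factor fallback
    makes the whole policy single-factor."""
    return all(len(factor_types(group)) >= 2 for group in policy)


def p_bypass(policy: Policy) -> float:
    """Attacker success probability: an alternative is bypassed only if all
    of its authenticators are; the policy is bypassed if any alternative is.
    Alternatives are treated as independent, which is generous to the
    defender when they share one attempt budget."""
    per_group = [prod(a.p_bypass() for a in group) for group in policy]
    return 1.0 - prod(1.0 - p for p in per_group)


# Assumed parameters (not measured): a uniformly random 4-digit PIN with
# 10 tries before wipe (real PIN choices are far more skewed, see 1234),
# a fingerprint reader with a 1-in-50,000 false-accept rate and 5 tries
# before it falls back to the PIN, and two more knowledge factors.
PIN = Authenticator("4-digit PIN", KNOWLEDGE, 1 / 10_000, 10)
FINGER = Authenticator("fingerprint", INHERENCE, 1 / 50_000, 5)
PASSWORD = Authenticator("password", KNOWLEDGE, 1e-9, 10)
QUESTION = Authenticator("security question", KNOWLEDGE, 1e-2, 3)

PHONE_TODAY: Policy = [[PIN], [FINGER]]        # either unlocks: the post's complaint
PHONE_STRICT: Policy = [[PIN, FINGER]]         # both required
NOT_MFA: Policy = [[PASSWORD, PIN, QUESTION]]  # three knowledge factors, one type


if __name__ == "__main__":
    cases = [("PIN only", [[PIN]]), ("fingerprint only", [[FINGER]]),
             ("either (phone today)", PHONE_TODAY), ("both", PHONE_STRICT),
             ("password+PIN+question", NOT_MFA)]
    for label, policy in cases:
        print(f"{label:24s} MFA={str(is_mfa(policy)):5s} "
              f"p_bypass={p_bypass(policy):.2e}")
```

Run it and the ordering tells the story: "either" is strictly worse than the PIN alone, which is worse than the fingerprint alone, which is orders of magnitude worse than requiring both. The password-plus-PIN-plus-question policy is reported as not MFA because all three sit in the knowledge type.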

Yet, this is where we ended up. All, because biometrics aren’t perfect.

This ride is far from over. And I would love to welcome you back at another point in time and space. But for now, I take off the visor. I sit down and rest. Looking through the window, I’m reflecting on my life — watching a space otter fly by.

  1. Yeah, I’m obviously quoting my past self here. 😉 ↩︎

  2. The original article is not available any more. An archived version can be found here↩︎

  3. I got no stats here, just an educated guess. ☝️ ↩︎

Stefan Feuerstein

Managing director and co-founder

IT security likes to market itself with exaggerated scare tactics. Respect for the topic is important, but important decisions must not be driven by fear.

March 3, 2023