How to Eliminate Passwords? It Can’t Be Done.

JK, that’s not what this post is about.

Actually that’s the title of an article written in 2016.

I enjoy reading stories like these. They remind us and reinforce just how far passwordless technology has come. We can’t knock the author for claiming that the world can’t get rid of passwords. Just think about the general mindset at the time. Password-based login was all the world really knew… Apple hadn’t even launched Face ID yet. Most people were still wary of using biometrics in general. Was FIDO2 even a thing?

2016 was a very different time. And despite the pessimistic tone, ZDNet managed to get a lot right. A few interesting things stand out from this piece.

No Mention of FIDO Authentication Standards

This is a key piece missing from the passwordless puzzle. 2016 was still early for the passwordless movement, and very few companies had deployed FIDO authentication at scale. People were still exploring alternative approaches such as BOPS (the IEEE Biometric Open Protocol Standard) and multi-party computation (MPC). It wasn't until 2018 that the FIDO Alliance launched FIDO2 and WebAuthn reached Candidate Recommendation status at the W3C (it became a full W3C Recommendation in March 2019). That's when the world realized FIDO would usher in a global movement away from passwords.

Today FIDO standards are powering strong authentication for millions of users across billions of devices. Apple has introduced WebAuthn into the iOS ecosystem. Android has embedded FIDO2 at the device level. The FIDO Alliance now boasts hundreds of members consisting of industry leaders such as Microsoft, Google, Facebook, and many more enterprises going passwordless.

Biometrics Were Not Meant to Replace Passwords

The article mentions that “In theory, you should be able to use your fingerprint or face or iris or something else like that to log in to third parties, and some of this has become realistic with Apple’s Touch ID and Windows Hello, but there are a lot of different potential biometrics and they’re available on different platforms and it will be a very long time before a user could use biometrics to the exclusion of passwords.”

This is spot on. At the time it was unclear (to most people) how biometrics were supposed to replace passwords. Some folks even thought that by simply activating Touch ID they had magically become “passwordless.”

It was not yet clear that mobile biometrics were primarily a passwordless user experience feature that would need to be married with open standards to actually eliminate passwords. The biometric itself never leaves the device and is never sent to a server; it only unlocks a private key held on the device, and the server authenticates the user by verifying a signature over a fresh challenge with the matching public key. We outlined this in our 2016 paper, introducing the world to True Passwordless Security. It has been a thrill to see this vision come to life as many organizations today are following this trend of combining Touch/Face ID with open standards and public-key cryptography.
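The combination described above, written out as an added example (this is illustration code, not HYPR's product or any FIDO library): a Go sketch of a WebAuthn-style registration and challenge-response login. The authenticator holds a per-site private key that is only unlocked by a local gesture, while the relying party stores nothing but a public key and verifies signatures. It goes slightly beyond the paragraph by showing why the server-side checks matter: a replayed assertion, an assertion signed for a look-alike phishing origin, and a signature from a different key are all rejected. The type names (Authenticator, RelyingParty, Assertion), the byte layouts, and the example domain are assumptions that simplify the real CBOR/JSON encodings of WebAuthn.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const flagUserVerified = 0x04 // UV bit of WebAuthn authenticator data: set only after a local gesture

type Authenticator struct { // device side: the private key never leaves it
	rpID string
	priv *ecdsa.PrivateKey
}

type Assertion struct { // the authenticator's signed answer to one challenge
	AuthData   []byte // sha256(rpID) || flags (hypothetical stand-in for WebAuthn authenticatorData)
	ClientData []byte // 32-byte challenge || '|' || origin (hypothetical stand-in for clientDataJSON)
	Signature  []byte // ECDSA P-256 over sha256(AuthData || sha256(ClientData))
}

// Register creates a per-RP key pair on the device; the RP receives and stores only the public half.
func Register(rpID string) (*Authenticator, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{rpID: rpID, priv: priv}, &priv.PublicKey, nil
}

func signedBytes(authData, clientData []byte) []byte {
	cdHash := sha256.Sum256(clientData)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// Sign runs after the biometric prompt; userVerified=false models a failed or cancelled
// gesture (Touch ID, Face ID, PIN): the key stays locked and nothing is signed.
func (a *Authenticator) Sign(challenge []byte, origin string, userVerified bool) (Assertion, error) {
	if !userVerified {
		return Assertion{}, errors.New("user verification failed: key not unlocked")
	}
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(rpHash[:], flagUserVerified)
	clientData := append(append([]byte{}, challenge...), []byte("|"+origin)...)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedBytes(authData, clientData))
	return Assertion{AuthData: authData, ClientData: clientData, Signature: sig}, err
}

type RelyingParty struct { // server side: never sees a password or a biometric, only signatures
	ID, Origin string
	pending    map[string]bool // challenges issued but not yet consumed
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, pending: map[string]bool{}}
}

// Challenge issues a fresh random nonce that may be used exactly once.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	rp.pending[string(c)] = true
	return c
}

// Verify runs the relying-party checks in order: challenge freshness, origin
// binding, rpID hash, user-verification flag, and finally the signature.
func (rp *RelyingParty) Verify(pub *ecdsa.PublicKey, as Assertion) error {
	if len(as.AuthData) != 33 || len(as.ClientData) < 33 {
		return errors.New("malformed assertion")
	}
	challenge, origin := string(as.ClientData[:32]), string(as.ClientData[33:])
	rpHash := sha256.Sum256([]byte(rp.ID))
	switch {
	case !rp.pending[challenge]:
		return errors.New("unknown or replayed challenge")
	case origin != rp.Origin:
		return errors.New("origin mismatch (possible phishing)")
	case string(as.AuthData[:32]) != string(rpHash[:]):
		return errors.New("rpID hash mismatch")
	case as.AuthData[32]&flagUserVerified == 0:
		return errors.New("user verification flag not set")
	case !ecdsa.VerifyASN1(pub, signedBytes(as.AuthData, as.ClientData), as.Signature):
		return errors.New("bad signature")
	}
	delete(rp.pending, challenge) // consume the challenge so the assertion cannot be replayed
	return nil
}

func main() {
	rp := NewRelyingParty("example.com", "https://example.com")
	auth, pub, _ := Register(rp.ID)
	as, _ := auth.Sign(rp.Challenge(), rp.Origin, true)
	fmt.Println("login:", rp.Verify(pub, as))  // <nil>
	fmt.Println("replay:", rp.Verify(pub, as)) // unknown or replayed challenge
}
```

The point to take from the sketch is what each party holds: the device has a private key gated by the biometric, the server has a public key and a list of outstanding challenges, and nothing reusable ever crosses the wire. Real WebAuthn relying parties additionally check the credential ID and the signature counter, which are left out here for brevity.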

Over-Analyzing the Role of SAML, OAuth, and OIDC

The article spends some time rationalizing the role of these standards in passwordless authentication. This line of thinking isn't misguided; it just isn't what these standards were designed to accomplish.

It’s true that since the widespread adoption of Single Sign-On (SSO) standards such as SAML and OAuth/OIDC, the authentication industry has successfully reduced the number of passwords people need to remember. Unfortunately, the popular Identity Provider (IdP) platforms have built their entire product lines on top of the password: federation moves the login to the IdP, but the IdP still verifies a password once the user gets there. We explore this concept in our white paper on Decoupling Authentication from Identity.

The article is correct in scrutinizing the role of these standards, stopping just short of saying that authorization is NOT authentication. OAuth 2.0 is an authorization framework, OIDC layers an identity assertion on top of it, and SAML carries federated assertions; none of them specifies how the user actually proves who they are at the IdP, which is exactly where the password has survived. While the article gets these ideas right conceptually, it fails to acknowledge the existence of strong authentication standards such as FIDO. We shouldn’t fault ZDNet for not “predicting the future” correctly — it’s just interesting to see how at the time the conversation was all about identity and not authentication.

There Were No Proof Points

Let’s be real about this. At the time there were no major case studies of passwordless deployments. Even HYPR was just rolling out at some of our earliest customers. Fast forward to 2020 and we have Microsoft proclaiming that more than 150 million people use passwordless login on Windows every month. That’s not even counting the billions of Android users with embedded biometrics and FIDO2-enabled devices, or the many iOS users who use passwordless authentication every day. An Apple stat from 2016 suggested people use Touch ID more than 80 times a day. That number is probably even higher today.

Calling Password Managers “a Hack”

The article gets this right in that it doesn’t suggest password managers will solve the password problem — only that they are a good-enough band-aid for now. That is rapidly changing, with younger generations getting less and less exposure to password managers. Just this summer we ran a study on password manager usage among millennials — with some surprising results.

Underestimating the User Experience

This is the only major flaw in the article that needs to be pointed out. The piece doesn’t mention User Experience (UX) at all. Not once. That’s not their fault as the common misconception at the time was that passwordless was purely a security initiative.

In reality, the improved UX of password elimination is what has been driving its adoption and innovation. People want a faster and easier login. They want a consistent experience. They want to be extra secure without having to actually do anything extra. The elimination of passwords has more to do with people’s desire for a better login and less to do with the actual security benefit. We can’t fault anyone in 2016 for missing this point, as it isn’t terribly obvious to everyone in 2020 either.

The article ends with this:

So no, I don’t have a happy ending for you. I see password proliferation, password confusion and password breaches in our future as far as the eye can see. The best solution for now is a password manager, hack though it may be.

-ZDNet

A lot can change in 4 years.