Is the end of the password nigh?

Caroline Scotter Mainprize | April 16, 2018

Fed up with trying to remember up to 100 different passwords? There could be an end in sight… though not without its own challenges.

The Web Authentication (WebAuthn) standard is just one step away from formal approval. When put into practice, it will mean that we can do away with passwords altogether, instead using biometrics and other devices that users already own, such as their smartphones. Biometric authentication is already being used by some organisations such as Microsoft, Apple and Google (fingerprint scanning and facial recognition) and HMRC (voice recognition). WebAuthn will provide a vendor-neutral standard across the web.

Benefits

  • The most obvious benefit is that it will generally increase security. Passwords are the weak point in any system: even the longest and most complicated can be cracked by a brute-force attack or compromised by poor record keeping and administration.

Challenges

  • We’ve all seen those films in which the villains hack off the hand – or head! – of an authorised person in order to use their biometric data to get into top secret government facilities or bank vaults. Yes, those are extreme, and fictional, examples – but replacing passwords with biometric authentication could make physical coercion of individuals more likely in some situations.
  • More mundanely, WebAuthn will work best when there is a reliable mobile and/or broadband service, including Wi-Fi. This can be particularly challenging in a domestic setting, but businesses can have problems too, especially with mobile coverage, which is not under their control.
  • Businesses may need to rethink how licences for some services work. It is typical to buy one licence for, say, a media database or web-based CRM tools and let everyone in the team know the login details. Only one person can use it at a time, of course, but teams are mostly happy to work around that. If it becomes a real problem, they buy more licences. If biometric authentication forces teams to buy a licence for every user it may become unsustainably expensive – with the result that they don’t buy anything. Businesses that license products could gain a competitive advantage by thinking ahead about single-licence, multi-user situations.
  • Expecting people to use their own smartphones to provide the biometric authentication could be problematic in all sorts of ways. On the other hand, this could be an opportunity for a company smart enough to create a market for work-specific biometric readers.
  • And for businesses that don’t adopt WebAuthn (and there will be a large number of them) there will have to be a backwards-compatible option with a password. So will WebAuthn ever be enforced as the standard?

It’s a fascinating topic and raises all sorts of questions for individuals and every size of business.