Well, maybe not yet, but it’s definitely moving in that direction.
The basic tenet of current security is that you authenticate using 3 types of information:
- Something you are, such as a username or email address.
- Something you know, such as a password or PIN.
- Something you have, such as a fob or an app on a smartphone.
But with current technology, these are getting blurred, and in many cases shifted. For example, Microsoft’s Hello implementation will let you log in with your user account (Something you are), the computer you have registered on (Something you have), and your face (also Something you are) – no Something you know. No password is involved!
Similar methods such as fingerprint readers, retinal scanners, or voice recognition will also replace using a password. Apple and Google are implementing a similar technology called PassKey (which Microsoft says they will support, too) that utilizes these biometric devices to replace passwords.
Of course, if the device can determine that it’s really you, what’s the point of asking for a password? In fact, MFA will no longer be needed – just walk up and authenticate. Passwordless authentication makes everyone’s life so much easier. No remembering passwords or having to go through the process of resetting them when we forget.
Currently, there is some extra overhead in the initial authentication. Generally, you still need to enter your username, password and MFA code to prove it is really you and to associate your face, eye scan, fingerprint, etc. with you. But as these extend to centralized authentication systems, expect that overhead to go down over time.
The two biggest holdups to a broad rollout of passwordless authentication are adoption of standards and implementation. Having integrated components on your computer that can read biometric data is by no means widespread. Most (but not all) laptops come with cameras now, but a smaller number come with fingerprint readers. Few desktops come with these. You can’t be passwordless if the devices you use don’t support passwordless authentication.
The second component is vendor implementation of the standard. Until just recently, Microsoft’s standard only supported passwordless authentication to individual machines. That is, you couldn’t record your biometric signature on one and then use that to log on to another computer. Microsoft, Google and Apple are all working on business-level passwordless authentication, but they are still fairly new and immature. Only after the support gets stable will third-party authentication services start to support that platform’s passwordless authentication.
So passwordless access for our business clients might not quite be there yet. But stay tuned. As soon as it is, we’ll be knocking on your door to help you implement it for your business and make everyone’s life easier.
Robert Hood
CEO & Founder
SpotLink