Today, Microsoft announced that it will support USB keys that allow you to log in to everything without a password. Its goal is to create what it calls a "passwordless future". We believe that the concept of a "passwordless" future is good, but it comes with security issues and caveats. Google announced something similar a few months ago.
First, it requires a piece of hardware that you need to carry with you at all times or, as many do, stick to your computer so you don't lose it. What happens if you lose it? You are stranded until a replacement arrives. Remember that your entire life online will depend on this piece of hardware, manufactured by someone you don't know. It's "passwordless", but not effortless. You have to plug it into a USB port, and you need a compatible USB port. Most people have one, but some don't have a smartphone yet or aren't allowed to use one in secure areas, so it won't work for them. The USB device can also malfunction, in which case you'd again be forced to wait for a replacement or a fix. And instead of carrying the USB device around, we've seen many leave it plugged into a USB port or taped to their computer for convenience. Then, of course, anyone with access to that computer will be able to log in and impersonate that user. There won't be any security at all in that case.
Second, not many security folks are looking into how these USB devices are manufactured. They can be compromised by malware at any point between the time they are manufactured and the time you receive them by mail or buy them in a store. This has already been reported numerous times.
Third, and we believe this is the most important point of all: if you use a third-party device to validate your authentication, you are depending on that third party to provide an accurate response. In security, you have to measure risks and consider the probability of the worst-case scenario. It's possible that eventually everyone on earth will be using third-party validators such as a USB device, so that the entire world depends on third parties to validate their authentication. It's also possible that the entire market consolidates into one major player, and that this player becomes a bad actor (or has an employee with nefarious intentions). If that happens, you will be able to authenticate only if they want you to, regardless of whether your authentication is valid. This is obviously an extreme end result, but consolidation of much of the manufacturing process is already taking place worldwide. The only thing that exists today without the need for a third party to validate your credentials is the username and password. The password is a direct relationship between you and the site you want to authenticate to, and it can be replaced at any time. No third party is necessary, and the risks mentioned above are not present. So, realistically, passwords aren't going away any time soon - at least not without some major security risks of which every VP of Engineering, CISO, CIO, and IT manager should be wary.