Is the Future of Cybersecurity Passwordless?
by: The Beat Asia
October 12, 2021
Do you remember creating your first ever password?
A password, an arbitrary chain of characters comprising letters, numbers, and symbols, is employed by a user within the authentication process to access a computer system, an application, a device, a website, or a platform – like a key to a lock. But we'd wager your first password wasn't the most sophisticated of forms.
When you created an account in the early years of Friendster, MySpace, or Facebook, or signed up for a Yahoo email for the first time, you (or someone you know) probably chose a password inspired by personal information for easy recollection: a combination of your birth year and month, perhaps, or the street you grew up on, your childhood pet's name, or maybe even your favorite band.
But the easier your password is to recall, the likelier it is for hackers to guess as well. We've since learned that this is the wrong way to devise passwords, and the consequences have shown us just as much. According to Verizon's 2017 Data Breach Investigations Report, people still fail to set strong passwords, with 80% of hacking-related breaches leveraging stolen, weak or guessable passwords. A report by Security.org on America's password habits in 2020 also showed that 45% of Americans use passwords that are eight characters or fewer, while only 15% use strong password generators.
Cybercriminals can easily crack such passwords through brute-force attacks – where hackers use automated software to test large quantities of character combinations – and dictionary attacks, where hackers attempt to guess a user or organization's password by using a wordlist of common words and phrases, such as 123456, qwerty123, password, and the like.
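As an added illustration (not part of the original article), the following Python sketch screens a candidate password for the weaknesses described above: membership in a wordlist, a length of eight characters or fewer, and embedded personal details. The wordlist beyond the three entries the article names, the personal tokens, and the function names are constructed for this example.

```python
import math
import re

# Constructed sample wordlist; the first three entries are the ones named above.
COMMON_PASSWORDS = {"123456", "qwerty123", "password", "letmein", "iloveyou"}


def charset_size(pw):
    """Size of the alphabet an exhaustive search must cover for this password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation plus space
    return size


def brute_force_bits(pw):
    """Upper bound on search effort in bits: length * log2(alphabet size).

    Only meaningful for randomly chosen passwords; a wordlist entry is found
    in a handful of guesses no matter what this number says.
    """
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def audit_password(pw, personal_tokens=()):
    """Return the list of weaknesses found; an empty list means none matched."""
    findings = []
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        findings.append("common-password")
    if len(pw) <= 8:  # the "eight characters or fewer" group cited above
        findings.append("short")
    for token in personal_tokens:
        t = token.lower()
        # Ignore very short tokens to avoid accidental substring matches.
        if len(t) >= 3 and t in lowered:
            findings.append(f"personal-info:{t}")
    return findings


if __name__ == "__main__":
    # Constructed candidates: a pet name plus birth year, a wordlist entry, a passphrase.
    for candidate in ("Rex1994", "password", "correct horse battery staple"):
        result = audit_password(candidate, personal_tokens=("Rex", "1994"))
        print(f"{candidate!r}: {brute_force_bits(candidate):.1f} bits, findings={result}")
```

The bit estimate for "password" looks respectable on paper, which is why the wordlist check has to run regardless of length or character mix.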
The First Computer Password
The first computer password is presumed to have been created in the 1960s at the Massachusetts Institute of Technology, where researchers worked on the Compatible Time-Sharing System (CTSS) project.
The late computer pioneer Fernando Corbato, whom many credit with helping to create the first computer password, told Wired in January 2012 that a problem they had then was setting up various terminals used by different people, each with their own set of files. Putting a password in place for each user, then, seemed like a solution. But what was thought of as a no-nonsense solution turned out to be easily compromised. Shortly after implementing passwords, the CTSS experienced password theft – believed to be the earliest recorded password theft case – after a researcher simply printed out all the passwords stored on the system and shared them with other users.
Two-Factor Authentication, Multi-Factor Authentication, Passwordless
These days, however, using a single password for logging in is no longer the norm and no longer advised, due to the emergence of two-factor authentication.
In two-factor authentication, a user confirms their identity by using two different types of factors: the password being one, and an additional factor to increase login security, such as a PIN, an SMS code, an authenticator app, or a facial or fingerprint scan through a device like a phone.
But there are pitfalls to these types of two-factor authentication; while depending on your phone as an authenticating device can be convenient, it’s debilitating once lost or stolen and expensive to replace.
USB Security Keys
What choice are we left with? Nowadays, hardware security keys are making a name as the new kid on the security block, promising the highest levels of online security and ease of use for two-factor authentication, multi-factor authentication, and even as single-factor passwordless authentication.
Going from using passwords to none at all may seem counterintuitive for many, especially since we've been using passwords to protect our data for the longest time, but depending entirely on a username and password leaves one vulnerable and at risk of data breaches.
Consider Yubico's YubiKeys, touted in the market as the number one security key for strong two-factor, multi-factor, and passwordless authentication. Resembling a sleek USB, the YubiKey allows users to replace weak passwords with effortless, passwordless "tap-n-go" secure logins, as well as a tap-n-go factor for two-factor or multi-factor authentication for added protection. It also allows multi-protocol support, such as smart card (CCID), Universal 2nd Factor (U2F), FIDO2, OpenPGP3, and One-Time Passwords (OTP).
Taking inspiration from the word "ubiquity," the YubiKey makes itself accessible to and compatible with numerous enterprise, developer, and consumer applications and software. Microsoft users, for one, can easily experience passwordless authentication when logging in to Microsoft 365 web apps on Chrome and Edge desktop browsers, as the YubiKey 5 Series can directly authenticate with Microsoft Azure Active Directory.
Imagine no longer typing a password to log in and being safer and protected for it. YubiKey makes this possible and just might spell the near future of passwords: no passwords at all.