Managing your online passwords can be a chore.
Creating the kind of long, complicated passwords that best deter cyberthieves, especially for dozens of different online accounts, can be cumbersome. But it’s necessary, given the record number of data breaches in the United States last year.
That’s why it’s so tempting to dream of a future where no one has to constantly update and change passwords online to stay ahead of hackers and ensure data security. Here’s the good news: some of the biggest names in tech are already saying that the dream of a passwordless Internet is about to come true. Apple, Google and Microsoft are among those trying to lead the way.
In this hopeful future, you will still need to prove your identity to access your accounts and information. But at least you wouldn’t have to remember endless strings of eight-character (or more) unique passwords, right?
Well, maybe not quite. The answer is still a bit complicated.
What passwordless options already exist?
In theory, removing passwords from your cybersecurity equation negates what former Homeland Security Secretary Michael Chertoff called “by far the weakest link in cybersecurity.” According to Verizon, over 80% of data breaches are the result of weak or compromised passwords.
In September, Microsoft announced that its users could access services such as Windows, Xbox and Microsoft 365 without a password. Microsoft users can instead use options like Windows Hello or Microsoft Authenticator apps, which use fingerprint or facial recognition tools to help you log in securely.
Microsoft also allows users to sign in using a verification code sent to their phone or email, or with a physical security key – similar to a USB drive – that plugs into the computer and has unique encryption for the user and their device.
Joy Chik, vice president of identity at Microsoft, wrote in a company blog post in September that tools like two-factor authentication have helped improve user account security in recent years, but hackers can always find ways around these additional measures. “As long as passwords are still part of the equation, they are vulnerable,” she wrote.
Similarly, Google sells physical security keys and its Smart Lock app lets you press a button on your Android or iOS device to sign into your Google Account on the web. In May 2021, the company said these tools are part of Google’s work to “create a future where one day you don’t need a password at all.”
Apple devices have used Touch ID and Face ID functionality for several years. The company is also expanding its Passkeys feature to let you use those same fingerprint or facial recognition tools to create passwordless logins for apps and accounts on your iOS devices.
So, in a sense, a passwordless future is already here: Microsoft claims that “nearly 100%” of company employees use passwordless options to log into their corporate accounts. But getting every company to offer password-free options to employees and customers is sure to take time — and it may be a while before everyone feels secure enough to get rid of passwords in favor of something new.
That’s not the only problem either.
How secure are they?
Removing passwords completely is not without risk.
First, verification codes sent via email or SMS can be intercepted by hackers. Even scarier: hackers have shown the ability to fool fingerprint and facial recognition systems, sometimes by stealing your biometric data. As annoying as changing your password can be, changing your face or fingerprints is much more difficult.
Second, some of today’s no-password options still require you to create a PIN or security questions to back up your account. It’s not much different from having a password. In other words, tech companies haven’t perfected the technology yet.
And third, there’s a widespread adoption problem. As Wired pointed out last year, most passwordless features require you to have a smartphone or other type of relatively new device. And while the vast majority of Americans own a smartphone, these devices vary widely in age and internal hardware.
Additionally, tech companies still need to make online accounts accessible across multiple platforms, not just smartphones — and also for people who don’t own smartphones at all, which is about 15% of the United States.
In other words, it will probably still take some time before passwords completely disappear. Have fun typing your long and complex strings into login boxes while you can.