The WEF cyber security center has published its report on Passwordless Authentication. I was happy to contribute, and in the past have found myself calling for the death of the password. While perhaps overdramatic, I do believe that we need to embed different approaches to seamless authentication in our digital infrastructure.
Passwords, while a traditional and very human way of sharing secrets, have major shortcomings. Organized crime has been very effective in exploiting our propensity for choosing our favorite football team or pet name, and in cracking passwords retrieved from data breaches, which are a rich source for increasingly sophisticated automated password-guessing attacks.
It is time to try to move to new forms of authentication, whether they be biometrics bound to our personal devices, behavioral patterns, or the possession of cryptographic hardware tokens. Indeed, the authentication models of the future may be a combination of all of these factors, delivering appropriate confidence that we are who we say we are—and allowing us to complete our transactions in the digital world. The alternative models in the WEF paper are a start; there will be others, and we will need the cryptographic architectures to support these models—hopefully quantum-safe!
Yes, the move will be difficult—we are curiously comfortable with passwords while simultaneously complaining when we forget or mistype them, or when a website's password complexity rules don't match our view of what a good password is. And yes, there will be legacy systems which need to be transitioned or 'wrapped' with new authentication systems.
But like floppy disks and the VHS video cassette, perhaps the password has had its day, and we need a new authentication (and perhaps identity) model for our digital world.