Published at www.techradar.com
Passwords? Who needs passwords?
Apple is no stranger to making headlines around its annual WWDC conference, held in June 2022. While its products reach consumers and businesses all over the world, one of the biggest headlines from the 2022 conference was not about a slimmer, faster new iPhone, but the company’s planned replacement for passwords, coming soon to Safari and iOS: a plan to make even the best password managers all but obsolete.
The password problem is well documented these days. With 39% of UK businesses hit by cyber attacks last year, and phishing accounting for nearly 90% of those attacks, the security limitations of passwords are clearer than ever. And we all know what a poor experience passwords offer. The growing number to remember, plus their required complexity, means that re-use and sharing of passwords is rampant. 72% of enterprise workers admit to reusing passwords, increasing their exposure to costly account takeovers, data breaches and even stolen identities.
Alternatives to passwords have been introduced in various forms over the last few years to counteract the glaring faults passwords present. Multi-factor authentication (MFA) has helped some businesses improve security; however, the significance of Apple’s latest announcement, and what it means for the move away from passwords, is hard to overstate.
What are passkeys?
Apple’s passkey technology utilizes well-established industry standards from FIDO Alliance that Apple has been a part of during their development, working with other tech companies and service providers from across the globe to reduce the collective reliance on passwords.
FIDO Alliance passwordless sign-in standards are already supported in billions of devices and all modern web browsers. The latest development and expansion in capabilities has been led by Apple, Google and Microsoft, who are now building support for these into their platforms – and, in turn, making these available across the world’s most popular browsers and operating systems.
This new passwordless standard presents a huge variety of benefits that passwords simply cannot provide. It enables a more seamless sign-in by allowing users to automatically access their credentials across multiple devices, eliminating the need to re-enroll every account. This ensures that users will have a consistent experience regardless of which browser or operating system they use to log in. The user experience couldn’t be simpler either: users log in via biometrics or a PIN on the device, just as they currently unlock their devices.
You can forget passwords but you can’t forget your face
Security and convenience are two of the most important features needed to truly enable the full eradication of passwords – biometric verification provides both to a high standard.
Unlike passwords, biometrics are tied to an individual person and unique to them. This means they do not suffer from the limitations passwords present when it comes to shareability and theft. While it is true that nothing is unhackable, modern biometric technology is highly robust and requires significant time, effort, money and expertise to compromise.
It is almost impossible to attack biometric verification at any scale, as even a successful spoof is tied to one person and one device or app, limiting the number of attempts that can be made. With passwords, only one needs to be compromised for it to then be easily shared or uploaded to the dark web. And because the password was most likely used for multiple accounts, one compromised credential can quickly offer access to multiple accounts. Ultimately, biometric verification takes the responsibility away from the user: you can’t forget your face or give it away, as we do with passwords in phishing attacks.
Why face verification?
Any truly effective password replacement must be agnostic of device, scenario or user. Facial verification is the strongest candidate among the biometric identifiers to deliver this for several key reasons:
- Sturdy security – Facial verification that uses liveness ensures the person authenticating is a real person and not a spoof attack using a photo or mask. Industry-leading solutions offer another step up from this – advanced verification technology ensures a user is authenticating in real time and is not a synthetic image.
- Ease of use – When it comes to setting up facial verification, all the user needs is a smart device (such as a laptop, smartphone or tablet) with a camera and a provider’s SDK that can be integrated into an organization’s application. There is no need for costly additional sensors, which not only makes it more cost effective for organizations, but also ensures users can use their existing personal devices.
- Inclusive UX – The highest level of inclusivity and accessibility is crucial for authentication methods to be able to offer a passive authentication experience. Users merely need to look at a screen for facial verification, avoiding cognitive overload and navigating most physical impairments a user might have.
- Users already love it – Facial verification is not a new and unknown technology. Users have been using it to access their devices and applications for years, with more than 30% of consumers already choosing it to access mobile banking.
The future is passwordless
Apple’s WWDC announcement on passkeys is just one of many nails in the coffin for passwords, and it’s clear biometrics will be another when it comes to identity management. While passwords won’t be totally eradicated in the very short term, organizations, service providers and device manufacturers should now start to consider the future of this biometrics-led, passwordless world, with face verification at the top of their RFPs.