For the past decade, we’ve observed World Password Day, an annual reminder for individuals to update their passwords. This tradition underscores a fundamental flaw of passwords: for them to remain effective, they must be changed frequently. However, people often struggle to remember these constantly changing passwords, leading to insecure practices such as pattern-based changes or even storing passwords in plain text files on their desktops.
Over the years, the landscape of login security has become increasingly complex. Security threats have evolved, with phishing attacks becoming more prevalent and sophisticated. Simultaneously, password rules have become more stringent, with fluctuating requirements around special characters, capitalization, and length. Understandably, many users report feeling frustrated by the complicated rules around passwords and overwhelmed by the sheer number of usernames and passwords they have to manage.
Despite significant advancements in authentication technologies, we find ourselves in 2023 still grappling with passwords. Given their security and usability limitations, why do passwords persist? What could a future without them look like?
At CodeB, we’ve observed the stubborn resilience of passwords, even as more of our workforce users adopt high-assurance and phishing-resistant solutions. Our customers have offered a few explanations:
- Passwords represent an accepted risk. Despite their flaws, passwords are a known entity. IT teams understand how to implement and manage them, and end users know how to create, recover, and reset them. The familiarity of passwords can outweigh their risks for businesses aiming to meet their customers and users where they are.
- Alternatives may seem unclear. Organizations might be unfamiliar with other approaches to authentication. The concept of going passwordless might seem more like a futuristic ideal than a viable option today. They may also lack the knowledge on how to embark on a new path.
- Transformation is challenging. Change always involves some friction. Transitioning from a password-based authentication approach to something else would require time, engineering effort, and an evolution of user behavior. For some decision-makers, the resistance to change is too strong.
Despite these considerations, we at CodeB decided to embark on our own passwordless journey more than three years ago. While we’re not 100% there yet, we’ve certainly learned some valuable lessons along the way.
Phishing resistance has business value. Passwords, with their susceptibility to phishing attacks, present a constant security challenge. This can be costly for businesses like ours, which have to spend significant time and money just discovering and handling these phishing threats. In contrast, passwordless flows are inherently phishing resistant, because by definition there are no passwords for bad actors to intercept. Businesses can reclaim all the time and money they might otherwise have to spend mitigating phishing attacks. In other words, going passwordless can deliver real business value.
The conventional wisdom that more secure authentication comes at the expense of the user experience is a false dichotomy. By going passwordless, we’re providing a better experience for our CodeB employees and customers. By removing passwords from the authentication process, we can save users time, reduce frustration, and lower login failure rates.
Based on our own data and experience, we’ve observed that when people use the CodeB SSI, CodeB Smartlogin/Credential Provider, and our CodeB Authenticator — our phishing-resistant passwordless authenticator — to log in without a password, they can do it in less than a third of the time it would take with a password. Password-based logins at work also fail approximately 10% of the time, compared to just 1% for logins with CodeB — a significant improvement!
We’ve made great progress on our journey to passwordless at CodeB, a journey that involves updating all of the apps and services we use to be consistent with phishing-resistant policies. These policies require end users to use at least one phishing-resistant factor, such as CodeB Authenticator or CodeB Credential Provider, to log in to their resources. We keep close track of our progress, but there is always space to improve.
One major step we’ve taken to improve is to align with our Product and Engineering teams and our customers to highlight any current platform gaps that might hinder us from getting to 100% passwordless, phishing-resistant login flows.
Ultimately, we aim to enable both our CodeB workforce and our customers to go completely passwordless. We’re doing that with new products and solutions like CodeB Authenticator. The platform improvements we’re making on our own journey to passwordless should make the path forward much easier for our customers to navigate.
Internally, I’ve received overwhelmingly positive feedback from our employees about our passwordless approach. They find it far more convenient, for example, to use the mobile CodeB Authenticator app to access their apps and accounts, particularly when traveling.
Despite the growing number of innovations like these, most Identity and Access Management solutions today are still at least partially dependent on passwords. Embracing passwordless will get easier as platform vendors and device manufacturers align on standardized flows for recovery, issuance, and non-proliferation. And consumer-centric technologies like OpenID Connect (OIDC) will help further democratize the use of passwordless credentials, much like how Touch ID and Windows Hello democratized biometric authentication.
As IT leaders, we can’t be stagnant or fearful of a world without passwords. Instead, we must move on from the past, adopt new practices, and evolve. By doing so, our organizations can start enjoying the benefits of passwordless systems: better user experiences, higher productivity, lower support costs, and of course, enhanced security.