If I walked up to you and said you never had to enter a password for any login ever again, you might throw your arms around me and act like it was V-J Day in 1945 in Times Square. Passwords are the grit in our digital oysters, and all the friction of creating them with arbitrary and outdated rules, memorizing or managing them, changing them on a schedule, and entering them perfectly sadly never forms a pearl.
Which is why the enterprise security company MobileIron has upgraded its suite of authentication products to allow IT managers to abolish the password, relying on mobile devices for what it calls “zero sign-on” access. The firm relies on security features in modern hardware coupled with other signals to make a no-password login as secure as one with a password.
For now, MobileIron is at the leading edge of the shift away from passwords. But the move is nowhere near as radical as it sounds, and other companies are working on technologies to give consumer apps and websites better security that requires less work on our part. If the password is indeed on its way out, its death will be every bit as delightful as you’d expect.
1960s technology, 21st-century challenges
The password became the default quantum of identity almost accidentally. Its origin is believed to date to the 1960s, when it was introduced on an early time-sharing system at MIT. At the time, it provided a simple way to keep files private on a single machine when few computers existed in the world.
Managing one password for one computer was easy enough. But no one predicted that people would end up with so much online data to secure. Multiply billions of devices times billions of accounts, and it’s been clear for some time that passwords don’t scale.
Password management software such as 1Password and LastPass can be a big help, but it still leans on the password as proof of legitimacy. Second-factor authentication (2FA) is often cited as a way to solve password problems, and it does deter account hijacks that rely entirely on a password—but it’s more like a second password than a way to move away from passwords altogether. And 2FA doesn’t provide impermeable defense of data, especially when the factor is sent via text messaging. (The 2016 draft of a NIST white paper on best security practices suggested eliminating text messages as a second factor; by its release in 2017 it had been watered down to remove that recommendation. It’s unclear who was behind the change.)
Most people still don’t use a password manager, which leads many to select the weakest password they can get away with under whatever rules an organization or site sets. That makes most passwords somewhat or highly vulnerable to cracking. With many businesses relying on scads of services to get work done, one service that allows weak passwords–or suffers a breach–can render many other linked services vulnerable.
To avoid a password is to rely on an approach in which identity and access are paired. Once you have enrolled by proving sufficiently who you are and that you own a given device that requires biometrics to unlock–a fingerprint or facial scan–a password doesn’t provide any additional assistance.
MobileIron wants to lean on that “mobile” part of its name for real. “One of the things that has changed dramatically over the last few years is the use of mobiles as the primary [devices] that an employee will perform their tasks on,” says CEO Simon Biddiscombe.
With that mobile-first or mobile-always-available approach, MobileIron can shift the weight of authentication factors. In multi-factor security systems, the factors are usually described as something you know, something you have, and something you are. What you know is usually the password, which has been the foundation of security. But if a security system can grant access based on something you have (like your mobile device), and something you are (a biometric parameter), you need not know anything, and the password isn’t necessary.
The most widespread example of this is mobile payment systems such as Apple Pay and Google Pay, which let you enroll a credit or debit card. When you pay using that card, the systems authorize the transaction based on something you have (your phone, watch, or tablet) and something you are (a biometric confirmation via a technology such as Apple’s Face ID or Touch ID). “Apple Pay is my favorite example of a consumer app that feels an awful lot like what we’re doing in the enterprise market,” says Biddiscombe.
The particulars of MobileIron’s new zero-password option will matter to its current and future customers, who will get to stress out less over breaches and password management. But its implications are far broader. The subversive idea of killing passwords at a corporate level provides some insight into how the smaller-business and consumer market could shift strongly away from the most hated single element of computing.
Too many passwords
MobileIron’s bread-and-butter is authentication, so you’d think it would be fixated on passwords rather than trying to get rid of them. Back when the iPhone was new, the company’s founders recognized that executives would buy Apple’s phone and want to access email, while IT departments would be irritated at these new devices they hadn’t vetted and anxious about providing secure access.
In recent years, MobileIron has shifted to all sorts of mobile (and desktop) end-point security and single-login access across intranet, cloud, and hosted services with which employees at a single company might be constantly interacting. Workers might use Office 365, Dropbox, Salesforce, and a corporate email server at the same time, and want easy access to all of them, no matter where they are.
Biddiscombe also points out that increasingly, mobile workers aren’t just the white-collar employees that enterprise software systems have traditionally focused on. Their numbers also include meter readers, package deliverers, factory workers, tree trimmers, people accepting a rental-car return, and many others. Burdening those workers with passwords, when they’re typically in the field or deep in a factory, doesn’t help their productivity. And that hurts a company’s overall efficiency.
In that context, MobileIron hears a lot–a lot!–of feedback from its IT customers about the pain of passwords. Single sign on (often abbreviated SSO) to multiple accounts was supposed to take some of the pain out of that, by letting corporations use their internal logins to validate access to third-party services. But SSO still means both signing on lots of places and entering a password multiple times.
The problem is real
MobileIron recently commissioned a survey of 200 executives and others who make decisions about cybersecurity, mostly in companies with 1,000-plus employees. Those surveyed say they’d halve their risk of breaches by eliminating passwords. Drawing on broader user surveys, the survey also found that almost half of support requests have to do with password or multi-factor lockouts.
Ninety percent of the cybersecurity leaders said stolen credentials had led to unauthorized access attempts, while a whopping 86% declared they’d give passwords the heave-ho if they could.
These problems and attitudes come on the heels of many years of security experts and IT gurus trying to discourage companies and individuals from relying on passwords as a security be-all and end-all.
The FIDO (Fast ID Online) Alliance started up in 2013 with the idea of eliminating the paradigm of passwords as the most important authentication element. The group’s membership includes nearly every key financial, telecom, dotcom, and software company, including American Express, Amazon, Google, Facebook, and Microsoft. (The list can be best summarized as “almost everybody except AT&T and Apple.”)
FIDO stresses public keys, the neat mathematical magic that allows people to have a secret “private” key while also distributing a paired public key used to prove their identity or encrypt messages only they can decrypt. When using a website that supports FIDO’s U2F (Universal Two-Factor) standard, a user first enrolls and proves their identity in one of a variety of ways, including registering a hardware token–from firms like Yubikey–that has a unique, tamper-resistant public/private key pair built in.
On a subsequent visit, a U2F-using visitor still enters a password as a first step, and then taps or clicks the U2F hardware key, which generates and transmits a signed message. The verification is also bidirectional, unlike most logins: Both the user and the site transparently deliver security credentials to prove their identity, which helps deter phishing attacks. (Web security certificates work in a similar way, but aren’t designed specifically to protect user accounts.)
Now imagine the above scenario, only without a password being involved at all. That’s the alliance’s goal, and a bundle of newer standards called FIDO2 have brought it far closer to reality.
With FIDO2, the spec was broadened to allow not just the standalone hardware keys that were required in the alliance’s earlier days, but also any mobile and desktop hardware that includes a hardened, separate security chip that handles cryptographic and biometric identity. This includes Apple’s Secure Enclave, which has been in every new iPhone since 2013; a variety of chips in modern Android phones that adhere to similar principles; and the Trusted Platform Module (TPM) chip found in many desktop and laptop computers, and which is clearly on its way to becoming a standard feature.
FIDO2 can give apps and websites an Apple Pay-like login experience on well over a billion devices–maybe even a couple billion–with no additional effort on a user’s part.
Late last year, Microsoft adopted several different no-password login options for its accounts, some of which rely on FIDO2. In February, Google announced that any Android device running version 7 and later now conformed to FIDO2 standards, bringing no-password logins to a host of users.
As with the FIDO Alliance, Apple seems for now to be the holdout, although it allows third-party apps–but not websites–to use Touch ID and Face ID for authentication after enrollment within the app. If the company made it a priority, it would likely be a short step to supporting FIDO2’s Web-based login standards.
The time is right
If I’d told you a decade ago that you should get rid of your passwords, you would have thought me deranged, because everything up to that point indicated we needed better, stronger, longer passwords to defeat the breaches already cropping up seemingly daily.
But 10 years of account breaches revealed that many companies of all sizes do a terrible job of securing passwords. It also showed that many users choose weak passwords, though we shouldn’t blame them, since a weak password is the best response to a badly designed system.
It’s time to kill the password, and with companies like MobileIron working at it for corporations and Google and Microsoft doing the same for consumers, we can wave a not-very-fond farewell to a bit of brittle chewing gum that’s managed to hold the gubbins of security together.
The future can be as simple as a glance. As MobileIron’s Biddiscombe says, “I just stare at my device, and my device knows it’s me, and the enterprise opens access to the various services I need.”