Companies would be better off forgoing passwords when attempting to verify a user's identity, experts say, but business processes must be built out to support new types of authenticators.
"We have a strong promise with our current set of technologies to push the envelope to where passwords become irrelevant," said Lovlesh Chhabra, vice president of identity platforms for New York-based Oath. "Passwords have to go in their current shape and form."
Stronger methods than passwords for verifying a user's identity are here to stay, Chhabra said during a keynote panel Monday at Ping Identity's Identiverse event in Boston. Passwords are unlikely to die off entirely though, Chhabra said, and may stick around as a fallback to two-factor authentication.
The industry is getting very close to having a lot of big pieces fall into place for a post-password future, according to Brad Hill, engineering lead at Menlo Park, Calif.-based Facebook. Specifically, Hill said near-field communication (NFC) technology is something most people are already acquainted with from swiping to get onto a bus or into a building, and it can be deployed at scale very cheaply.
"It's just a familiar technology that is used around the world at a very low price point, and we're this close to having it reach into most devices people use on a day-to-day basis," Hill said during the panel. "Once the last couple of pieces are put into place, the opportunity for big disruptions is going to be really huge and might happen really quickly."
Although passwords are poor authenticators, they benefit from being both easy and the default, according to Dean Saxe, security engineer at Seattle-based Amazon. As a result, Saxe expects getting rid of passwords will be a very long process.
Organizations should start by eliminating passwords for the most security-conscious applications in verticals such as banking, financial services and health care, Saxe said, and work backwards from there. Once users become used to having their identity verified through a mechanism other than passwords, Saxe believes the adjustment will become much easier.
Users have grown accustomed to a system where their email address serves as their user ID and can be used for recovery purposes in the event of a forgotten password, according to Facebook's Hill. Therefore, Hill said, disrupting the password will disrupt both legacy technologies and the entire way security professionals think about identity verification systems.
Specifically, Hill said businesses need to think about how they can rebuild support services at the end of the ecosystem, such as account recovery, in a world without passwords. Hill said work has been occurring around open standards for bi-directional anonymous strong recovery in the event that a device has been lost and an email address is no longer being used as the user ID.
"The password is just sort of the first bad habit to break, and it's going to make us think about everything else that we're doing," Hill said.
Business processes need to change and support new types of authenticators, according to Amazon's Saxe. Specifically, organizations must figure out how to build a group of trusted referees in a workable, scalable model in a world where someone might lose a physical authenticator.
One option would be to force users to remain offline if they've lost or broken all their authenticators and are working remotely, Saxe said. Although this is a stellar option from a risk standpoint, Saxe said it would be a tough pill for many companies to swallow in practice.
The industry should look toward standards to create compelling value around eliminating passwords for both businesses and users, according to Oath's Chhabra. Consumers are more likely to opt into a service that can manage access for Facebook, Google, Yahoo and other accounts from the same place, Chhabra said.
Conversely, Chhabra said a standalone service created by a single vendor is unlikely to be compatible with the products that other people are offering.
"We have to break that shell," Chhabra said. "We have to get people to adapt."
Ultimately, passwords are no longer bound to security, according to John Fontana, standards and solutions analyst for Palo Alto, Calif.-based Yubico. Instead, Fontana anticipates they'll most typically be used to signal when a person is looking to access a website, with another credential, such as a cryptographic key, actually used to verify identities.
"We're just ready to cross that line," Fontana said. "It's going to take some time and some patience, but it just feels like we're going to get there this time and solve this problem."