Is this the end of the password era?

The pesky password: so many to remember and so complicated to create unique, strong ones for each account. So hard to manage. And most importantly, so not secure.

According to research by password manager provider NordPass, the top 20 passwords used in Canada can be cracked in one second, and globally, 123456 is still the most commonly used password!

So, what’s the alternative? Welcome to the new world of passwordless authentication, where traditional passwords are quickly becoming a thing of the past. Simple and more secure, passwordless authentication is quickly becoming the de facto standard for logging in.

What is it?

Passwordless authentication, as the name implies, transforms how we access our accounts by eliminating traditional passwords entirely. Instead of memorizing complex combinations of letters, numbers and symbols, users can choose from several sophisticated authentication methods that prioritize both security and convenience. There are several passwordless authentication methods currently in use including:

• Biometrics: authentication through physical traits including fingerprints, retina scans or facial recognition. For example, unlocking your smartphone using your fingerprint or face recognition.
• One-time passwords: temporary passcodes sent to a device that are used to gain access. An everyday example is receiving a 6-digit code via text message to log into your email account.
• Passkeys: pairing that matches a key residing on a device with a key stored on the account. In practice, this could be logging into a website on your laptop by scanning a QR code with your phone.
• Digital certificates: a file or electronic password that validates the authenticity of a device, server or user using cryptography and public key infrastructure. A common use is securely accessing your company's network through a Virtual Private Network (VPN).
• Magic links: a one-time use URL that you receive by email or text, which automatically verifies you when you click on it. For instance, accessing your food delivery app by tapping a link in a text message.

Why is passwordless better?

Passwords have long been the weak link in the security chain. Most people lack the password hygiene needed to keep themselves optimally secure. They rely on passwords that are not strong enough (easy to guess), reuse passwords on multiple sites and overlook safe storage.

Poor password hygiene leaves people susceptible to having their accounts compromised through phishing, brute force attacks, man-in-the-middle attacks and credential stuffing. Password vulnerabilities have been the cause and target of many of the biggest breaches including the recent RockYou2024, where approximately 10 billion passwords were leaked.

According to research by Ping Identity, a leading provider of seamless and secure digital experiences, security (78%), ease of use (76%) and privacy/consent (69%) are top concerns for consumers when interacting with online brands.

Passwordless authentication makes logging into services and accounts more convenient and more secure. Phishing isn’t possible because users can’t be tricked into entering details on a copycat page. And brute force attacks have been neutralized because passwords leaked in data breaches are no longer a way into people’s sensitive information.

You’re probably already using passwordless

Passwordless authentication isn’t fully mainstream yet, but it’s definitely gained popularity in the past three years. Passkeys specifically have grabbed the spotlight on the security stage since Apple, Google and Microsoft adopted the sign in method across all their mobile, desktop and browser platforms.

According to The Associated Press, a passkey is made up of two parts of a code that only make sense when they are combined, like a digital key and padlock. Half of the encrypted code gets stored on your smartphone or computer. The apps, services or accounts you’re using the passkey with store the other half. You then log in using your face, a fingerprint or a PIN (think about how you access your phone).

Passkeys only work with the websites they were created for, eliminating one of the biggest risks associated with traditional passwords, specifically reusing one password across multiple log-ins.

In fact, 20% of the world’s top 100 websites now accept passkeys. Apple introduced them to macOS and iOS in 2022. Google followed suit in 2023. And PayPal, Amazon, Microsoft, eBay and many others weren’t far behind.

Simple and secure

That’s the future of logging in. We want our accounts and services to be secure without the hassle of remembering complex passwords, resetting passwords when we can’t remember them and worrying about hackers getting access to our personal information with stolen passwords.

Passwordless authentication offers a solution to these challenges. It is easier, more convenient, and more secure than traditional methods. Considering that the bulk of websites you visit and services you use likely offer some form of passwordless authentication, it's time to start adopting it. If it isn't available yet on certain sites, keep up with your password hygiene and use additional layers of security like multi-factor authentication. Passwordless authentication gives you more options, power, and control over how you secure your online identity and personal information.

While we transition to a password-free future, it's crucial to keep your current accounts safe. For more information on protecting your devices and accounts, check out this video on setting strong PINs or passwords and the benefits of using a password manager. These practices will help safeguard your digital life today as we move towards a more secure, passwordless tomorrow.