Future of Passwords

May 11, 2022

Effective passwords are

  • Changed often
  • Long and made from uncommon letter combinations
  • Unique to each site
  • Not stored in an accessible way

Unfortunately, each of these requirements makes passwords a terrible human-centric authentication mechanism. But how else would we authenticate people?

Two-factor authentication (2FA; more generally multi-factor authentication, MFA) addresses the case where an attacker has obtained a leaked password. It does this by requiring a second factor alongside the first: (1) something you know, such as the password, plus (2) something you have, such as a device. A third kind of factor is (3) something you are, such as a fingerprint or iris scan.

Time-based one-time passwords (TOTP) add a temporal security element. These codes (often sent over email or SMS) are only valid for a short window. This time-lock limits the blast radius of leaked or reused authentication credentials.
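To show the time-lock concretely, here is an added example (not code from the original post) of RFC 6238 TOTP in pure Python: the code is an HMAC over the current 30-second time step, so a captured code stops verifying once that step has passed. The secret is the RFC 6238 test-vector key used as a constructed demo value, and the function names are my own.

```python
import hmac
import hashlib
import struct
import time

# Constructed demo secret (the RFC 6238 test-vector key), not a real credential.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: int,
                skew_steps: int = 1, step: int = STEP_SECONDS, digits: int = DIGITS) -> bool:
    """Accept the code for the current step plus or minus skew_steps (clock drift tolerance).

    Each candidate is compared in constant time. A code captured earlier is rejected once
    the verifier's clock has moved past the window, which is the 'time-lock' property.
    """
    current = at_time // step
    for counter in range(current - skew_steps, current + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("code:", code, "valid now:", verify_totp(DEMO_SECRET, code, now))
    # The same code replayed five minutes later falls outside the window and fails.
    print("same code 5 minutes later:", verify_totp(DEMO_SECRET, code, now + 300))
```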

FIDO (Fast IDentity Online) is a standard that aims to unify approaches to hardware-based authentication. YubiKeys implement FIDO and can provide passwordless authentication or stronger 2FA. FIDO has two interesting properties: (1) it is phishing resistant, and (2) it is often hardware-based, which makes the private key resistant to extraction.

There are numerous startups (e.g., Stytch) that provide passwordless logins. These logins often rely on time-based codes but are only as secure as the medium they are sent over (e.g., SMS or e-mail). Other startups replace passwords with public-key cryptography, such as an ECDSA key pair (e.g., login.xyz). See my primer on Elliptic Curve Cryptography for how that works.

Startups pitch investors on going passwordless because it can sometimes increase their customers' conversions, decrease unsuccessful sign-ins, and provide a quicker user experience.