GUEST ESSAY: Why it’s high time for us to rely primarily on passwordless authentication

By Thierry Gagnon

Accessing vital information to complete day-to-day tasks at our jobs still requires using a password-based system at most companies.

Related: Satya Nadella calls for facial recognition regulations

Historically, this relationship has been effective from both the user experience and host perspectives; passwords unlocked a world of possibilities, acted as an effective security measure, and were simple to remember. That all changed rather quickly.

Today, bad actors are ruthlessly skilled at cracking passwords – whether through phishing attacks, social engineering, brute force, or buying them on the dark web. In fact, according to Verizon’s most recent data breach report, approximately 80 percent of all breaches are caused by phishing and stolen credentials. Not only are passwords vulnerable to brute force attacks, but they can also be easily forgotten and reused across multiple accounts.

They are simply not good enough. The sudden inadequacy of passwords has prompted broad changes to how companies must create, store, and manage them. The problem is these changes have made the user experience more convoluted and complicated. In other words, we’ve lost the balance between ease-of-use and adequate security under the increasingly antiquated system of password-based access.

Under the current system, companies have two choices: subject employees to burdensome processes to access work servers or become low-hanging fruit for a cyber attack.

By choosing the former – which most companies do as a shortcut to compensate for weak passwords without having to adopt new and innovative solutions – end users must comply with unintuitive experiences such as creating complicated passwords and dealing with complex password reset procedures. I would say companies that take this shortcut are still low-hanging fruit on top of inconveniencing their employees.

Combining IDs, keys

What is the solution, then? The next big thing is passwordless authentication. Let’s remove that point of attack and start fixing the problem at the source. Many organizations have already begun to jump to passwordless, but adoption is slow, and solutions are still in their infancy.


On the consumer side, we see solutions that work now and are incredibly easy to use. For example, we have passwordless facial and fingerprint biometric logins on our mobile phones and the thousands of apps that we use, as well as on our laptops and similar portable devices. However, no clear passwordless solutions offer easy adoption, enterprise-grade security, and interoperability to our large corporations and critical organizations.

Security remains one of the significant issues that need to be addressed on the enterprise level. Solutions need to tackle this problem by establishing trust at the user level to the point that trust is unnecessary. That sounds counterintuitive, but that is what we need to protect organizations from the relentless attacks we are seeing.

A solution that combines biometric identification with device-bound cryptographic keys and interoperable global validation standards.By combining who the user is (through biometrics) with something they know (the cryptographic key), solutions can establish user identity with sufficient confidence at the enterprise level.

Some solutions do this today. However, security and interoperability remain an issue. First and foremost, most solutions rely on connected devices like mobile phones to authenticate users. This leaves the door open to phishing and man-in-the-middle attacks.

New standards needed

Alternatively, some organizations are adopting physical security measures to keep private keys secure and offline. However, these solutions are often criticized for their lack of ease of use, limited interoperability across organizations, and lack of support.

We must keep thinking ahead on security. Attackers will continue to find ways to breach our systems, and authentication cryptography will become increasingly vulnerable to attack. Finding new methods of validation that are resistant to quantum and AI attacks is critical. Our job is to create and implement better systems.

The bottom line is user authentication is vital for securing access to data and systems. To establish trust with the user, the future of secure authentication lies in new passwordless solutions. Emerging technology and innovation in cryptography, biometrics, and device-linked authentication will also be crucial for advancing authentication.

Furthermore, driving authentication forward in our digital ecosystem can be achieved by developing new standards, collaborating with industry peers, and raising awareness. For a system to be introduced and adopted at scale, ease of use is crucial, and security must be uncompromising. The time has come for passwordless systems that seamlessly integrate into businesses without significant user experience disruptions and provide a simple, intuitive, yet secure experience for all.

About the essayist: Thierry Gagnon is Co-Founder and Chief Technology Officer (CTO) at Kelvin Zeroa start-up redefining the way organizations interact with their users in a secure digital world. Kelvin Zero is enabling highly regulated enterprises to secure authentication and know who is on the other side of every transaction.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone