How to prepare for a world without passwords

Businesses are spending billions of dollars each year on cybersecurity solutions, but we’re still seeing a steady increase in security breaches. We hear about high-profile cases, but for every breach that makes headlines, there are countless others that are just as devastating for businesses at every stage of growth.

Why are we seeing this increase? The answer is simple — no matter how strong your security infrastructure, the vast majority of breaches today stem from the same culprit: Compromised login credentials. The password — the very tool that was designed to guard against cybercriminals — is fundamentally flawed because it relies on human behavior for its efficacy. 

There is good news, however. Recent industry developments show promise in addressing this “password problem” with a new type of login that can replace passwords — the weakest link in the cyber defense chain — with un-phishable and frictionless passkeys.

Cybersecurity has been an issue for a long time in tech — a constant concern over the last 30 years of my career at companies like IBM and HubSpot. This milestone is an opportunity to refocus on the basics of cybersecurity and address how the risk of not investing in this area will impact organizations, regardless of industry or stage of growth. Extending far beyond the dollar cost of a hack, a breach can lead to costly penalties, a tarnished brand, low employee morale, and possibly a damaged executive reputation.

The next wave of authentication technology is upon us. To prepare yourself and your workplace, here are three things to keep in mind.

Think passwordless today for passkeys tomorrow

As the CEO of a security company, I am a little more cognizant of password hygiene now than the average person — but I have to admit that I’ve fallen into bad behavior in the past.

Growing up in Louisiana as a huge football fan, I remember setting up my first password and wanting to pick “LSU.” Sadly, the service required at least six characters (shamefully too few, I now know), so I went with “ELESHU” instead. I don’t use that one anymore, but as humans, we’re still too often tempted by shortcuts that expose our companies and ourselves to security risks. As a result, hackers have identified this type of behavior as their most promising attack vector, and we’ve seen tremendous growth of phishing incidents to steal user credentials.

It should come as no surprise, then, that eliminating passwords has always been the goal. So what is a passkey, and why is it different? A passkey is a passwordless credential, where the website and the authenticator are communicating by exchanging keys. These cannot be seen or accessed by humans, removing all human-related risks of password usage.

You can’t accidentally leave a passkey lying around, and there’s no need to worry about generating unique passwords. Passkeys are based on public-key cryptography, and unlike passwords, they don’t rely on storing shared secrets on servers. Humans can type passwords anywhere (sometimes accidentally on a website like facebok.com instead of facebook.com), but passkeys can’t be phished — they are bound to the website they are set up for.

It’s hard to change human behavior, but we can change the way we approach authentication. Only a handful of websites currently support passkey-based authentication, but that doesn’t mean we need to wait around for adoption. Until passkeys become mainstream, you can experience the notion of passwordless authentication through biometrics, or via apps like Discord or Whatsapp using QR codes to allow cross-platform logins. 

Consumers’ behavior will fuel adoption at work

Next year marks the tenth anniversary of the FIDO Alliance, the industry group that’s been working on this problem. Their initial focus has clearly been on consumer applications, not business applications. That makes sense because our employees are consumers too, and their behavior as they shop and interact online will shape the way they interact at work.

In general, I think there has been a major shift in business software, including security software — the user experience has to be consumer-grade to drive adoption, and the expected broad availability of passkeys for sign-ins to various online services. So while the early evolution of passkey technology is geared toward consumer solutions, there is a rich supply of user problems that passkeys will address for businesses at any stage of growth.

On average, internet users are juggling more than 200 logins for various accounts — with that, it only takes one wrong click, one convincing phishing email or one reused password to disassemble an entire organization. The widespread shift to remote work only expanded the number of disparate applications and tools used by teams on a daily basis.

As our workplaces become more digitized and distributed, the surface area that we leave vulnerable to bad actors grows larger and larger. A phishing-resistant solution like passkeys addresses an obvious and urgent need, and the argument for a wide rollout of this technology has already been proven — Microsoft, Apple and Google have made their bets, all recently launching passkey solutions.

Don’t throw away your passwords yet

A majority of popular websites are planning to deploy passkeys toward the end of 2023, and early adopters like PayPal are already offering passkey support for payment. However, during the transition period between passwords and passkeys, websites (like Paypal) will support both. This hybrid phase is important, because the switch won’t happen overnight. Today, even diligent companies enforcing multi-factor authentication (MFA) are falling victim to disruptive attacks. Until passkey technology becomes ubiquitous, a combination of good password hygiene and MFA is still our safest bet.

During this phase, make sure your organization understands the reasoning behind a move from MFA and passwords (which might have always felt like a pain point) to passkeys — the most secure, easy to use, interoperable and trustworthy way for us to live and work online.

JD Sherman is an advisor and board member of Dashlane.