Managing your online passwords can be a chore.
Creating the sort of long, complicated passwords that best deter cyber-thieves — especially for dozens of different online accounts — can be tedious. But it’s necessary, considering the record number of data breaches in the U.S. last year.
That’s why it’s so enticing to dream about a future where nobody has to constantly update and change online passwords to stay ahead of hackers and keep data secure. Here’s the good news: Some of the biggest names in tech are already saying that the dream of a password-less internet is close to becoming a reality. Apple, Google and Microsoft are among those trying to pave the way.
In that hopeful future, you’d still have to prove your identity to access your accounts and information. But at least you wouldn’t have to remember endless strings of unique eight-character (or longer) passwords, right?
Well, maybe not quite. The answer is still a little complicated.
What password-less options already exist?
In theory, removing passwords from your cybersecurity equation nixes what former Secretary of Homeland Security Michael Chertoff has called “by far the weakest link in cybersecurity.” More than 80% of data breaches are a result of weak or compromised passwords, according to Verizon.
In September, Microsoft announced that its users could go fully password-less to access services like Windows, Xbox, and Microsoft 365. Microsoft users can instead use options like the Windows Hello or Microsoft Authenticator apps, which use fingerprints or facial recognition tools to help you log in securely.
Microsoft also allows users to log in using a verification code sent to your phone or email, or with physical a security key — resembling a USB drive — that plugs into your computer and features an encryption unique to you and your device.
Joy Chik, Microsoft’s vice president of identity, wrote in a September company blog post that tools like two-factor authentication have helped improve users’ account security in recent years — but hackers can still find ways around those extra measures. “As long as passwords are still part of the equation, they’re vulnerable,” she wrote.
Similarly, Google sells physical security keys, and its Smart Lock app allows you to tap a button on your Android or iOS device to log into your Google account on the web. In May 2021, the company said these tools were part of Google’s work toward “creating a future where one day you won’t need a password at all.”
Apple’s devices have used Touch ID and Face ID features for several years. The company is also developing its Passkeys feature to allow you to use those same fingerprint or facial recognition tools to create password-less logins for apps and accounts on your iOS devices.
So, in a sense, a password-less future is already here: Microsoft says “nearly 100%” of the company’s employees use password-less options to log into their corporate accounts. But getting every company to offer password-less options to employees and customers will surely take some time – and it might be a while before everyone feels secure enough to dump passwords in favor of something new.
That’s not the only problem, either.
How secure are they?
Doing away with passwords altogether is not without risks.
First, verification codes sent via email or text message can be intercepted by hackers. Even scarier: Hackers have shown the ability to trick fingerprint and facial recognition systems, sometimes by stealing your biometric data. As annoying as changing your password might be, it’s much harder to change your face or fingerprints.
Second, some of today’s password-less options still ask you to create a PIN or security questions to back up your account. That’s not much different from having a password. In other words, tech companies haven’t yet perfected the technology.
And third, there’s an issue of widespread adoption. As Wired pointed out last year, most password-less features require you to own a smartphone or some other type of fairly new device. And while the vast majority of Americans do own a smartphone, those devices range dramatically in terms of age and internal hardware.
Plus, tech companies still need to make online accounts accessible across multiple platforms, not just on smartphones — and also to the people who don’t own smartphones at all, roughly 15% of the U.S.
In other words, it will likely still be some time before passwords are completely extinct. Enjoy typing your long, complex strings of characters into login boxes while you can.
Sign up now: Get smarter about your money and career with our weekly newsletter
If your passwords are less than 8 characters long, change them immediately, a new study says
These are the 20 most common passwords leaked on the dark web — make sure none of them are yours