The BDN Opinion section operates independently and does not setnewsroompolicies or contribute to reporting or editing articles elsewhere in the newspaper or on bangordailynews.com.
Darren Guccione is CEO and co-founder of Keeper Security. He has served multiple Chicago mayoral administrations as a technology adviser, and he mentors aspiring entrepreneurs who focus on social impact and transformative technologies. He wrote this column for the Chicago Tribune.
Why would the CEO of a password management software company ever want to get rid of passwords? The answer is obvious.
Passwords litter our brains. They require an endless cycle of updates and have to follow complex rules that at times require a Ph.D. to comprehend. They even need an extra layer of security because they’re not strong enough on their own. Even worse, the pandemic magnified everything wrong with passwords across billions of new devices, which not only shifted to the cloud but also into our homes. In this environment, every application and every endpoint for every user needs — you guessed it — passwords.
If I could throw away passwords as we do with the trash, trust me, I would. Wouldn’t we all?
When you read the headlines, it may seem a new era is emerging. With the announcement of passkeys promising a tectonic digital shift to “passwordless” authentication, the world’s collective hope is mounting for an online experience that doesn’t involve 12-character strings of letters, numbers and symbols that are impossible to remember. From passkeys to biometrics, more efficient ways to access our online accounts are heralded as the answer to a passwordless future. The irony, though, is these authentication methods still need a backup. And that backup is? You guessed it — passwords.
Passwords protect the underlying systems that connect our modern world of networked devices. Currently, the world has more than 1.1 billion websites, along with billions of native applications, systems and databases that have all been structured for passwords, even when biometrics are used for convenience. Given the scope of this worldwide infrastructure, can you imagine pulling off a collaborative mass migration to a single, passwordless approach that could meet the underlying authentication and encryption requirements of every website, application and system?
I live in the gritty cybersecurity trenches every single day. I can tell you that the complexity of humans, machines and artificial intelligence-enabled systems make a ubiquitous passwordless future on the same level of difficulty as our quest to colonize Mars. We may get there eventually, but it hasn’t happened yet, it won’t happen tomorrow and it’s unlikely to happen for the foreseeable future.
As we eagerly wait to see if passwordless authentication methods one day become the standard, the first iteration will be more akin to charging your electric vehicle with a gas generator. Current passwordless solutions simply don’t provide a full end-to-end solution for identity and access management. In simple terms — systems need to make sure the right person, on the right machine, from the right location and at the right time, is authorized to access a website, application or system. The back end of any hardened system, to protect user data against cybertheft, still requires some level of password-based authentication with layered encryption keys.
The latest innovations in password technologies have come a long way. As of today, the progress — albeit slow — has been brilliant, noting that more will emerge. However, they will not comprehensively replace passwords anytime soon, if ever. We can remove the manual process of having to enter a string of numbers and letters to get access to whatever we need, but ditching them altogether isn’t yet possible. As of now, what we can and should do is provide innovative technologies that protect, organize and enable the coalescence of passwords, biometrics and passkeys in one ubiquitous system.
As an industry, we’ve made considerable strides to improve online security, but it’s up to you as an individual to protect your own online experience by creating strong, unique passwords for each account, storing them securely in an encrypted vault and enabling multifactor authentication — that second layer of security — whenever and wherever possible. This does not need to be a difficult task since a password manager will do all of this for you. In fact, a password manager not only protects your personal information and sensitive accounts but also simplifies the online experience by removing the need for you to create or remember passwords altogether. And yes, an effective password manager can even secure and enable your passkeys.
With billions of websites, systems, applications and devices that are still dependent on passwords (and their ability to initialize and execute authentication and encryption schemes), we will need to continue innovating for a passwordless future while, at the same time, transacting with passwords to avoid letting the “best” be the enemy of the “good.”