Passwords have been the de facto method for securing access to digital platforms for a great portion of the digital era. However, security experts now advise against them in favour of more robust authentication protocols, which might include the use of biometric tools and third-party password management applications instead.

In fact, some experts predict that passwords are in the process of being rendered obsolete.

“Most data breaches can be linked to weak passwords. Although passwords are not quite dead, they will disappear in the next 10 years, with some legacy systems still reliant on them,” said Joseph Carson, chief information security officer at Delinea, an access management solutions company, in a webinar last week.

“Biometrics are a better identifier. Although my thumbprint is not exactly a secret – in the way a password is – it is better at identifying me than a password is,” he said.

In the webinar, Carson addressed a few myths about passwords that diminish their efficacy as a digital system’s first line of defence against malicious attacks. These are:

Password complexity guarantees security: Complexity forces users to choose very standard ways of developing so-called “strong” passwords, which include “adding that special character which everyone knows is an exclamation mark at the end”.
Frequently changing passwords improves security: This gets users in the habit of slightly changing the same password. It also increases the likelihood that a user will have to change their password over an insecure network or in a public area where they can be spied on.
Storing passwords in the browser is secure: The security in the browser is usually not enabled, so if their main system is compromised, then the attacker gets access to the credentials for many other systems. Users must ensure they enable browser security.
Never changing passwords because two-factor authentication (2FA) is installed: Some users have not changed their passwords for years – or have never changed them at all, because they assume that 2FA will give them better protection, but attackers are finding ways around it.
Assuming insignificance: “Why would hackers want my data, I am a nobody,” people say, but attackers look at data from an opportunistic perspective. If they can hack an employee account, that might give them access to the rest of the business.

Biometrics such as facial recognition, fingerprint scans, iris scans and voice verification are leading the password-less revolution. But Dilenea research shows that multifactor authentication, one-time passwords, “magic links” and passkeys are also seeing increasing adoption rates among organisations.

Read: FNB backs down on password decision after backlash

Leading data security practices encourage organisations to move away from a password-management paradigm and adopt an identity management perspective instead. A key identity management principle is to align the level of privilege users have when accessing organisational resources with their functional requirements. This limits the likelihood that a security breach will occur, and more importantly restricts the potential scope of damage should security be compromised.

“In many organisations, users often have superuser or admin status without the need for it. If those credentials are compromised, hackers gain access to the entire system in one go,” said Carson.

For many organisations, identity management is strictly an internal matter relating to how and where employees can gain access to company resources. For those companies whose offerings includes the provision of digital services, the scope of their identity management duties extends to their customers as well. Retail banks are a typical example of this.

“We have been early adopters of passkeys and introduced logging in with fingerprint and face biometrics a year ago. We haven’t removed traditional Pin login totally from our app, and actually force a Pin login now and then to ensure customers remember their Pins. Ever since we have introduced login with biometrics (face and/or fingerprint), we have been tokenising [sensitive data] with keys,” said Yatin Narsai, CEO at Bank Zero.

Tokenisation is a way of protecting sensitive data by using a token to represent “real” information. A seemingly nonsensical string of numbers to represent a bank card is one example of a token. If the tokenised data is “stolen” in transit, the token will not be of any value to the attacker since it is meaningless in and of itself. The attacker also does not have the biometric information that authenticates the user to the tokenisation service, so they can’t get the token verified for use. They would not be able to “tap” or “swipe” the tokenised card to make payments.

TymeBank’s chief technology officer, Bruce Paveley, also attested to the growing significance of biometrics over traditional passwords. He said password managers are a great way for users to manage the myriad username and password combinations they need to remember for the many different sites and apps that they use. Examples of password managers include Dashlane and 1Password.

Novel solution

“Password management tools are a great solution to prevent people writing passwords down on paper, which they can’t protect from other people. They allow the person to store multiple passwords for multiple sites and applications securely. Ideally, a separate password should be used for each site or application accessed and you should never share passwords between multiple sites or applications. However, the device and access to the application must then be well controlled and have biometric verification to access the device and the password management application to ensure the person who set it up is the same person accessing it,” said Paveley.

Read: The most commonly used Internet passwords revealed

Passkeys, meanwhile, are a more novel solution to the multiple password problem. When a user registers on a website, they authenticate themselves biometrically and then give the site a copy of their public encryption key. The corresponding private key, which is the only key that can decrypt anything encrypted by the public key, is stored safely in the user’s on-device password manager.

The next time the user wants to login to the website, it challenges them by sending a random string encrypted using their public key. If the user sends it back unencrypted, then they are authenticated.

Like tokens, passkeys have the advantage that they are not useful to attackers should they be intercepted. Again, biometrics are used as 2FA to permit the user’s password manager to decrypt the incoming string and passwords need to be remembered.