February 1, 2025 was National Change Your Password Day. Which brings up the question: do we still need passwords? With biometrics and MFA, maybe it’s time to ditch passwords altogether. Since car makers can create ignition systems that will not start without the correct fob, then why not use available tech to replace passwords? It would mean less time for IT to spend troubleshooting issues and would stop password refreshes every 90 days!

Are we ready to abandon passwords?

#IAmIntel

5 Spice ups

On topic: No. I’m currently playing chicken with my work’s IAM system. I still have 8 days until I’m locked out. (Timing is coincidental, we’re not forced to reset our passwords on this day.)

Tangential to the topic: I like the idea of a passwordless existence, but I don’t think it’ll create any less work if we move to it. System complexity will rise. Biometric sensors will break/become faulty. The average member of staff can’t be trusted to take proper care of a fob and FIDO key. Passwords are cheaper than physical keys, so no incentive to businesses. And, if tech media is to be trusted, encryption linked to TPM chips isn’t as robust as we’re told, along with UEFI now being successfully targeted with malware by bad actors. I think we’re more likely to see additional steps bolted on to the authentication process, rather than passwords disappearing. With the rise of AI being able to convincingly clone human voice and likeness, I predict the barrier to authenticate will rise, rather than fall. I think it’d be better if we worked towards outlawing weak password/passphrase length and single-factor auth in general. Then enforce password manager usage and tighten up usage of SMS/voice/fingerprint for dual-factor auth. Obviously, this targets service providers/vendors/employers, not individual users. Failure to comply will cost XX% of yearly revenue after tax. It won’t be perfect, as anything stored in software will be compromised eventually, but making the effort, time and cost nearer to what nation-state-backed APTs will spend, rather than lower-level scammers and hacking groups, would be a start.

4 Spice ups

Issue all users YubiKeys as a primary authentication method.

Then wait 90 days and find out that 2/3 of users lost the key.

I think the technology available could in theory replace passwords one day. However, you can never account for user error, and that is the problem.

2 Spice ups

No. I still use 1234 - it’s the same for my luggage!

4 Spice ups

It’s clear passwordless is the future, but it just isn’t possible on all our platforms yet. We agree with NIST’s standards saying passwords should never be required to be reset unless a suspected breach has occurred. I don’t believe in forcing password resets on the regular, as people end up using less secure passwords that they are able to remember.

1 Spice up

Biometrics are something you are which you can easily be compelled to provide (lawfully or unlawfully).

MFA and Passkeys are also in this category (you can be easily compelled to give up) since they are something you have.

Passwords are something you know. As such, you cannot easily be compelled to provide them.

So, to answer your question, I don’t think that passwords are going anywhere, because they still provide something that the other methods cannot.

1 Spice up

You’re missing “something you have.” In general, something you are + something you have is preferred over using something you know, as your memory is limited and passwords become more simple/patternized and can be guessed.

I agree with the idea that we’re heading towards a passwordless future. With biometrics and other options gaining acceptance, I think we’ll have better security choices soon!

#IAmIntel

2 Spice ups

wait…what was this thread about again?

2 Spice ups