Password Alternatives

The fact that you are searching for ‘password alternatives’ tells me you’re an optimist, believing there must be freedom from the pain of passwords. You’ll be glad to know it’s not pure fantasy. We now have real, viable password alternatives that can finally set you, your customers and employees free from the security risks and hassles of credential-based logins. 

In this article, I’ll tell you about password alternatives that haven’t worked and why. After you’re clear on what to avoid, I’ll introduce the best password alternative for secure authentication and explain how it works. You’ll step away ready to make the switch. 

Why are passwords bad? 

“Let’s start with security. Passwords can be easily stolen and used to take over customers’ accounts,” states Transmit Security co-founder Mickey Boodaei. “Account takeover is bad for customer experience and bad for business. There is also a liability and compliance aspect of managing a large database of passwords that can be stolen… This has a huge direct and indirect impact over the business and the brand.”

We also know it’s difficult for customers to manage and remember passwords. Getting locked out is a frustrating experience, and you have to decide if it’s worth going through a reset process. It’s no surprise 92% of us will abandon a purchase instead of recovering our credentials. Companies lose revenue, and some customers never come back.

Can we do away with passwords?

We first started looking for password alternatives more than 20 years ago. Over time, we’ve come up with many methods for improving password security. But until recently, all of the ‘solutions’ failed to get rid of passwords, and in most cases, they made the customer experience worse. These are the password alternatives to avoid, and why they fail:

1. Passphrases 
   The concept: hackers have proven they can take over accounts by trying common passwords, like ‘123456,’ the most popular password in 2020. A quick fix is to replace passwords with passphrases, a collection of random words in a nonsensical phrase, making it difficult for hackers to guess or brute force. 
   
   The problems: passphrases can be intercepted by hackers and do nothing to prevent phishing, which collects your login credentials by tricking you with deceptive emails and websites. It doesn’t matter how complex a passphrase is. In 2020, 74% of companies fell prey to phishing according to a survey by Ivanti.
   
   It’s also a poor experience when customers are expected to remember complex passphrases (and change them regularly) for dozens of accounts. As we’ve already mentioned, it’s easy to forget and lockouts are a hassle.

2. Knowledge-based questions (KBAs) 
   The concept: open-ended questions are designed to prove the identity of someone accessing an account or recovering credentials. It’s a simple form of two-factor authentication (2FA) added on top of passwords. In most cases, KBAs are based on a pre-agreed set of questions and answers.
   
   The problems: most KBAs can be answered by anyone who looks at your social media pages. Answers to, “What’s the name of your childhood best friend?” or “Where did you meet your spouse?” could be easily found on the Internet.
   
   Ironically, some of us forget how we first answered our own questions. I’ve had to ask myself, “Did I use my best friend’s nickname, her maiden name or her married name?” It creates yet another bad experience.
3. One-time passcodes (OTPs)  
   The concept: OTPs sent via SMS texts, push messages or emails are another form of authentication that can be used as a single factor or 2FA added on top of passwords. The OTP authenticates the user’s identity by sending a code to the registered phone number or email address, a way of proving possession. 
   
   The problems: OTPs can be intercepted by man-in-the-middle or SIM swap attacks. They do offer more protection against phishing attacks than passphrases and KBAs, but they are not impervious to sophisticated hacks.

4. Security tokens
   The concept: security keys, smart cards or PINs are small hardware devices used to gain access to workstations or restricted resources. Some tokens store cryptographic keys that generate a digital signature or biometric data. Some may also store passwords.
   
   The problems: hardware tokens are costly to provision, lack scalability and are easy to lose. These password alternatives were designed many years ago for the workforce, not consumers who want to access your digital properties.

5. Social logins
   The concept: social sign-ins (e.g. Facebook Login, Google Sign-In and similar options from LinkedIn, Microsoft and Apple) leverage existing accounts to simplify registrations and logins on third-party apps and platforms. The idea is to provide a convenient alternative to mandatory account creation. 
   
   The problems: social logins are still built on top of passwords. Hackers that target Facebook, LinkedIn and other accounts, can expose millions of user credentials at a time. If a social site experiences data theft, those who’ve reused the same passwords will likely have multiple compromised accounts. 
   
   In addition, social logins are notorious for data collection and sharing practices. These apps can track user activity and target you with advertising based on your clicks. It’s a conflict of interest to offer authentication ‘security’ while compromising your privacy. 

6. Authenticator apps
   The concept: authenticator apps generate six-digit OTPs that refresh every 30 seconds. Once you enter the time-limited OTP in the app or site, you’re in. If a hacker manages to get your OTP, it will only work for a 30-second time limit. 
   
   The problems:  criminals use SMS vulnerabilities to reroute text messages and expose OTPs. In 2020, security experts discovered that Google Authenticator on Android devices was vulnerable to a trojan known as Cerberus. It enabled hackers to steal OTPs and access bank accounts. 
   
   There’s also the issue that authenticator apps are linked to passwords and email verification codes, which are vulnerable to phishing. If a hacker steals those credentials, he can use your authenticator account as if it’s his own. 

It’s all hackable! And the customer experience is only getting worse as we add passphrases, KBAs and OTPs. Is there a better password alternative? Yes, biometric authentication solves all of the problems above, and I’ll explain how. But first, there’s one last issue we must put to rest…

Why shouldn’t you use a password manager?

Password managers are targeted by hackers who are highly motivated. A treasure trove of credentials could be worth millions, so criminals work hard to find security gaps. Their efforts paid off in a recent Passwordstate breach when they inserted malware in a software update, much like the SolarWinds attack. Customers who downloaded the update exposed all of their passwords.

Password manager vulnerabilities

Passwordstate is not alone. Hackers have stolen credentials from password manager LastPass, which let them in with an open vulnerability. Researchers at University of California at Berkeley discovered security flaws in four other password managers: RoboForm, My1login, PasswordBox (now Intel Security), and NeedMyPassword.

We also know man-in-the-middle attacks and other advanced methods can intercept passwords in transit. This is not prevented by any password manager, and a single attack can be costly. So let’s be clear: password managers add a layer of security, but you’re still living with high-risk passwords.

What works better than a password?

Biometric authentication is ideal for verifying customers and employees because it confirms a user’s identity based on unique physical attributes. The easiest-to-use password alternatives are fingerprint and facial recognition. Millions of us already use biometrics to unlock our smartphones or laptops. It solves the problem of poor experiences and weak security with one swipe or glance.

How do biometrics work?

During account registration, the authentication system will build an identity around the biometric. Facial recognition software maps 80 to 90 nodal points of facial features, even the angle of the jawline and eye depth. Fingerprint readers capture up to 30 minutiae, and no two individuals have more than eight minutiae in common.

After registration, logins are quick and simple, as easy as touching the fingerprint scanner or looking into the camera. If the image matches the biometric stored on the device, the account is unlocked instantly. The user experience is easy, fluid and inherently secure.

FIDO2 strengthens password replacements

FIDO (Fast Identity Online) is an industry standard for passwordless authentication designed to secure biometrics with public key cryptography. Each device linked to an account is assigned a unique set of keys, one public key and one private key.

“With FIDO, the biometrics and the private key never leave the end user’s device,” explains Transmit Security VP of Product Niv Goldenberg. “The biometric is used to locally authenticate the user on the device. The private key then signs the challenge and passes it back to the server. The only thing that’s passed is the signed challenge.” 

Since the biometrics and the private key are never shared, they cannot be intercepted by threats like man-in-the-middle attacks. FIDO2 also ensures there’s no central database of biometric identifiers for hackers to target. Read more on password replacement technology.

Why fingerprint or face ID vs. other biometrics?

The tech ecosystem is ready with built-in fingerprint scanners and facial recognition software. Plus we keep our phones with us at all times. Demand will only grow. Analysts predict 1.3 billion devices will support biometrics by 2024​.

Other password alternatives include voice verification, retina or iris recognition, palm vein identification and even heartbeat recognition. Most of these options require dedicated hardware, cost more and are reserved for high-security purposes. To learn more read our Identity Hub article on Biometric Authentication. 

Replace passwords now and use password alternatives

When you authenticate customers and employees with biometrics, it’s crucial to remove passwords from your account recovery process and your cache. It’s also important to eliminate OTPs and KBAs whenever possible. These challenges are solved by the Transmit Security CIAM platform, which includes our FIDO2-certified biometric authentication service. 

Instead of weak 2FA placed on top of passwords,  our passwordless service achieves strong multi-factor authentication (MFA) through the possession of a private key (something you have) and a biometric (something you are). 

With our cloud-native CIAM services you can also solve complex implementation, management and usability challenges. Identities are portable across all devices, apps, domains and browsers, enabling smooth, consistent omni-channel experiences. We’ll help you transition customers to the best password alternative.