The 7 technology trends that could replace passwords



Many of us have moved beyond passwords alone for online security, and it’s not hard to see why. Our new Specops Breached Password Report found that of one billion stolen credentials, almost a quarter met standard complexity requirements – and still the criminals broke through.

These stolen passwords – 230 million of them – met all the requirements of their organization, including more than eight characters, one capital letter, a special character and a number.

And there’s plenty more evidence of password vulnerabilities: Verizon’s Data Breach Investigations Report (DBIR) 2024 found that stolen credentials were the top action leading to a breach.

Alternatives to passwords

So it’s little wonder that new and evolving authentication methods have gained traction in recent years. But could they replace passwords altogether? We think the answer is a likely ‘no’. Passwords will remain a key security element for most organizations, with additional authentication methods used to enhance defenses.

First, let’s look at some of the developing alternatives and technologies that could transform traditional approaches to passwords.

Verizon’s Data Breach Investigation Report found stolen credentials are involved in 44.7% of breaches. 


Biometric authentication

Biometric authentication uses a person’s physical attributes to confirm their identity: for example, fingerprints, facial recognition or iris scans. The obvious advantage is that a fingerprint or a face is bound to the individual: it can’t be forgotten, guessed or shared the way a password can.

The technology is also simple to use, avoiding the need to input data that could be easily forgotten.

But biometric authentication isn’t invulnerable. Presentation attacks (biometric spoofing) feed the sensor a fake: a printed or moulded fingerprint, a photo or mask, or a deepfake video of a face. Systems without liveness detection are particularly exposed to these.

And if the stored biometric template is stolen, you can’t reset your face or your fingerprints the way you would a password.

Behavioral biometrics

Like biometric authentication, behavioral biometrics relies on characteristics that are unique to an individual. Except this time, it’s the way you interact with the application or website in question: for instance, how you move your mouse or type on the keyboard. 

There are obvious benefits – the user doesn’t have to do anything special, so it’s convenient to use. It also mitigates the danger of credential sharing, as you can’t easily share your typing rhythm.

But it can be costly to set up, it produces false rejections when a user’s habits change (a new keyboard, an injury, a different device), and the behavioural profiles it collects raise privacy concerns if they are breached.

Blockchain for secure password storage

Blockchain is sometimes proposed as a way to secure credential data: as used in cryptocurrencies, it distributes an append-only, tamper-evident ledger across a decentralized network. But the properties that make it tamper-evident make it a poor fit for secrets. Anything written to a public ledger such as Bitcoin’s is visible to everyone and can never be deleted, so a password hash placed there is permanently exposed to offline cracking, and every write costs a transaction fee, which raises the question of what storing passwords on such a ledger would cost.

Zero-knowledge proof technology

ZKP proves the truthfulness of a mathematical statement, without revealing additional information ‘that may have been useful in finding said truthfulness’, as noted by NIST.

Applied to passwords, this gives a user a way to prove they know their password without ever transmitting it: the client proves knowledge of a secret derived from the password, and the server checks the proof rather than comparing the password itself.

In other words, you can prove who you are without exposing the secret in transit.

Challenges include the extra computation a proof requires and the complexity of implementing it correctly. In practice this idea reaches deployments as password-authenticated key exchange (PAKE) protocols such as SRP and OPAQUE, which are designed so that an eavesdropper on the exchange learns nothing usable for offline guessing.

Passphrases

Another alternative to traditional passwords is the use of passphrases. Unlike standard passwords, which are often short and complex, passphrases consist of multiple words strung together, creating a longer but more memorable authentication method.

For example, a passphrase like “PurpleBananaSunsetDancer!” is easier to remember than a random string of letters and numbers, while still providing strong security due to its length.

Passphrases are particularly effective against brute-force attacks, as each extra character multiplies the number of possible combinations; a phrase of twenty or more characters is far beyond exhaustive search.

However, they still rely on user-generated input, so they can be weak if they use common phrases, song lyrics or predictable word patterns that already appear in cracking dictionaries. The strength comes from the words being chosen unpredictably, not from length alone. You can find a full guide on moving to passphrases here.

Passkeys

Passkeys are phishing-resistant alternatives to passwords that have grown in popularity over the last couple of years. Based on FIDO2/WebAuthn, passkeys use public key cryptography: the device holds a private key and the website holds only the matching public key. A passkey is tied to a device such as a phone or computer (or synced between a user’s devices through their platform account) and is unlocked with biometrics or a PIN.

Passkeys resist credential stuffing and phishing because the private key never leaves the user’s device and is never sent to a website, and because the signature the device produces is bound to the origin the browser actually connected to, so a look-alike site cannot obtain a response that works on the real one. The website’s database holds only public keys, so a breach of it yields nothing an attacker can log in with.

Passkeys are now widely supported on all major platforms, including Google, Apple and Microsoft.

Security keys

Security keys are physical devices, usually USB, NFC, or Bluetooth, that are most commonly used for multi-factor authentication (MFA). After entering a password, users tap the security key or enter a PIN to verify their identity, which allows the user to log in to the site or application.

However, some platforms now use them for password-less logins where the owner uses a PIN or biometrics to prove that they are the owner and to allow logins. Support for password-less logins using security keys is currently available in Windows,

Security keys are resistant to attacks because an attacker needs both the physical device and the PIN or biometric that unlocks it, and, as with passkeys, the key only ever signs for the origin the browser reports.

The enduring advantages of passwords

Many of these techniques have been available for some time, yet passwords remain the foundation of online security, used daily by consumers and businesses across the globe. Why is this? 

  • Simple and universal: the concept has been established for decades and is easy for everyone to understand.
  • Flexibility: you can easily reset your password. You can’t say the same thing for a facial scan or fingerprints.
  • Effectiveness: passwords are either right or wrong. Even when biometric scanners fail or security tokens go missing, passwords remain a reliable backup authentication method.

The best of both worlds

The optimum approach isn’t to choose between passwords and some other form of security. Instead, we should embrace the advantages of new technologies, while retaining the convenience and security of passwords.

The solution is to opt for the best of both worlds by building multi-factor authentication, going beyond two-factor authentication to layer independent factors: something you know (a password), something you have (a security key, passkey or authenticator app) and something you are (a biometric). A one-time code texted to your phone counts as a second factor too, though it is the weakest of these, since SMS can be intercepted or redirected by SIM swapping and the code itself can be phished.

Even here, vulnerabilities remain. MFA can be targeted through prompt bombing (repeated push notifications until the user approves one) or adversary-in-the-middle phishing that relays the one-time code or steals the resulting session token; both start from an attacker who already has the user’s password.

The key is therefore to ensure your passwords are as robust as possible, no matter what technology you use to enhance your security.


Scan your Active Directory for compromised passwords

Authentication technologies will continue to advance, but you’ll always need to stay on top of your passwords.


Specops Password Policy integrates with your Active Directory to continuously block a growing database of more than 4 billion compromised passwords, while preventing users from creating weak passwords and scanning for passwords that have been compromised or breached.

Contact us today for your free trial.

Sponsored and written by Specops Software.



