By Niresh Swamy, enterprise analyst, ManageEngine
Anyone who is familiar with the centuries-old fable “Ali Baba and the Forty Thieves” or the phrase “open sesame” is aware of the fact that passwords have been around since time immemorial. From the Romans, who used watchwords to identify warriors who were part of a military unit, to speakeasies, which could only be entered using code words, human civilisation has used passwords as the one constant utility to authenticate individuals throughout the years.
For all the technological advancements that the digital revolution has made possible, and for all the promises that the new age of authentication has made with biometrics, cryptographic keys, passkeys, and behavioral analytics, passwords still haven’t been dethroned and remain the most reliable authentication mechanism. It’s important to question why.
But before that, let’s answer a much simpler question that the recent tech fad has convinced us to ignore.
Do you remember the last time you used your password to unlock your phone?
If you do, why did your biometric authentication fail?
Though it is now instinctive for us to unlock our mobile phones using the built-in fingerprint scanner or facial recognition feature, we still end up using our phone password frequently. This is because the new age of authentication, while catering to our convenience, brings with it a considerable failure rate, a failure rate that is nonexistent in the case of passwords. NIST’s ideal miss rate for a biometric scan is 0.001%. Even the best biometric scanners on the market do not meet this standard yet.
In fact, when it comes to securing access to applications, biometrics serve no practical purpose of their own and simply act as a convenient facade. Passwords have remained the bedrock on which these new forms of authentication are founded. Whether the front end is biometrics, passkeys, or TOTPs, the digital identity behind it is still linked to an old-school, single-form text password.
That said, efficiency is not the only reason passwords have continued to remain the mainstay of the authentication realm. There are a few more complex reasons.
Familiarity breeds comfort
Many smartphone users prioritise convenience over security, overlooking the credibility that passwords as a practice have earned to date. Yet this same user base is also not quick to adopt newer authentication methods, largely because of a lack of familiarity with the technologies.
A recent study indicates that only 25% of users believe that biometrics are a safer alternative. This tells us that, regardless of how much easier any new form of authentication might make a person’s day-to-day login activity, the average user is wired to believe that passwords are the most secure form of authentication.
On the other hand, enterprise IT teams, owing to their need to meet compliance standards and IT priorities, tend to adopt the most secure software on the market and thus are more likely to try out newer technologies as they arrive. However, even for them, the latest authentication mechanisms aren’t entirely feasible to implement.
Here’s why.
Enterprises won’t eradicate passwords completely, at least not yet
Passwords on the enterprise scale are far easier to implement than the newer authentication mechanisms. A full-scale, password-based security strategy can be deployed across an enterprise of any size with zero additional hardware. Enterprise-grade hardware for fingerprint or facial recognition is expensive, and thus proves far harder to scale without sapping the IT budget.
Apart from that, adopting new forms of authentication involves a complete shift from the status quo, requiring employees to internalize a drastic change through training; without that training, implementation runs into difficulties. Large-scale enterprises still use mainframe applications to store decades’ worth of data simply because it would cost more to transfer them to a different domain than it would to maintain the applications. Similarly, a full-scale, enterprise-wide migration from passwords to other forms of authentication poses the risk of a complete financial misfire, even in a best-case scenario.
Besides, password-based authentication mechanisms, due to their long-standing presence, have the best tech support available, and almost all the problems that could arise when enterprise IT teams deal with passwords already have arisen. Thus, passwords enable quick, remote resolution of support tickets.
That being said, it is safe to say passwords are here to stay. Owing to the familiarity and flexibility they provide, passwords will remain prominent alongside the newer authentication methods. Passwords are not likely to vanish from existence immediately, given that newer forms of authentication are still in their infancy. Instead, they will play a crucial role in helping the consumer base adopt up-and-coming authentication methods, serving as the familiar face linked to cutting-edge authentication, thus increasing its credibility and catalyzing the adoption process.