The fact that you are searching for ‘password alternatives’ tells me you’re an optimist, believing there must be freedom from the pain of passwords. You’ll be glad to know it’s not pure fantasy. We now have real, viable password alternatives that can finally set you, your customers and employees free from the security risks and hassles of credential-based logins.
In this article, I’ll tell you about password alternatives that haven’t worked and why. After you’re clear on what to avoid, I’ll introduce the best password alternative for secure authentication and explain how it works. You’ll step away ready to make the switch.
“Let’s start with security. Passwords can be easily stolen and used to take over customers’ accounts,” states Transmit Security co-founder Mickey Boodaei. “Account takeover is bad for customer experience and bad for business. There is also a liability and compliance aspect of managing a large database of passwords that can be stolen… This has a huge direct and indirect impact over the business and the brand.”
We also know it’s difficult for customers to manage and remember passwords. Getting locked out is a frustrating experience, and you have to decide if it’s worth going through a reset process. It’s no surprise 92% of us will abandon a purchase instead of recovering our credentials. Companies lose revenue, and some customers never come back.
We first started looking for password alternatives more than 20 years ago. Over time, we’ve come up with many methods for improving password security. But until recently, all of the ‘solutions’ failed to get rid of passwords, and in most cases, they made the customer experience worse. These are the password alternatives to avoid, and why they fail:
Every one of these can be attacked, and the customer experience only gets worse as we pile on passphrases, knowledge-based authentication (KBA) questions and one-time passwords (OTPs). Is there a better password alternative? Yes: biometric authentication solves all of the problems above, and I’ll explain how. But first, there’s one last issue we must put to rest…
Password managers are targeted by highly motivated attackers. A vault full of credentials can be worth millions, so criminals work hard to find security gaps. That effort paid off in the 2021 Passwordstate breach: attackers compromised the product’s update mechanism and shipped a malicious update, much as in the SolarWinds attack, and customers who installed it had the passwords stored in their vaults harvested.
Passwordstate is not alone. LastPass has disclosed a breach of its own systems in which attackers made off with account email addresses, password hints and authentication hashes, and a 2014 study by researchers at the University of California, Berkeley found security flaws in four other password managers: RoboForm, My1login, PasswordBox (later acquired by Intel Security) and NeedMyPassword.
Password managers also do nothing about the moment a password is used. A phishing page, or a man-in-the-middle proxy that relays the real login page, captures whatever the user types or pastes, and a single such attack can be costly. Autofill that only fires on the matching domain helps, but a user can always copy the password out of the vault and into the wrong page. So let’s be clear: password managers add a layer of security, but you’re still living with high-risk passwords.
Biometric authentication is ideal for verifying customers and employees because it confirms a user’s identity based on unique physical attributes. The easiest-to-use password alternatives are fingerprint and facial recognition. Millions of us already use biometrics to unlock our smartphones or laptops. It solves the problem of poor experiences and weak security with one swipe or glance.
During account registration, the authentication system enrolls the user’s biometric and stores a template of it on the device, typically inside secure hardware such as a secure enclave or TEE, rather than the raw image. Facial recognition software maps 80 to 90 nodal points of facial features, even the angle of the jawline and eye depth. Fingerprint readers capture up to 30 minutiae, and no two individuals have more than eight minutiae in common.
After registration, logins are quick and simple, as easy as touching the fingerprint scanner or looking into the camera. If the fresh sample matches the template stored on the device, the device releases the credential and the account unlocks instantly. The user experience is easy, fluid and inherently secure.
FIDO (Fast Identity Online) is the industry standard for passwordless authentication. It pairs the local biometric (or PIN) check on the device with public key cryptography: at registration the device generates a fresh key pair for that site and account, sends only the public key to the server and keeps the private key to itself, so each device linked to an account has its own unique pair of keys.
“With FIDO, the biometrics and the private key never leave the end user’s device,” explains Transmit Security VP of Product Niv Goldenberg. “The biometric is used to locally authenticate the user on the device. The private key then signs the challenge and passes it back to the server. The only thing that’s passed is the signed challenge.”
Since the biometric and the private key never leave the device, there is nothing for a man-in-the-middle to intercept, and because the signed challenge is bound to the site’s identity (its relying party ID and origin), a signature coaxed out of the device by a look-alike phishing domain is worthless at the real site. FIDO2 also ensures there’s no central database of biometric identifiers for hackers to target; the server holds only public keys, which are useless to an attacker on their own. Read more on password replacement technology.
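The exchange Goldenberg describes, as an added example (my own illustration in Go against the standard library, not Transmit Security’s code or any FIDO library): an authenticator that holds the private key and signs only after a simulated local biometric match, and a relying party that stores nothing but public keys and one-shot challenges. The signed message follows the shape of WebAuthn’s authenticatorData || clientDataHash (rpID hash, flags byte, hash of challenge and origin) but is simplified; the relying party, origins and credential IDs are assumed names. It walks through a normal login, a replay of the captured assertion, an assertion signed for a look-alike origin (what a man-in-the-middle proxy would obtain) and a failed biometric check, and shows why only the first is accepted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const flagUserVerified = 0x04 // the UV bit of the WebAuthn flags byte

// Assertion is all that leaves the device: the signed challenge plus its context, no secret.
type Assertion struct {
	CredID    string
	Origin    string // origin the browser reports; it is covered by the signature
	Challenge []byte
	Sig       []byte
}

// message is what gets signed: sha256(rpID) || flags || sha256(challenge || origin) (simplified WebAuthn).
func message(rpID string, flags byte, challenge []byte, origin string) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientHash := sha256.Sum256(append(append([]byte{}, challenge...), origin...))
	return append(append(rpHash[:], flags), clientHash[:]...)
}

// Authenticator models the device: per-site private keys (never exported) behind a local biometric check.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

// Register mints a fresh key pair for this relying party; only the public key is returned.
func (a *Authenticator) Register(rpID string) (string, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	credID := fmt.Sprintf("%s#%x", rpID, pub[:4]) // assumed credential ID scheme
	a.keys[credID] = priv
	return credID, pub
}

// Sign signs the challenge bound to rpID and origin, but only after local user verification
// (biometricMatched stands in for the device's fingerprint or face match).
func (a *Authenticator) Sign(credID, rpID, origin string, challenge []byte, biometricMatched bool) (*Assertion, error) {
	priv, ok := a.keys[credID]
	if !ok || !biometricMatched {
		return nil, errors.New("no such credential or local user verification failed; nothing signed")
	}
	sig := ed25519.Sign(priv, message(rpID, flagUserVerified, challenge, origin))
	return &Assertion{credID, origin, challenge, sig}, nil
}

// RelyingParty models the server: it stores public keys and one-shot challenges, nothing else.
type RelyingParty struct {
	ID, Origin string
	creds      map[string]ed25519.PublicKey
	pending    map[string]bool // outstanding challenges, consumed on first use
}

func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[string(c)] = true
	return c
}

// Verify checks challenge freshness, credential and origin, then the signature.
func (rp *RelyingParty) Verify(asr *Assertion) error {
	if !rp.pending[string(asr.Challenge)] {
		return errors.New("unknown or already-used challenge (replay?)")
	}
	delete(rp.pending, string(asr.Challenge)) // one shot, whatever happens next
	pub, ok := rp.creds[asr.CredID]
	if !ok || asr.Origin != rp.Origin {
		return fmt.Errorf("unknown credential or origin mismatch (%s): phishing proxy?", asr.Origin)
	}
	// Our own rpID and the UV flag go into the message, so a signature for another site or without user verification fails.
	if !ed25519.Verify(pub, message(rp.ID, flagUserVerified, asr.Challenge, asr.Origin), asr.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Run plays four scenarios and returns each outcome; nil means the login was accepted.
func Run() (login, replay, phish, noMatch error) {
	rp := &RelyingParty{ID: "bank.example", Origin: "https://bank.example", creds: map[string]ed25519.PublicKey{}, pending: map[string]bool{}} // assumed names
	dev := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	credID, pub := dev.Register(rp.ID)
	rp.creds[credID] = pub // the server keeps the public key only
	good, _ := dev.Sign(credID, rp.ID, rp.Origin, rp.NewChallenge(), true)
	login = rp.Verify(good)  // accepted
	replay = rp.Verify(good) // rejected: that challenge was already consumed
	bad, _ := dev.Sign(credID, rp.ID, "https://bank-login.example", rp.NewChallenge(), true)
	phish = rp.Verify(bad) // rejected: signed for the wrong origin
	_, noMatch = dev.Sign(credID, rp.ID, rp.Origin, rp.NewChallenge(), false) // nothing signed
	return
}

func main() { fmt.Println(Run()) }
```

Two design points carry the security argument. The server consumes the challenge before doing anything else, so a captured assertion is dead on arrival; and the relying party recomputes the signed message from its own ID and origin rather than trusting anything the device sent, so a signature produced for the wrong site never verifies. A real WebAuthn deployment also checks the signature counter, the attestation at registration and the user-present flag, none of which is modelled here.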
The tech ecosystem is ready with built-in fingerprint scanners and facial recognition software. Plus we keep our phones with us at all times. Demand will only grow. Analysts predict 1.3 billion devices will support biometrics by 2024.
Other password alternatives include voice verification, retina or iris recognition, palm vein identification and even heartbeat recognition. Most of these options require dedicated hardware, cost more and are reserved for high-security purposes. To learn more read our Identity Hub article on Biometric Authentication.
When you authenticate customers and employees with biometrics, it’s crucial to remove passwords from your account recovery process and from any other place they are still stored or accepted; otherwise the reset flow simply becomes the attacker’s way in. It’s also important to eliminate OTPs and KBAs whenever possible. These challenges are solved by the Transmit Security CIAM platform, which includes our FIDO2-certified biometric authentication service.
Instead of weak 2FA placed on top of passwords, our passwordless service achieves strong multi-factor authentication (MFA) in a single step: possession of the private key (something you have) and the biometric that unlocks it (something you are).
With our cloud-native CIAM services you can also solve complex implementation, management and usability challenges. Identities are portable across all devices, apps, domains and browsers, enabling smooth, consistent omni-channel experiences. We’ll help you transition customers to the best password alternative.