We Want Less Passwords, Not Passwordless


Session Details

While “passwordless” is a great marketing phrase, it’s an unrealistic, and potentially dangerous, goal for our industry. If you ask “what if” enough times (… I lost my phone, my fingers are burnt, I have laryngitis, etc.?) you will eventually need “something that you know”, i.e., a personal identification number (PIN) or a passphrase. In this talk, I will demonstrate why biometric authentication is not the be-all and end-all that some people think it is and why “something you know” as a final factor is here to stay. Gun to your head, would you rather give the attacker your password or take the bullet? To back this claim, I will recap the history of authentication research, concluding with FIDO and other “passwordless” solutions.
We start with the humble password and deep dive into the various technologies that have surfaced since: smartcards, one-time passwords, push-based multi-factor authentication (MFA), SMS codes, hardware tokens, and smartphones. Finally, I will argue that what we should be striving for is not to eradicate the password (i.e., passwordless), but simply to reduce the number of passwords that a given user has and to link these few passwords to hardware tokens, like smartphones.