
For years, having long and complex passwords has been ingrained in us as a requirement, so it may seem strange to consider eliminating passwords altogether. But you should, and here is why: Passwords are vulnerable.
Passwords are vulnerable first because humans are easy to trick. Imagine that you receive an email from a customer. The email supposedly contains tax documents that you asked for in a previous email. When you try to open the document, you encounter a message stating that your network session has timed out and that you need to enter your username and password again. Because you have been conditioned by Microsoft to occasionally reauthenticate, you do what the message asks, but after you enter your credentials, you receive a strange error message, and the document does not open. Unbeknownst to you, the message was from a criminal, and you just provided your credentials to them. The fake document also ran malware that stole the M365 MFA token from your browser. This means that the criminal can now load that token onto their own computer and, with your username and password, log in as you, gaining access to everything your M365 account can reach. You have been breached.
The scenario above is very common these days. Now imagine the same scenario if you didn’t have a password. You would get the email and open the document but would be confused when asked to enter your password because you do not have one. You would call IT, who would investigate and discover that the document contained malware. But you are OK because you never provided a password. You just avoided a breach.
Passwords are also vulnerable because employees often reuse their corporate passwords on multiple sites, and if one site gets breached, a criminal will try the password on other sites until they are successful in logging in. Another vulnerability is when employees choose passwords that are too simple, and criminals can guess or crack the password. If there is no password, this type of attack is impossible.
Finally, passwords are vulnerable because they need to be changed periodically. Many newer attack methods use the password change process to trick a system or a help desk person into resetting a password to one that the attacker knows. If there are no passwords, there are no password changes.
Besides being vulnerable, passwords are also inefficient and, let's face it, hated by users. Having to change a complex, long password regularly results in users forgetting passwords and spending time working with IT to reset them. Institutions can use the cost savings from eliminating those resets to help offset the cost of implementing passwordless authentication.
So how does going passwordless work? It relies on a strong MFA system that requires human interaction. Let’s use Yubikeys as an example. A “Yubikey” is a device that the user inserts into the USB port of a computer, tablet, or phone. When you first set up your account, you link your account to the Yubikey and choose a 4-character PIN (similar to an ATM PIN).
To log in, you only need to touch the Yubikey, and a prompt will appear on the screen asking for your 4-digit PIN. Once you enter the correct PIN, the Yubikey sends a code to the system that identifies the Yubikey and includes an “authenticator code,” similar to the code generated by an authenticator app on your phone (though this one is 32 characters long). Like an authenticator app’s code, it is different every time you use it. Because you must physically touch the Yubikey, a hacker could not activate it remotely, and if a hacker somehow stole a physical Yubikey, they would also need to know the PIN to unlock it.
So how is using a Yubikey without a password considered MFA? MFA is defined as providing two or more of three possible factors: something you are, something you know, something you have. A non-biometric Yubikey satisfies “something you have” (the Yubikey) and “something you know” (the PIN). There are also Yubikey devices that support biometrics, which adds a third factor (“something you are”).
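The following simulation, added here and not code from the post or from Yubico, shows why the flow above resists the phishing scenario at the start: the key answers only after PIN and touch, its code is bound to a fresh server challenge, so a captured code fails on the next login, while a captured password works again. It assumes an HMAC over the challenge in place of the public-key signature a real FIDO2 key produces, and uses a constructed user, PIN and password.

```python
import hashlib
import hmac
import secrets


class SimulatedKey:
    """Stand-in for the hardware key: unlocked by PIN plus touch, answers each challenge freshly."""
    def __init__(self, pin):
        self.pin = pin
        self.key_id = secrets.token_hex(8)     # identifies which key is answering
        self.secret = secrets.token_bytes(32)  # stays on the device; HMAC stands in for a signature
    def respond(self, pin, challenge, touched=True):
        if not touched or pin != self.pin:
            return None  # no touch or wrong PIN: the key produces nothing at all
        code = hmac.new(self.secret, challenge, hashlib.sha256).hexdigest()
        return self.key_id, code  # the code is valid for this one challenge only


class Server:
    def __init__(self):
        self.keys, self.pw_hashes, self.pending = {}, {}, {}
    def register_key(self, user, key):
        self.keys[user] = (key.key_id, key.secret)  # a real FIDO2 server stores a public key
    def set_password(self, user, password):
        self.pw_hashes[user] = hashlib.sha256(password.encode()).hexdigest()
    def verify_password(self, user, password):
        digest = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(self.pw_hashes.get(user, ""), digest)
    def challenge(self, user):
        self.pending[user] = secrets.token_bytes(32)  # fresh random nonce per login attempt
        return self.pending[user]
    def verify_key(self, user, response):
        challenge = self.pending.pop(user, None)  # each challenge is usable once
        if challenge is None or response is None:
            return False
        key_id, secret = self.keys[user]
        expected = hmac.new(secret, challenge, hashlib.sha256).hexdigest()
        return response[0] == key_id and hmac.compare_digest(response[1], expected)


def run_demo():
    """Returns (genuine login, replayed key code, wrong PIN, replayed password)."""
    srv, key = Server(), SimulatedKey("1234")      # constructed sample user, PIN and password
    srv.register_key("alice", key)
    srv.set_password("alice", "Winter2024!")
    captured = key.respond("1234", srv.challenge("alice"))  # what phishing malware could grab
    genuine = srv.verify_key("alice", captured)
    srv.challenge("alice")                         # next login: a new challenge is issued
    replayed = srv.verify_key("alice", captured)   # the captured code no longer matches
    wrong_pin = srv.verify_key("alice", key.respond("0000", srv.challenge("alice")))
    pw_reuse = srv.verify_password("alice", "Winter2024!")  # a captured password works again
    return genuine, replayed, wrong_pin, pw_reuse
```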
A Yubikey is just one type of device that supports passwordless authentication, and it is ideal for situations where a user has a PC, laptop, and phone, as the same Yubikey can be used with all devices. For users (like tellers) with less complex needs, using Windows Hello-compatible computers can have similar results without needing to buy devices like Yubikeys.
Moving away from passwords is a major step toward stronger security, but it can feel overwhelming without the right guidance. At Bedel Security, we work alongside banks and credit unions to design practical, secure authentication strategies that fit their needs. If you’re exploring passwordless solutions or simply want to learn more, we’re happy to be a resource. Let’s start the conversation.