Everyone wants to replace passwords — what about banning them?

In the world of cybersecurity, stopping the adversary often means that businesses must first stop their own people from doing dumb stuff. Especially when it comes to passwords and clicking on suspicious emails.

Compromised passwords are responsible for a stunning 81% of hacking-related breaches, Verizon has reported. And yet, weak passwords and successful phishing attacks continue to proliferate.

As a result, phishing, ransomware and data theft continue to get worse. Eighty-three percent of organizations experienced a successful email-based phishing attack in 2021, a major jump from 57% in 2020, according to Proofpoint data.

And as shown by incidents such as the Colonial Pipeline attack, just a single compromised password can have a far-reaching impact.

Ditching the password

In response, many large security vendors and startups have been pushing passwordless authentication as the ultimate answer.

But the CEO of one startup wonders if just making the technology available — and proving that it works — will not be enough.

Mickey Boodaei, a serial entrepreneur in the security industry whose previous companies are Imperva (which went public) and Trusteer (acquired by IBM), is now aiming to help kill off the password entirely with his current company, Transmit Security. The startup, which he cofounded in 2014 and raised $543 million last year, is helping to prove that the technology for businesses and individuals to go passwordless is ready for primetime, Boodaei said.

And once regulators recognize that passwords are no longer a necessity, he believes that banning passwords outright will be inevitable.

“I actually believe that because of the changes in the market today — because of the education that we’re seeing around how bad passwords are and how good passwordless authentication is getting — I believe that in a few years from now, we’ll actually see the regulators banning passwords altogether,” Boodaei said in an interview with VentureBeat.

This would likely not happen all at once, but might go vertical-by-vertical — likely starting with financial services — and region-by-region, he said. Boodaei said he didn’t have a prediction for when it might happen, but thinks that “it’s possible in some verticals, in some regions, for this to happen sooner rather than later.”

“I think that once the first regulator does that, the others will follow very quickly,” he said. “Once the regulators are convinced that alternatives are ready and that the alternatives prove to be a much better security solution than what we have today — it’s going to be a no-brainer for them to actually ban passwords altogether.”

Ultimately, Boodaei said, “there is no reason to allow passwords anymore.”

Days are numbered

Without a doubt, passwords are “a treasure trove for bad actors,” said Greg Dracon, a partner at .406 Ventures, who has led the firm’s investment into passwordless authentication startup HYPR.

Passwords are “easily sold on the dark web. They’re monetizable. They’ve helped to encourage the ecosystem around cybercrime,” Dracon said. “And it’s a pain in the neck to rotate or change them.”

With all of these issues, “passwords need to go away,” he said. And with the availability of scalable passwordless authentication technologies such as HYPR, passwords will undoubtedly be phased out over time, Dracon said.

Yet even with all the known risks associated with passwords, “we still have them — and companies are still deploying password-based systems because the upfront costs are perceived as cheaper by most organizations,” said Anders Ranum, a partner at Sapphire Ventures. The venture firm that has backed passwordless authentication providers including Auth0 (acquired by Okta for $6.5 billion) and Ping Identity.

However, “as buyers of these systems get more comfortable understanding the total costs and the business benefits with less customer friction, we will see rapid adoption of new, secure passwordless technologies,” Ranum said.

And while he doesn’t think regulators will ban passwords “in broad strokes” any time soon, the shift to passwordless could be accelerated if, for instance, cyber insurance vendors begin to require this type of technology in order to provide coverage.

Password crackdown

Still, it’s not out of the question that regulators will crack down on the use of passwords at some point in the future, according to Jonathan Blavin, a partner at the law firm Munger, Tolles & Olson, who specializes in privacy and data security cases.

“If the status quo shifts in that direction and you get sufficient consensus that this is what you need to protect your users — maybe you’ll get there,” Blavin said. “I don’t think it’s going to be immediate, by any means. But I could see it happening in the medium- to longer-term horizon.”

In the meantime, Blavin said he does expect regulators to increasingly focus on mechanisms to encourage the deployment of passwordless authentication.

As of right now, however, he hasn’t seen any government proposals suggesting a new security standard, in which the use of passwords isn’t sufficient for data protection.

“I think at most what you would get is guidance from regulators, saying that we think that this is a best practice,” Blavin said. “And then potentially over time, that guidance could become a true security standard that regulators will look to in investigating data breaches.”