Since the early days of the internet, individuals and organizations have relied on passwords to keep their information safe, and in that time we've seen an alarming number of security breaches.
Usually these breaches prompt some kind of new password policy intended to make passwords harder to crack. First it was forcing users to create passwords with numbers and letters, then it was requiring a mix of capital and lowercase letters, then adding symbols and enforcing a minimum length that always seems to be increasing. Eventually we reached a point where you can't use your name in your password and can't have any repeating numbers or letters.
Even with this evolution of password complexity requirements, there are still mass data breaches. Now that 2FA (two-factor authentication) is being more heavily enforced, it's decreasing productivity and inconveniencing users by making them wait for a prompt or a text with a number they have to type in within a certain amount of time. Not only do they have to wait for the prompt or enter a number from a text, they still have to enter their complex password as well, which is hard to remember and is most likely being rotated every 90 days. Enrolling users in 2FA can also be time consuming and complicated for some end users, requiring one-on-one support. So how do we both protect our data better than we do now and make the process easier and less burdensome than traditional 2FA?
A world without passwords! It's time we make passwords obsolete and get rid of them once and for all. They are becoming too complex to remember, and traditional 2FA is becoming too cumbersome. So, how do we have security without passwords? We use a combination of biometrics and a physical device. What if logging into your computer were as simple as looking at your monitor or putting your thumb on a pad while having your phone or watch with you? Or if logging into Facebook only required you to tap a fingerprint reader or look at the screen while a physical device of yours is present? It would be fast and easy.
But wouldn't it take a long time to transition from passwords to a biometric + physical device setup? Not necessarily: all you really need to make this happen is Bluetooth and a fingerprint reader or some other biometric reader. What if desktop keyboards started coming with fingerprint readers built in, and all you had to do was make sure Bluetooth was enabled on your phone? A lot of newer computers, like Microsoft's Surface line, come with face recognition or a fingerprint reader, and even many older computers had fingerprint sensors. The physical device doesn't necessarily have to be your phone, either; it could be a USB drive, a watch, or really anything that can interface with your computer in some way. I chose Bluetooth because most computers, watches, and phones have Bluetooth.
How is it more secure than passwords and 2FA? Simple: you first authenticate using biometrics, which proves it is you and that you are physically at the device. Biometrics are in most cases very difficult to fake or crack. Then you authenticate with a physical device: a USB authentication device, a phone, a watch, etc. This physical device doesn't just prove a second time that it's really you and that you're at the device; it should also act as a TOTP (Time-Based One-Time Password) key, a device that generates a unique time-based code that is also required for authentication. In this case the TOTP code should be sent to the computer automatically when the computer detects the device over Bluetooth. To bypass this security, an attacker would have to somehow fake your biometrics and also possess a personal device of yours that was generating the correct TOTP codes, which in my opinion is almost impossible to accomplish.
This is how I imagine a password-less future.