History and Rise of "Passwordless"


Learn the history of passwordless, and how it became popularized. From OTPs to MFA to mobile.

A Brief History of Passwordless

Passwords have been our main digital authentication method since 1961, though its vulnerability to hacking was demonstrated within one year.

Encrypted password storage and public-key cryptography were developed in the late 60s to early 70s.

But the 1980s brought the first version of “passwordless” authentication. This came in the form of dynamic, one-time passwords (OTP) held on physical fobs.

OTPs eventually developed into two protocols: time-based OTPs (TOTP) and cryptographed hash-based message authentication codes or HMAC OTPs (HOTP). Dynamic OTPs are still widely used as an authentication protocol.

The late 1990s brought single sign-on (SSO) into use. SSO helped organizations manage user authentication across an entire network of applications. However, fobs and other hardware tokens remained in use and popular throughout the 1990s and 2000s.

Smart cards are one hardware token that emerged in the early 2000s. These physical electronic authorization cards are sometimes used as passwordless security tokens.

The 2000s also saw the combination of these various passwordless and password-based authentication methodologies with the rise of multifactor authentication. AT&T actually holds the earliest recognized patent dating to 1998, but multi-factor auth (MFA) and single sign-on (SS0) really took off when organizations like Google began building them into their applications as a form of password-independent authentication.

The financial sector adjusted quickly. In 2005, the Federal Financial Institutions Examination Council (FFIEC) set out new user authentication guidelines. These included multi-factor authentication, biometrics, OTPs, and token-based authentication.

How Passwordless was popularized

As MFA and thus passwordless authentication strategies became more popular, passwords and authentication itself became a popular topic again.

The first sign of media interest was at a 2004 IT security conference, where Bill Gates publicly advocated for making passwords obsolete. Gates went over several of the security threats inherent to knowledge-based passwords. He then advocated for newer authentication technologies, including a tamper-resistant biometric ID card.

In late 2011, IBM predicted that “multi-factor biometrics” would become the dominant authentication protocol, creating a completely passwordless world. Their influential thought leadership spawned many other predictions and thought pieces.

Google pushed things further in 2013, when Eric Grosse, VP of security engineering, stated that "passwords and simple bearer tokens, such as cookies, are no longer sufficient to keep users safe." The company then made multi-factor authentication protocols standard within the organization, and that same year, Google’s information security manager, Heather Adkins, put it bluntly, “Passwords are done at Google.”

Then in 2014, after Russian hackers accessed the login credentials for over 1.2 billion internet users, Avivah Litan, VP Analyst at Gartner, reiterated the need to go passwordless. In her words, “Passwords were dead a few years ago. Now they are more than dead.”

Finally, the rise of mobile has boosted the popularity of passwordless authentication. In 2013, Apple introduced Touch ID (and Face ID has since followed) making passwordless biometric authentication ubiquitous today. Additionally, passwordless strategies (i.e. sending an SMS-based magic link) allowed mobile-first businesses, like Uber and Lyft, to authenticate users and perform account verification in a single easy step.

Is “Passwordless” here to stay?

There is no doubt that authentication technology and methodology will continue to evolve. The number of viable authentication methods will continue to grow, and inherently, most of these will be a passwordless one. Since two-factor and multi-factor authentication are widely popular (and in many use-cases a requirement), passwordless is definitely here to stay.

However, this doesn’t mean that password-based methods will be completely replaced or that passwordless is right for everyone. To learn more about specific passwordless technologies and if they’re the right choice for you, keep reading our series on passwordless authentication.

Rishi Raman