Passwords should become a thing of the past. Here's why

Password-based authentication has become unwieldy, insecure and is the cause of most data breaches

Password-based authentication has become unwieldy, insecure and is the cause of most data breaches Image: TheDigitalWay from Pixabay

Adrien Ogée
Project Lead, Cyber Resilience, World Economic Forum
Parker Crockford
Director of Policy & Strategic Accounts, Onfido
Our Impact
What's the World Economic Forum doing to accelerate action on Cybersecurity?
The Big Picture
Explore and monitor how Cybersecurity is affecting economies, industries and global issues
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
Stay up to date:


When the man who invented passwords says it’s time to move on, it probably is. Four years ago, Fernando Corbato, who invented the first computer password in the 1960s, said that passwords had become "a nightmare”. Considering that his creation was not intended for the web, how data breaches have shaped the digital era, and the rise of privacy-awareness, it’s clear that things need to change.

Have you read?

Passwords were once one of our most trusted security measures, but over the past decade, the average person’s digital footprint has been exposed to increasing numbers of third parties. Now the average consumer manages over 191 pairs of usernames and passwords. It is almost guaranteed that people reuse the same passwords or tactics to authenticate across various services.

What’s wrong with passwords?

Most of the recent data breaches stem from stolen passwords. As digital platforms pile up gigabytes of data, including personal information and the credentials we use to get access to their digital services, the cost of attacks for hackers has decreased significantly. You can now buy login credentials to someone’s bank or Uber account on the dark web for as little as $7. Knowledge-based authentication, whether with PINs, passwords, passphrases, or whatever we need to remember, are not only a major headache for users - they cost a lot of money to maintain. Without even looking at the costs of a cyberattack, the mere costs of password management, of time lost by employees typing passwords and chasing the IT department when they fail, can climb up to $70 per incident. And with up to 50% of all help-desk calls being password resets, the costs can mount up quickly.

How to make life even easier for cybercriminals
How to make life even easier for cybercriminals Image: Statista / SplashData

Passwords aren’t just difficult to manage, they are inconvenient, insecure and expensive. Gartner predicts that by 2022, 60% of large businesses and all medium-sized companies will have cut their dependence on passwords by half. How?

Privacy-enhancing authentication technologies

Several trends have begun to enable the market to go passwordless and users to finally have control of their data. The first major government push has come with GDPR in Europe and the California Privacy Rights and Enforcement Act.

Consumers have become accustomed to having ‘free’ services, which are ultimately paid for from the sale of their data and without their explicit consent or knowledge - but users are starting to resist. Examples include the class action lawsuit filed against Facebook in Illinois and the Swedish data protection authority issuing its first fine under GDPR to a school for its improper use of facial recognition technology.

To meet the requirements established by these new laws, products and services must be designed with privacy at their core and provide complete transparency to their users. If services are built in this manner, we will be able to build biometrics in a trusted manner, which leaves only the question of whether companies can verify the information being submitted by their applicants. One way to solve this is with a scan of a person’s government-issued ID and a facial similarity check in combination with verified attributes.

A multistakeholder challenge that requires a multistakeholder approach

Both governments and private industry have a critical role to play in providing access to verified attributes. In 2018, the Better Identity Coalition released a report that calls for trusted government sources to open up access to the attributes they hold. Many governments have looked to help solve the problem of how to verify who someone says they are in a remote setting, with initiatives such as eIDAS in the EU, the Pan-Canadian Trust Framework, and Australia's Trusted Digital Identity Framework.

For the world to become passwordless, we need to put users in control of their own data. This will allow the work of bodies such as the World Wide Web Consortium, which develops global standards for the web, and the Fido Alliance - an industry association dedicated to replacing passwords as our means of digital authentication - to rely on our devices and real-time attributes, so that users can verify themselves remotely and more securely.

The passwordless future is close. We will continue to see progress in 2020, but we need to act now to close the gap between trusting real-time verifications and ending our dependency on passwords. This can be done by providing a more trusted, secure, and convenient user experience, one which helps people protect how their data is being used while at the same time providing companies with access to a decentralized network to trust digital identities at scale. It will allow digital platforms to more easily onboard users between different digital services in real time, providing a trusted level of interoperability for an unparalleled user experience. Managing 191 digital accounts will become a breeze, and people will win back control of their identity.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

These sectors are top targets for cybercrime, and other cybersecurity news to know this month

Akshay Joshi

April 22, 2024

About Us



Partners & Members

  • Join Us

Language Editions

Privacy Policy & Terms of Service

© 2024 World Economic Forum