In Pursuit of a Passwordless Future
2023-12-07 21:00:15 Author: securityboulevard.com (View original) Reads: 5

Many computer users dream of a day when the industry can move past its reliance on passwords and reach a more serene future of frictionless cybersecurity. But most IT and security professionals will tell you that day is still a long way off. Countless devices and systems still in service were built around password-based security and have been aging for decades. There is no turning back time for such legacy systems; as long as they are in use, we will depend on passwords, at least to some extent. For most organizations, that means they are stuck in a password-filled present, but it doesn't mean there is no passwordless future. Before we can reach that future, however, we need to make sure we are protecting ourselves on the journey there.

The Issue With Passwords

Passwords usually aggravate users because of all the friction that comes with them. Nobody likes memorizing long strings of letters, numerals and symbols to conduct the simplest business, and weak passwords reward bad actors, which is, of course, the underlying problem. The goal of passwordless is to reduce that friction and make authentication simpler for users (authorization, deciding what an authenticated user may do, is a separate step). So, in essence, we should think of “passwordless” as “frictionless”: a simpler login for users, with the security gain coming from removing the shared secret that can be guessed, phished or reused.

The trouble is that the safest passwords are typically the hardest to remember, so they carry the most friction. But in a world where attackers launch an average of 50 million attacks on passwords every day, which works out to 579 attempts per second, according to Microsoft, safety should override convenience, yet that often isn’t the case. Verizon found that 60% of data breaches are now attributed to compromised credentials. Attackers prey on users’ natural preference for convenience: people reuse the same ID and password combination across multiple sites, and once that pair appears in a breach dump on the dark web, it can be replayed against a range of other logins, an attack known as credential stuffing.

Surviving in the Present

In the short term, we need to bridge the gap between the need for strong, complex passwords and the need to reduce friction for employees. Two in five Americans (41%) still rely on memory alone to recall their passwords, which means they tend to choose simple or repeated words that are easy to remember. There is an easy solution that both reduces friction and improves security: password managers. Organizations that take security seriously can offer employees a subscription to a password manager, which removes the need to remember complex passwords while still generating sufficiently robust, unique credentials for every site. Additionally, organizations should use tools that regularly check whether passwords have appeared in known breaches, and rotate any that have, further ensuring the strength of the passwords in use.
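The breach check mentioned above can be done without ever sending the password, or even its full hash, to the checking service. The example below is added here and is not code from the original article; it implements the k-anonymity range query used by the Have I Been Pwned "Pwned Passwords" API (the `https://api.pwnedpasswords.com/range/` endpoint is real; the sample response body, its counts and the helper names are this example's own, constructed so the block runs offline).

```python
"""Check a password against a breach corpus without revealing it.

Added example, not code from the original article. Only the first five
hex characters of the password's SHA-1 hash leave the machine; the
service answers with every known suffix for that prefix, and the
comparison happens locally.
"""
from __future__ import annotations

import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def hash_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a mapping; tolerant of CRLF and blanks."""
    seen: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        seen[suffix.strip().upper()] = int(count)
    return seen


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup (needs network). The Add-Padding header makes the
    service pad the answer so its size does not leak how common the
    prefix is; padded lines carry a count of 0."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, lookup=fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 if
    absent). `lookup` maps a prefix to the service's response body."""
    prefix, suffix = hash_prefix_suffix(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


# Constructed sample data: the first suffix under 5BAA6 is the real SHA-1
# suffix of "password"; the other lines and all counts are made up.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
        "00000000000000000000000000000000AAA:12\r\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\r\n"
    ),
}


def offline_lookup(prefix: str) -> str:
    """Stand-in for fetch_range that answers from the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = hash_prefix_suffix(pw)
        n = breach_count(pw, offline_lookup)
        verdict = "REJECT (seen in breaches)" if n else "not in sample corpus"
        print(f"{pw!r}: prefix {prefix} -> {verdict}, count={n}")
```

Pass `fetch_range` (the default) instead of `offline_lookup` to query the live service; a non-zero count is grounds to force a reset, and the plaintext password never needs to be logged or transmitted to do so.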

Passwords aren’t enough on their own, however, and need to be bolstered by some of the “passwordless” security protocols we have been using for years. Multifactor authentication (MFA) is a long-standing concept that combines factors from different categories: something you know (a password or PIN), something you have (a phone, authenticator app or hardware token) and something you are (a biometric), to prove your identity and authorize your access. Two-factor authentication (2FA) was the first widespread adoption of this approach, requiring exactly two factors, but as threats have become more sophisticated the industry has been shifting toward requiring more, and stronger, factors to better safeguard against attacks like credential stuffing, where a stolen password alone no longer grants access. These help make organizations more secure, but they also add friction, which a passwordless future promises to eliminate.
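The most common "something you have" factor is a one-time code from an authenticator app, which is HOTP (RFC 4226) driven by a time counter (TOTP, RFC 6238). The block below is an added example, not code from the original article; it is checked against the RFCs' published test vectors (the shared secret `12345678901234567890` is the RFC reference secret), and the verifier handles the two things a naive implementation gets wrong: clock skew and timing-safe comparison.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238): the 'something you have' factor.

Added example, not code from the original article.
"""
from __future__ import annotations

import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """Counter-based one-time code: HMAC, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float | None = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """Time-based code: HOTP over the number of `step`-second intervals."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, for_time: float | None = None,
                window: int = 1, step: int = 30, digits: int = 6,
                algo=hashlib.sha1) -> bool:
    """Accept a code for the current step or up to `window` steps either
    side (clock skew), comparing in constant time. A real deployment must
    also remember the last accepted step and refuse reuse within it."""
    if for_time is None:
        for_time = time.time()
    if len(submitted) != digits or not submitted.isdigit():
        return False
    base = int(for_time) // step
    ok = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret, base + delta, digits, algo)
        # Evaluate every candidate so timing does not reveal which one matched.
        ok |= hmac.compare_digest(candidate, submitted)
    return ok


if __name__ == "__main__":
    # RFC 6238 vectors: 8-digit SHA-1 codes at fixed Unix times.
    for t in (59, 1111111109, 1111111111, 1234567890):
        print(t, totp(RFC_TEST_SECRET, t, digits=8))
    print("current 6-digit code:", totp(RFC_TEST_SECRET))
```

Authenticator apps enrol the same secret (usually base32-encoded in an `otpauth://` URI), so the server side is exactly `verify_totp` plus per-user secret storage and replay tracking.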

The Road to Forgetting our Passwords Forever

We have seen many of the biggest tech companies, such as Apple, Google and Microsoft, lead the charge into a passwordless future with biometric recognition such as fingerprint or face unlock, now packaged as passkeys built on the FIDO2/WebAuthn standards. The biometric never leaves the device: it unlocks a device-bound private key, and the website holds only the matching public key and verifies a signed challenge tied to its own origin. That makes this approach an effective alternative to passwords, since there is no shared secret on the server to steal, a phishing site cannot replay the login, and faking someone’s fingerprint or face is far harder than guessing a password. But it still doesn’t solve the problem of all the legacy systems that will be in use for years to come.
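To make the origin-binding point concrete, the block below is an added example, not code from the original article or from any vendor's passkey implementation. It mirrors the WebAuthn assertion check (signature over `authenticatorData || SHA-256(clientDataJSON)`, with the server checking challenge, origin, RP ID hash and signature counter) using ECDSA P-256 from the third-party `cryptography` package, which is the ES256 algorithm passkeys commonly use. The `Authenticator` and `RelyingParty` classes, the `example.com` names and the lookalike `examp1e.com` origin are this example's own.

```python
"""Passkey-style login: a device-bound key signs a challenge bound to the origin.

Added example, not code from the original article. Assumes the `cryptography`
package; class and host names are illustrative.
"""
import base64
import hashlib
import json
import secrets

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class Authenticator:
    """The user's device. The private key never leaves it; a biometric
    check (simulated by `user_present`) gates every signature."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self._priv = ec.generate_private_key(ec.SECP256R1())
        self.public_key = self._priv.public_key()
        self.sign_count = 0

    def get_assertion(self, challenge: bytes, origin: str, user_present: bool = True):
        if not user_present:
            raise PermissionError("biometric / user verification failed")
        # The browser, not the web page, fills in the origin it is really on.
        client_data = json.dumps({"type": "webauthn.get",
                                  "challenge": b64url(challenge),
                                  "origin": origin}).encode()
        self.sign_count += 1
        flags = b"\x05"  # UP (0x01) | UV (0x04)
        auth_data = (hashlib.sha256(self.rp_id.encode()).digest()
                     + flags + self.sign_count.to_bytes(4, "big"))
        signed = auth_data + hashlib.sha256(client_data).digest()
        return client_data, auth_data, self._priv.sign(signed, ec.ECDSA(hashes.SHA256()))


class RelyingParty:
    """The website. Stores only public keys and issues fresh challenges."""

    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.credentials = {}  # username -> (public key, last sign count)
        self.pending = {}      # username -> outstanding challenge

    def register(self, username: str, public_key):
        self.credentials[username] = (public_key, 0)

    def begin_login(self, username: str) -> bytes:
        self.pending[username] = secrets.token_bytes(32)
        return self.pending[username]

    def finish_login(self, username, client_data, auth_data, sig) -> bool:
        public_key, last_count = self.credentials[username]
        challenge = self.pending.pop(username, None)   # single use
        cd = json.loads(client_data)
        if challenge is None or cd.get("type") != "webauthn.get":
            return False
        if cd.get("challenge") != b64url(challenge):
            return False  # stale or replayed response
        if cd.get("origin") != self.origin:
            return False  # phishing site: the browser reported its real origin
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False  # credential scoped to a different RP
        count = int.from_bytes(auth_data[33:37], "big")
        if count <= last_count:
            return False  # cloned authenticator or replayed assertion
        try:
            public_key.verify(sig, auth_data + hashlib.sha256(client_data).digest(),
                              ec.ECDSA(hashes.SHA256()))
        except InvalidSignature:
            return False
        self.credentials[username] = (public_key, count)
        return True


def demo():
    """Returns (genuine login, phished relay, fresh login, replay of it)."""
    rp = RelyingParty("example.com", "https://example.com")
    device = Authenticator("example.com")
    rp.register("alice", device.public_key)
    ok = rp.finish_login("alice", *device.get_assertion(rp.begin_login("alice"), "https://example.com"))
    # Attacker relays the real challenge, but the user is on a lookalike origin.
    phished = rp.finish_login("alice", *device.get_assertion(rp.begin_login("alice"), "https://examp1e.com"))
    assertion = device.get_assertion(rp.begin_login("alice"), "https://example.com")
    first, replay = rp.finish_login("alice", *assertion), rp.finish_login("alice", *assertion)
    return ok, phished, first, replay


if __name__ == "__main__":
    print(dict(zip(("genuine", "phished", "fresh", "replay"), demo())))
```

The server never holds anything an attacker could reuse elsewhere: a dump of `credentials` yields public keys only, and an assertion captured on a lookalike site fails the origin check before the signature is even examined.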

The only real path forward is for organizations to commit to updating legacy systems and technologies. As an organization’s technology advances and becomes more cloud-based, authentication can change along with it. The process is slow, but if it is done intentionally, organizations can first reduce the number of things passwords are needed for, then the number of people who need to use them, before finally eliminating them.

The passwordless future feels close because we have the technology to do it, but progress will be slow as applications are migrated to adopt passwordless authentication. So, while there is no way my password manager will be empty by next year or even the year after that – by 2030? That’s possible.


Article source: https://securityboulevard.com/2023/12/in-pursuit-of-a-passwordless-future/