Implementing Passwordless Authentication in a Global Hybrid Enterprise Part 2

Evolution of Authentication and Accounting: From Passwords to Passwordless

[Figure] Evolution of authentication technologies from the 1960s to the 2010s (major milestones highlighted): early computing introduced passwords; later decades added hashing, public key cryptography, one-time passwords, MFA and biometric methods, culminating in modern passwordless approaches.

The concept of user authentication in computing has a 60+ year history, intertwined with the notion of accounting (tracking user access and resource usage). In the 1960s, the first computer passwords were introduced in MIT’s CTSS time-sharing system. Users were given passwords to isolate their files and to account for their CPU time on shared mainframes (cybersecurity.asee.io). Notably, this first password system was quickly compromised: in 1962 an MIT researcher simply printed out the password file, which was stored in plaintext, to obtain more computing time. The incident highlighted two lessons that still apply: a plaintext credential store is only as strong as the access controls around the file that holds it, and a multi-user system needs accounting of who did what so that such abuse can be noticed at all.

Through the 1970s, improvements came: systems began storing hashed passwords instead of plaintext, and Unix’s crypt(3) added a per-user 12-bit salt in 1979 so that identical passwords hash differently and precomputed dictionary tables cannot be reused across accounts. At the same time, academic work on asymmetric cryptography (public/private keys) in the late 1970s laid the groundwork for future authentication models. Public Key Infrastructure (PKI) remained largely a government and internal concern until the 1990s, when it became foundational for secure web and enterprise logins (X.509 certificates, smart cards, etc.).

The 1980s saw the rise of One-Time Passwords (OTP) and hardware tokens such as SecurID (Security Dynamics, later RSA). Recognizing that static passwords could be captured and replayed, researchers developed OTP algorithms (Lamport’s 1981 hash-chain scheme, and time-synchronised tokens) so that each login used a unique, short-lived code. These were early two-factor authentication examples: something you know (a PIN) plus something you have (the OTP generator). The design has a limit worth keeping in mind for the rest of this series: an OTP defeats replay of a code captured earlier, but not an attacker who relays the code to the real service in real time, which is why later “phishing-resistant” methods bind the credential to the origin instead. Concurrently, enterprise networks adopted AAA frameworks (Authentication, Authorization, Accounting), with protocols like RADIUS (developed in the early 1990s) to centrally manage dial-up and network logins, including logging (accounting) of user activity.

In the 2000s, two major trends shaped enterprise identity: federated Single Sign-On (SSO) and broader Multi-Factor Authentication (MFA). SSO technologies (Kerberos in Windows domains from Windows 2000 onward, SAML for cross-domain web SSO) allowed one authenticated session to grant access to multiple applications, reducing the number of times a user typed a password. MFA expanded beyond hardware tokens to phone-based push notifications and SMS OTPs as mobile phones became ubiquitous. This decade also saw the arrival of compliance standards (ISO 27001, PCI DSS) that mandated stricter access controls and audit trails, reinforcing the need for robust authentication and user activity accounting in enterprise IT.

The 2010s accelerated the move toward frictionless and stronger authentication. Biometric authentication (fingerprint, face recognition) went mainstream, first in smartphones (Apple Touch ID in 2013, Face ID in 2017) and then in laptops and corporate authentication via Windows Hello. Biometrics offered “something you are” as a convenient factor; in a well-designed system the biometric template never leaves the device and merely unlocks a private key held in a secure enclave or TPM. By the late 2010s the industry reached for passwordless solutions. The FIDO Alliance introduced standards for cryptographic authenticators (U2F, then FIDO2, which pairs the CTAP2 device protocol with the W3C WebAuthn browser API), enabling logins with a private key stored on a device or security key plus a simple user gesture, and no password at all. Because the signed response is bound to the web origin the browser actually connected to, these credentials cannot be relayed through a lookalike site; this is the property major tech companies began promoting as “phishing-resistant” authentication. Behavioral analytics also emerged, using machine learning over user behavior patterns (keystroke rhythm, mouse movements) as a continuous, invisible layer of identity verification.

Critically for enterprises, Microsoft, Google and Apple laid the groundwork in the late 2010s for “passkeys”, the consumer-friendly name (adopted in 2022) for FIDO2 credentials, typically synced across a user’s devices. Microsoft introduced Windows Hello for Business as a core feature of Windows 10, allowing enterprise users to authenticate to AD and Azure AD with an asymmetric key bound to their device (and, where available, protected by its TPM) instead of a password. In 2019, with Windows 10 version 1903, Windows Hello became a FIDO2 certified authenticator, making it a standards-based passwordless method (fidoalliance.org). Microsoft reported that over 90% of its own employees were signing in without a password by 2021, after deploying Windows Hello and the Authenticator app internally. This journey from simple passwords to passwordless logins represents a continuous effort to improve security while preserving usability, precisely the balance modern enterprises must strike.
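The mechanism behind the phishing resistance of FIDO2/WebAuthn and Windows Hello, reduced to its essentials as an added example written for this article (it is illustration, not Microsoft’s or the FIDO Alliance’s code). The relying party login.contoso.example, the lookalike login-contoso.example and the user alice are assumed names; a toy 64-bit Schnorr signature over a safe-prime group stands in for the authenticator’s ECDSA/EdDSA key so that the script runs on the Python standard library alone, and its parameter size is deliberately far below anything usable in production. What it shows: the private key never leaves the authenticator, the browser (not the web page) writes the origin into the signed client data, and the relying party rejects both an assertion signed at a lookalike origin and a replayed one.

```python
"""Toy FIDO2/WebAuthn-style login: device-bound key, origin-bound challenge (demo only)."""
import hashlib
import json
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic Miller-Rabin below 3.3e24

def _is_prime(n: int) -> bool:
    if n < 2: return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def _group(bits: int = 64):
    """First safe prime p = 2q + 1 with q > 2^(bits-1); g = 4 generates the order-q subgroup."""
    q = (1 << (bits - 1)) | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = _group()  # toy parameters: a real authenticator uses P-256 or Ed25519

def _hash_to_scalar(r: int, msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(r.to_bytes(16, "big") + msg).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1  # private key: never leaves the authenticator
    return x, pow(G, x, P)

def sign(x: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1
    e = _hash_to_scalar(pow(G, k, P), msg)
    return e, (k + e * x) % Q

def verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    return _hash_to_scalar(pow(G, s, P) * pow(y, Q - e, P) % P, msg) == e  # g^s * y^-e == g^k

def _signed_payload(rp_id: str, client_data: bytes) -> bytes:
    # WebAuthn signs authenticatorData (which starts with sha256(rpId)) || sha256(clientDataJSON)
    return hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()

class Authenticator:
    """Security key or TPM-backed key store: it only creates keys and signs, nothing else."""
    def __init__(self):
        self._keys = {}
    def make_credential(self, rp_id: str):
        cred_id, (x, y) = secrets.token_hex(8), keygen()
        self._keys[(cred_id, rp_id)] = x
        return cred_id, y
    def get_assertion(self, cred_id: str, rp_id: str, client_data: bytes):
        return sign(self._keys[(cred_id, rp_id)], _signed_payload(rp_id, client_data))

def browser_client_data(origin: str, challenge: str) -> bytes:
    """The browser, not the web page, fills in the origin it is actually connected to."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()

class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin, self._pubkeys, self._pending = rp_id, origin, {}, {}
    def register(self, user: str, cred_id: str, pubkey: int):
        self._pubkeys[(user, cred_id)] = pubkey
    def new_challenge(self, user: str) -> str:
        self._pending[user] = secrets.token_urlsafe(32)
        return self._pending[user]
    def verify_assertion(self, user: str, cred_id: str, client_data: bytes, sig) -> bool:
        data = json.loads(client_data)
        expected = self._pending.pop(user, None)  # one-shot: a replay finds no pending challenge
        if expected is None or data.get("challenge") != expected:
            return False
        if data.get("type") != "webauthn.get" or data.get("origin") != self.origin:
            return False  # signed at some other origin: phished or relayed
        pubkey = self._pubkeys.get((user, cred_id))
        return pubkey is not None and verify(pubkey, _signed_payload(self.rp_id, client_data), sig)

def demo() -> dict:
    """Constructed scenario (names assumed): genuine login, relayed phish, and a replay."""
    rp = RelyingParty("login.contoso.example", "https://login.contoso.example")
    key = Authenticator()
    cred_id, pub = key.make_credential(rp.rp_id)
    rp.register("alice", cred_id, pub)
    cd = browser_client_data(rp.origin, rp.new_challenge("alice"))  # 1. genuine login
    sig = key.get_assertion(cred_id, rp.rp_id, cd)
    genuine = rp.verify_assertion("alice", cred_id, cd, sig)
    # 2. a lookalike site relays the real challenge; the browser binds it to the lookalike origin
    phish_cd = browser_client_data("https://login-contoso.example", rp.new_challenge("alice"))
    phish_sig = key.get_assertion(cred_id, rp.rp_id, phish_cd)
    phished = rp.verify_assertion("alice", cred_id, phish_cd, phish_sig)
    replayed = rp.verify_assertion("alice", cred_id, cd, sig)  # 3. replay of step 1: challenge spent
    return {"genuine": genuine, "phished": phished, "replayed": replayed}
```

Running demo() yields genuine True and both phished and replayed False. Real WebAuthn adds a first line of defence the script skips: the browser refuses to exercise a credential whose rpId is not a registrable suffix of the page’s origin, so the lookalike site never reaches the signing step at all. The origin check at the relying party is the backstop the WebAuthn specification still requires, and it is the check a pentester will probe first when a deployment rolls its own verification.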

Having traced the evolution, we now focus on how a contemporary enterprise can practically implement passwordless authentication. The next section maps out the journey for our hybrid AD/Azure AD environment, leveraging Microsoft’s ecosystem (Windows Hello for Business, Azure AD, and MSAL-enabled applications) to achieve a passwordless future.
