One of my favorite IT battle-scar stories comes from a Fortune 500 company, which forced employees to abandon their most popular password. Which was, of course, “password.”

After some grumbling, many employees changed their passwords to “password123.” Soon after blocking that, IT managers found they needed to block “password1234.” And then “password12345.”

And then things got ugly. The new most-popular password? “f#!kIT.” And then, “f#!kIT123.” The special characters are not there to make the passwords harder for hackers to decipher. I inserted them. Let’s just leave it at that.

Passwords, as any CIO will tell you, are the bane of their existence – and have been for more than a decade, ever since it became easier for thieves to break into computers over the internet than to literally lay their hands on our systems. According to Verizon’s annual Data Breach Investigations Report, 81 percent of data breaches now leverage weak or stolen passwords. Only eight percent involved physical interaction with hardware.

Proper password hygiene, of course, demands long, hard-to-guess passwords that are changed often. As the password cat-and-mouse game makes abundantly clear, employees want the opposite: quick and easy access, with simple passwords that never change.

Employees by and large have been winning. And so, as a result, have cyberthieves.
Because if employees have easy-to-guess credentials, hackers don’t even need to phish to gain access.

After more than a decade of fighting a losing battle with employees to safeguard corporate data with secure passwords, IT may finally be on the cusp of brokering a truce – and making the enterprise more secure – by eliminating passwords altogether.

The latest piece of the puzzle is the April 3 announcement from Intel regarding the availability of the latest version of Authenticate, which expands IT’s suite of both OS and hardware-protected authentication factors to keep logins secure – all while simplifying access for employees. In fact, IT now not only has the ability to set policies using secure fingerprint, smartphone proximity and facial recognition; Authenticate can also disable passwords altogether.

Indeed, 2018 could prove to be a watershed year in putting passwords on the endangered species list. Authenticate supports 6th Gen, 7th Gen and 8th Gen Core vPro processors – which means that if IT managers are on a five-year replacement cycle, chances are good that at some point this year, the number of PCs deployed that are capable of enterprise-grade multifactor authentication will surpass those that aren’t.

I started evaluating Authenticate on the new X1 Carbon from Lenovo ahead of CES, before the 8th Gen system was announced.

First, a word about the X1 Carbon: wow. The 8th Gen Core system is just about the perfect convertible. It’s equal parts sleek and sturdy, with great responsiveness and battery life. As well, the uptick in performance over 7th Gen systems was impressive. That’s to be expected, given that Intel designers made performance Job One for 8th Gen, shifting priorities after several years of focusing on mobility.

Setting up Authenticate on the X1 Carbon wasn’t difficult.
Before I did, I had to enable facial recognition, as Authenticate leverages the Windows Hello enrollment mechanism for that. (Facial recognition is the only factor I used in Authenticate that was not hardened and was protected only by the OS.) From there, I set up factors shielded by the hardware, below the OS: the integrated hardened fingerprint sensor, secure Bluetooth on my Samsung Galaxy Note 8 and the protected PIN. The PIN is entered on a digital keypad in a secure window with a scrambled layout as an added safeguard against screen scraping.

I set up my policy, also protected in hardware, to require two factors – in my case, facial recognition and smartphone presence – with fingerprint and protected PIN as alternates. And then, once I was comfortable, I went ahead and disabled password logon. Poof!

I can appreciate that that sounds as scary to some of you as it does exciting. But let me try to reassure you.

One pushback I hear is that factors like facial recognition and some fingerprint sensors today are possible to spoof. But with Authenticate, it’s not possible to spoof fingerprint authentication with software because the entire process happens in the hardware. As a result, tricking biometrics is limited to physical access – which, as we’ve discussed, is a much smaller concern for IT than cyberattacks.

Even if thieves did physically fool the fingerprint sensor, they still wouldn’t get access – because, with multifactor authentication, the sensor is only one of multiple keys required for entry.

Perhaps the best part of multifactor authentication, though, is the prospects for employee compliance. Multifactor authentication is easy for employees to set up. And, more important to them, PC access is virtually effortless. Which means employees won’t fight IT efforts to keep enterprise assets safe.

So, IT managers can find something else to worry about besides the next round of easy-to-guess passwords.
That doesn’t sound so scary, does it?