The Key Challenges of Passwords – and the Benefits of Passwordless Authentication
The recent disclosure that thousands of Facebook passwords were stolen and stashed in an unsafe database provided yet another reminder of two things: the shortcomings of passwords themselves and the benefits of passwordless authentication.
The challenges passwords pose are plain to see. They’re insecure, easy to steal, aggravating to use, inefficient and costly to maintain. None of these perceptions should come as a surprise. But the fact that passwords are still such an integral part of our lives after six decades forces us to remind ourselves that there are better ways to protect our access to important resources.
Let’s take a quick look at these challenges. First and foremost, passwords don’t protect people. Surveys show 81% of all breaches were caused by compromised passwords. The average person reuses passwords up to 14 times, giving hackers access to a big part of his digital portfolio if they can crack his code once.
Passwords can be annoying. If your workplace’s IT security department still relies on passwords, it probably has upped the requirement for complexity, forcing you to remember complicated codes just to get work done. Apps are requiring longer and trickier passwords, too. Then there’s the problem with volume: A typical consumer has to remember up to 200 passwords. It’s no wonder that surveys show consumers put such a high value on a frictionless experience when it comes to authentication.
Last, passwords can be costly and inefficient. Widespread password use in corporate settings not only slows down worker productivity – it forces the security department to manage password issuances and spend up to an average of $70 per user on resets.
What’s the solution? Passwordless authentication.
The concept has been around for a while. Essentially, it’s any kind of authentication that can verify the user’s identity without the user entering a password. There are different ways to accomplish this – some involving multifactor authentication, others just relying on one form that’s ideally suited to that application. Passwordless authentication bases the authentication requirement on other factors: something the user has (a one-time password generator, a registered mobile device, or a hardware token), something the user is (a biometric signature such as fingerprint, faceprint or retinal scan technology), or something the user knows (the user’s first celebrity crush or favorite ice cream flavor).
Biometrics are playing an increasingly important role in passwordless authentication. Their use is common in consumer applications such as Apple Face ID and fingerprint authentications on most of today’s mobile devices. Biometrics most often tie the user to a device itself while other authentication methods guard the gates to web-based resources accessed by the device.
Passwordless authentication solves most of the problems passwords create. It provides:
Better security.
While passwords are vulnerable to phishing attempts, biometrics and hardware tokens aren’t. Plus, passwordless authentication removes the problem of duplicate passwords and sloppy password management practices like writing codes down on sticky notes. Passwordless also offers better protection against other forms of credential access attacks such as man-in-the-middle attacks and keylogging.
A better user experience.
Going passwordless relieves stress for users, removing the need to remember complex strings of letters, numbers and special characters. Easier authentication processes improve the work experience for people in the office. Even more important, it eliminates the prospect that a poor log-on experience will convince a customer to abandon a purchase.
Lower costs.
Passwordless authentication is cheaper in the long run. Passwords require organizations to maintain password management systems so users can perform periodic password refreshes and the occasional password reset. Shifting authentication to biometrics, single sign-on (SSO), federated identity or other methods lightens the load on helpdesks and enables organizations to scale back educational programs showing employees how to avoid phishing scams.
Passwords aren’t going away tomorrow.
They’re entrenched in many corporate workflows, and some users may even prefer to deal with the devil they know rather than change to a new form of sign-on. But the passwordless trend is gaining acceptance. According to one recent survey, 92% of end users believe their organization will scrap passwords altogether sometime in the future.
Next time you see a story about pilfered passwords or frazzled users, remember: There’s a better way.