In the last year alone, corporate data breaches have affected a “who’s who” of major corporations. Some of the biggest names in IT, financial services, and health care have suffered cyberattacks. Looking across a broader landscape, 82% of data breaches in businesses somehow involve the human element, with stolen credentials representing one of the top ways social engineering breaches occur.
A study sponsored by Yubico and conducted by Ponemon Institute concluded that individuals and businesses are still falling short despite the increasing concern regarding privacy and protection online. 50% of IT respondents and 39% of individual users reuse passwords across workplace accounts, and 59% said that their organization relies on human memory to manage passwords.
The challenges passwords pose are plain to see. They’re insecure, easy to steal, aggravating to use, inefficient, and costly to maintain. None of these perceptions should come as a surprise. But the fact that passwords are still such an integral part of our lives after six decades is a reminder that there are better ways to protect access to important resources.
Let’s take a quick look at these challenges. First and foremost, passwords don’t protect people. Surveys show that compromised passwords caused 81% of all breaches. The average person reuses passwords up to 14 times, giving hackers access to a big part of one’s digital portfolio if they can crack the code once.
Passwords can be annoying. If your workplace’s IT security department still relies on passwords, it probably has upped the requirement for complexity, forcing you to remember complicated codes just to get work done. Apps are requiring longer and trickier passwords, too. Then there’s the problem with volume: A typical consumer has to remember up to 200 passwords. It’s no wonder that surveys show consumers put such a high value on a frictionless experience when it comes to authentication.
Last, passwords can be costly and inefficient. Widespread password use in corporate settings slows down worker productivity. Password use also forces the security department to manage password issuance and spend up to an average of $70 per user on resets.
What’s the solution? Passwordless authentication.
The concept has been around for a while. Passwordless authentication is an authentication process that verifies the user’s identity without the user entering a password. There are different ways to accomplish this – some involve multifactor authentication, others rely on a single factor. Passwordless authentication bases the authentication requirement on something the user has (a one-time password generator, a registered mobile device, or a hardware token), something the user is (a biometric signature such as a fingerprint, faceprint, or retinal scan), or something the user knows (the user’s first celebrity crush or favorite ice cream flavor).
Biometrics are playing an increasingly important role in passwordless authentication. Biometric use is common in consumer applications such as Apple Face ID and fingerprint authentications on most mobile devices. Biometrics most often tie the user to a device itself, while other authentication methods guard the gates to web-based resources accessed by the device.
Passwordless authentication solves most of the problems passwords create. It provides:
While passwords are vulnerable to phishing attempts, biometrics and hardware tokens aren’t. Plus, passwordless authentication removes the problem of duplicate passwords and sloppy password management practices like writing codes down on sticky notes. Passwordless also offers better protection against other credential access attacks, such as man-in-the-middle attacks and keylogging.
A better user experience.
Going passwordless relieves users’ stress, removing the need to remember complex strings of letters, numbers, and special characters. Easier authentication processes improve the work experience for people in the office. Even more important, it eliminates the prospect that a poor log-on experience will convince a customer to abandon a purchase.
Passwordless authentication is cheaper in the long run. Passwords require organizations to maintain password management systems so users can perform periodic password refreshes and the occasional password reset. Shifting authentication to biometrics, single sign-on (SSO) or federated identity, and other methods lightens the load on helpdesks and enables organizations to scale back educational programs showing employees how to avoid phishing scams.
Passwords aren’t going away tomorrow.
They’re entrenched in many corporate workflows, and some users may even prefer to deal with the devil they know rather than change to a new form of sign-on. But the passwordless trend is gaining acceptance. According to one recent survey, 92% of end users believe their organization will scrap passwords sometime in the future.
Next time you see a story about pilfered passwords or frazzled users, remember: There’s a better way.