Despite widespread acceptance, passwords present a growing problem in modern digital society. Decades of password use have ingrained insecure habits in users, and those habits are dangerous when combined with increasingly capable attackers. Weak passwords are common, reusing the same password across accounts is normal, and credential-based attacks grow more sophisticated every day. It might be time to start your passwordless journey.
Most data breaches begin with credential harvesting campaigns, in which large numbers of usernames and passwords are stolen (typically by phishing or from earlier breaches) for later reuse. Credential stuffing attacks are also common: the stolen pairs are replayed in large-scale automated login requests against other sites, succeeding wherever users reused a password. In many break-ins, a stolen or guessed password is the weak link criminals use to reach an organization’s most critical data and infrastructure assets.
Along with stealing passwords and guessing them by brute force, human users themselves represent a weakness in the authentication process. According to the Verizon 2019 Data Breach Investigations Report, 80% of hacking-related breaches leveraged weak or compromised passwords. According to an analysis by the UK’s National Cyber Security Centre (NCSC), “123456” and “123456789” were the most widely used passwords, along with “qwerty,” “password,” and “1111111.”
A large percentage of security breaches are related to weak passwords: Microsoft found 44 million of its users signing in with passwords that had already been exposed in past data breaches. Figures from Google are in agreement, with two reports finding that 316,000 users, and 1.5% of all account sign-ins, were using already-compromised passwords.
Despite ever more money being invested in cyber-security, these problems persist because passwords are so normalized and widely accepted. According to Forrester Research, 80% of security breaches involve privileged access abuse, and 66% of companies have been breached an average of five or more times.
Now more than ever, organizations need to look beyond usernames and passwords. Whether it’s authenticating employees or identifying customers, something else is needed to ensure controlled access to valuable data and critical IT systems.
What is passwordless authentication?
Despite their ubiquity and long history of use, passwords are increasingly being replaced or augmented by other verification schemes. Passwordless authentication describes a range of approaches that authenticate users by other means. There are many ways to establish identity and verify credentials without a password, drawing on possession factors, biometric factors, and knowledge factors.
• Possession factors – Something the user has: a mobile authentication app, a hardware token, or a code delivered to a particular device, account, or address. Examples include FIDO2 authenticators and one-time passcodes (OTP).
• Biometric factors – Something the user is: measurements of the user’s body. Examples include fingerprints, iris patterns, and facial feature measurements.
• Knowledge factors – Something the user knows, such as a PIN, a passphrase, or the answers to security questions and details of the user’s account history. On their own these are the weakest factor (answers to security questions are often guessable or discoverable), so passwordless schemes typically pair them with a possession or biometric factor, for example a PIN that unlocks a device-bound key locally rather than being sent to the server.
Reasons to Start Your Passwordless Journey
In many ways, a single user-defined password or “key” is the most obvious way to identify a human user. Times are changing, however: compromised security, poor user experiences, and rising costs are all driving new authentication mechanisms. While only 5% of organizations currently use authentication that does not involve a password, according to Gartner, that figure is expected to grow to 30% by 2023 for the following three reasons:
Compromised security
The normalization and widespread acceptance of passwords has enabled multiple types of identity-driven attacks. Compromised security arises for many reasons, including poorly chosen passwords, reused passwords, phishing, and password spraying (trying a few common passwords against many accounts to stay under lockout thresholds). Theft, brute force, and poor password hygiene often end in account takeover (ATO), and it is frequently an actual or narrowly avoided security incident that finally drives an organization to adopt multi-factor authentication (MFA).
Poor user experience
Entering passwords has always been frustrating, especially across multiple devices and accounts. Remembering passwords is hard, and complexity requirements vary between applications. Beyond juggling multiple passwords, users are also tripped up by repeated re-authentication prompts and by having to create new passwords. The result is frustration for customers and lost sales for businesses: a University of Oxford survey estimated that roughly a third of online purchases are abandoned at checkout because people cannot remember their passwords.
Increased support costs
Despite their intended simplicity, passwords often add cost and reduce efficiency. People contact customer support to create, recover, and reset passwords, which increases the support burden and its associated costs. According to LastPass, IT teams spend an average of four hours per week on password-related issues alone, and Forrester Research estimates that large organizations spend up to $1 million per year just on password resets.
Passwordless authentication has grown by leaps and bounds in recent years, with a range of technologies adopted to make verification both safe and seamless. A number of protocols, specifications, and standards now leverage possession, biometric, and knowledge-based factors. Popular examples include FIDO2 (the WebAuthn and CTAP standards), Windows Hello for Business, and the Microsoft Authenticator app, typically deployed as part of a broader multi-factor authentication (MFA) strategy.
If you want to learn more on how to start your passwordless journey, download our whitepaper.