Identity theft and data breaches are less likely to occur in an environment without passwords.
World Password Day will be recognized on May 5 this year – but isn’t it time to rebrand it to something more suitable for the future? We now have the technology to replace passwords with stronger, more convenient methods of authentication.
Passwords in one form or another have existed for centuries, and in the computing environment since the early 1960s, but they’re not the most secure option for a modern, digital environment. We know that billions of passwords have already been exposed from data breaches, which is proof that enterprises need a solution that provides maximum security for both employees and customers. Unfortunately, user-generated passwords are one of the biggest barriers to this goal, with 61% of data breaches involving the use of unauthorized credentials.
Benefits of reducing, then eliminating passwords
Passwords are familiar to many, and it will take time for people to get used to the idea of a truly passwordless environment. However, there are numerous reasons for a company to stop using passwords. Here are some of the benefits:
- Reduce the risk of a breach: Passwords are one of the easiest and most common attack methods used by bad actors.
- Avoid the domino effect: Many customers reuse passwords, so a company won’t be as exposed if they share a customer with another company that is breached.
- Eliminate storage concerns: Without passwords, no database is at risk of being compromised.
- Lessen identity theft: One in ten Americans currently fall victim.
- Create a better customer and employee experience: It’s faster when users don’t have to remember a password.
Data breaches will be far less likely without passwords because they are the easiest way for an attacker to get into a network or compromise an account. If attackers can access an account with sufficient privileges, they can view and expose sensitive data. Identity theft is also less likely because it requires much more effort to steal a physical device or intercept a one-time passcode or biometric data. Using passwords are low-effort activities that cybercriminals prefer.
Customers also appreciate a passwordless environment because they don’t have to try to remember their password at checkout. A third of customers are lost at checkout because they can’t remember details like passwords. Customers have many options these days and a limited attention span; no one wants to sign up for a new service if it’s time-consuming. Complicated password rules have good intentions around security but are terrible for user experience. People are bound to forget those passwords, and resetting them adds friction to the process. It’s exhausting and eliminates the excitement of the purchase.
There’s also a solid business case for going passwordless. First, look at the cost of a breach to an organization. Passwordless authentication will reduce a company’s breach risk dramatically. Second, consider how many customers are typically lost at checkout and registration and the unrealized value of those customers. Passwordless will increase that conversion rate. Third, what percentage of help desk tickets are dedicated to password problems? For most companies, it is around 80%. The help desk is a big cost center and eliminating these tickets will reduce costs, which can vary depending on salaries paid to the IT staff and the employees who experience downtime while waiting for their service ticket to be completed. Also, consider that employees save time and are more productive when passwords aren’t needed. It’s estimated that each employee spends almost 11 hours resetting passwords every year. Once you multiply that by every employee in a company, it’s a significant amount of lost productivity.
Steps to becoming passwordless
Once a company has considered all of the benefits and is ready to move forward with passwordless, the first step is to centralize user authentication, also known as single sign-on. Then add multi-factor authentication for an additional layer of security, because this is the main thing organizations can do to protect themselves from an attack. Then slowly begin removing passwords altogether by adding things such as risk scoring and enabling passwordless login using an alternative method.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Some of the types of passwordless authentication from the user experience side include biometrics such as fingerprints or a face scan, QR code, trusted device or a magic link. It can also be a simple and rather insecure method of “password vaulting,” or a company could opt for the security of FIDO (Fast Identity Online) which is an industry standard for passwordless authentication, but has additional applications or device requirements to implement.
To recap, the key components to achieving passwordless authentication are:
- SSO: Centralize authentication and enable MFA
- Risk: Being able to move authentication decisions into the background based on a user’s behavior, location and device remove friction from the process.
- Device/OS: Mobile and web users have their own unique requirements. Leverage what your customers and employees can use and what your applications are ready for.
- Organizational alignment: You need buy-in from senior staff, users, the help desk and developers. Everyone has to be rowing in the same direction.
The future of passwords
While passwords are fraught with security risks, it will take some time before they become true relics of the past and go the way of the cassette tape and floppy disks. People have been using passwords with their computers for around 60 years, so change will take time.
Meanwhile, IT leaders can continue on their quest to maximize security while minimizing user friction through passwordless authentication. They can use concepts such as authentication and risk to help answer questions within their organizations and reach the ultimate goal of a passwordless future.
Andre Durand is CEO of Ping Identity (NYSE: PING) which he founded in 2002 to secure the internet through identity. Ping is a leading provider of enterprise identity security serving more than half of the Fortune 100 and protecting over 3 billion identities. Andre founded the identity industry conference, Identiverse, to accelerate the adoption of identity and serve as a community resource for identity industry professionals. Prior to Ping Identity, Durand founded Jabber to commercialize the Jabber open-source instant messaging platform which was acquired by Cisco in 2008.