Going Passwordless: 5 Authentication Trends to Watch
Here’s a startling statistic: Roughly 80% of hacking-related breaches are still due to compromised, weak and reused passwords. This is especially concerning given that 99% of users reuse passwords not once, but 2.7 times on average between and across work and personal accounts. “As remote workers rapidly expand their digital footprint across more and more applications, they must make strong password hygiene a top priority,” Balbix’s CTO Dr. Vinay Sridhara said.
And here’s another stinger: findings from a recent study from Carnegie Mellon University’s CyLab indicate only one in three people who had accounts on breached domains changed their passwords. This and more was discussed at the 2020 Workshop on Technology and Consumer Protection.
Human error has always been an enterprise security hole that IT can’t fix, a clear vulnerability that exists when humans interface with machines. Security pros can reduce the vulnerability by taking steps to segment the network, add robust authentication, and enforce zero trust principles. To err is human, though, and IT systems will still interface with humans for the foreseeable future. So the danger persists.
There are ways that IT can minimize the risk, something security pros are heavily focusing on. Authentication is a particularly weak link, so authentication systems are evolving, especially as cloud services proliferate and the danger from weak or stolen passwords increases.
Here’s how authentication trends are evolving right now to meet the challenge of human error.
1. Moving Beyond Password Policy
It is becoming increasingly evident that traditional password management and corporate policy on password creation simply don’t help.
Rules such as never using a password that has been seen in a breach, creating really long or complex passwords, and using unique passphrases are well-meaning but don’t actually work. Hackers still exploit password authentication even when these rules are in place.
“We defend against 100s of millions of password-based attacks every day, and our data shows that password rules are at best a distraction,” says Alex Simons, corporate vice president for Microsoft’s identity division. “When it comes to composition and length, your password mostly doesn’t matter.”
2. Leaning on Artificial Intelligence for Predictive Security
Late last year, while using a VPN and jetting around Asia for business, my primary bank account stopped working. Apparently my bank’s artificial intelligence system flagged me as suspicious even though I hadn’t packed my ski mask or fedora.
While the security lockdown was a major hassle that took months to resolve, the use of artificial intelligence for spotting security issues remains one of the newest and most promising methods for boosting authentication security.
Right now only some firms use AI to verify identity and suss out situations that look improbable, but soon AI will play an important role for businesses that are serious about security systems access.
“We’re going to see greater adoption of AI or machine learning-based technologies and behavior metric authentication,” predicts Kayla Gesek, product manager for authentication platform, OneLogin. “We’re moving to an era where the password will become only one of many authentication methods users might see to access accounts.”
3. Taking Away User Password Control
A simpler step that moves in the same direction as AI-based authentication is the elimination of user-controlled password management. Passwords are a weak security system that gets even weaker when employees choose and control their own passwords. So some businesses are taking password control away from users, much like passwords in the U.S. Navy are assigned instead of chosen.
This is taking the form of mandated passwords, or even authenticators that entirely skip passwords.
“Companies are starting to replace user-controlled passwords with an authenticator that gates access to a company-controlled password,” says Inbal Voitiz, head of marketing for authentication provider, Secret Double Octopus.
4. Adopting Passwordless Authentication
With the password as a security weak spot, another trend in authentication is doing away with passwords entirely. Instead of having users remember and type in passcodes, security vendors are racing to roll out passwordless authentication options that lean on biometric or other scanning systems, much like users now skip passwords when turning on their smartphones.
“More companies are beginning the journey to a password-free workplace,” notes Voitiz. “Most companies can’t go cold-turkey, though, since they have many legacy systems and applications that depend on passwords and need to be taken off of passwords one by one.”
Along with artificial intelligence, these passwordless systems probably are the future of authentication. The journey will take time, however.
“With Apple turning to facial recognition, a lot of other companies have followed and we also are seeing an increase in iris scanning authentication,” notes Edward Whittingham, managing director for security awareness training firm, The Defense Works. “Voice recognition authentication is becoming increasingly popular, too.”
5. Making Multi-Factor Authentication the Norm
Easier than passwordless authentication, multi-factor authentication also is becoming a dominant method for securing computer systems. What started as the province of banks has filtered down to everything from project management software to social media accounts.
“We’ve seen a 200 percent increase in the adoption of multi-factor authentication over the last two years, which has put the technology in the hands of half of end-users,” reports Gesek at OneLogin. “This trend will continue to grow in 2020.”
Overall, eliminating human error will be tough or impossible. Businesses and security pros are well on the way to reducing the potential for human error inherent in current authentication methods, however.