COVID-19 Sounds the Death Knell for Passwords – Passwordless Authentication Is the Future
It seemed like a strange feature for Apple to promote, even compared with the enthusiastic promotion of custom emojis as the next great reason to buy an iPhone. But as usual, Apple was onto something.
Apple’s introduction of passwordless authentication through a touch sensor, then later by facial recognition, was a big hit. Consumers now expect it, and typing a password to access your phone is a strange throwback experience that many people barely even remember. Who knows their phone’s password these days?
People still know passwords in general, though, specifically the same five passwords they use repeatedly to log into corporate tools and web services. Even forced password resets don’t jar loose these easy-to-remember passwords that make logins less painful; most people just use a variation of their main password in such cases.
This is why IT security experts have been working on systems for widespread passwordless authentication. And the COVID-19 pandemic will accelerate the pivot to passwordless authentication. Jumio’s CEO Robert Prigge says, “Password-based authentication, multi-factor authentication (2FA) and knowledge-based authentication (KBA) will be a thing of the past much sooner than previously anticipated, and businesses will look to more sophisticated and secure login options for current and prospective users.”
The global pandemic has sounded the death knell for passwords, which opened the door for a rash of account takeover (ATO) attacks that spiked during the crisis. Here’s why passwords are going away and will soon be replaced by passwordless authentication mechanisms.
Check out the 5 key benefits of passwordless authentication and how it can reduce a rash of identity-based cyber attacks.
1. Reduces the Use of Weak Passwords
Data breaches from weak passwords are one of the biggest IT security threats today. A recent OneLogin study on password practices showed that 72% of people have trouble remembering passwords. This trouble leads to many employees using the same passwords for their consumer accounts as they do for their corporate accounts in order to make life simpler, with disastrous results.
“Passwords are hard for people to remember, so they resort to password reuse and easily guessed patterns,” notes Alex Simons, corporate vice president for Microsoft’s identity division. “Passwords are not an effective security measure. They are a weak link.”
2. Eliminates Stolen Passwords
Not only are weak passwords a problem, but so are stolen passwords. Passwordless authentication does away with both the corporate liability of mishandling passwords that can be stolen later, and direct theft of employee passwords.
“Getting rid of passwords means there is one less thing for attackers to target, and one less thing that programmers and IT staff can leave exposed,” says Inbal Voitiz, vice president of marketing for authentication provider Secret Double Octopus.
“With all its money and competent engineers, Facebook exposed in April last year 540 million records of users’ names, IDs and passwords out in the open on unprotected servers,” she notes. “That same month, Facebook also admitted to storing millions of Instagram users’ passwords in plaintext format!”
3. Ends Phishing (and Unauthorized Sharing of Accounts)
Phishing is a huge problem for enterprise security. Roughly 32% of data breaches involve phishing, according to Verizon’s 2019 Data Breach Investigations Report, and 78% of cyber-espionage relied on it.
Phishing vulnerability disappears when passwords are eliminated, however. Employees also cannot share corporate logins with colleagues or friends when there’s no password to share.
“The most immediate security win with passwordless authentication is that users don’t control the password, which means they can no longer lose them or surrender them to a credential theft attack,” notes Voitiz. “When users don’t know their password, they cannot give it up.”
4. Reduces Application Friction
Authentication equals friction. Prompting for credentials hampers productivity and frustrates users, slowing them down in the best of times and locking them out of systems in the worst cases. This hurts productivity and focus.
Passwordless authentication significantly reduces authentication friction, as every smartphone user knows. It makes security less of an annoyance and more of a privacy feature.
With passwordless authentication, there’s also more scope for running multiple authentications in the background so there’s less user disturbance when bouncing between applications.
5. Saves Money
Helping employees with password issues is a frequent and time-consuming chore for most IT departments. It also costs a fair amount of money for most businesses, both in terms of IT resources and the time employees lose while waiting to get access to a system again.
“Passwords are costly to support,” says Simons. “For many enterprises, managing password resets is the single largest IT expense item.”
This cost center goes away when employees no longer need a password.
“Without passwords, there is nothing to manage and a lot less employee downtime,” says Voitiz. “With 25 percent to 40 percent of all helpdesk calls due to password problems or resets, it is clear why removing passwords saves money.”
The challenge with going passwordless is that it will take some time before all systems and cloud services support it. Realistically, passwords are still with us for a little while longer. Businesses can purchase services and hardware that support passwordless authentication, but complete migration will take time.
“Going passwordless is a journey for most working enterprises,” stresses Voitiz. “There is no magic switch you can flip and everything goes passwordless.”
The future of identity management is clear, however, and passwords only play a limited role in that future. Just as the iPhone still has a password, so too will enterprise systems. The days when most employees use them are numbered, though. Passwordless authentication is the future.