The problems with passwords

There is considerable documented research on the problems with passwords which can broadly be categorized under three headings.

Poor user experience

A survey of 200 IT security leaders conducted by International Data Group (IDG) found that 62 percent of respondents reported extreme user frustration at password lockouts. In addition to password lockouts, the sheer number of cloud services and passwords that a user needs to log into to do their job has increased over the years.  According to research undertaken for NordPass in 2021, the average user has around 100 passwords.

Security risk

The security risks of passwords include credential stuffing (large-scale, automated login attempts using stolen credentials), phishing (attempts to deceive users and illegally acquire sensitive information), and brute-force attacks (password guessing). Due to the challenge of managing complex passwords, users often resort to weak passwords and they often reuse or only slightly modify old passwords across different accounts. As a result, 81% of breaches involve stolen or weak credentials according to Verizon’s 2020 Data Breach Investigations Report.

Operating cost

According to Gartner Group, 20% to 50% of all IT help desk tickets are for password resets. That’s time that could be otherwise spent on new IT initiatives. Forester Research adds to this finding by research showing the average help desk cost for a single password reset can cost upwards of $70 or more.

You may wonder, how could it possibly cost this much?

First, suppose the organization is conscious of best practice security processes (which they should be) before a password can be changed for an end-user. In that case, the identity of the user requesting the password change must be verified to mitigate the risk of an attacker using social engineering tactics to persuade the service desk to change a legitimate user’s account password. The process to verify end-user identity by manual means can be time-consuming.

Next, businesses may still be using interconnected legacy systems that require manually changing passwords in multiple places rather than a single change flowing across the environment seamlessly. It can require the helpdesk team to log in and use many different tools for changing a password in multiple systems for a single user account. Finally, there is cost of lost productivity due to the end-user being locked out while waiting on the IT service desk to reset their password.

The benefits of passwordless authentication

Passwordless authentication establishes a strong assurance of a user’s identity without relying on passwords, allowing users to authenticate using biometrics, security keys or a mobile device.  In other words, users authenticate with something they have and something they are, instead of relying on something they know (a password).  

Passwordless solutions replace passwords with authentication factors that are compliant with guidelines established by the FIDO Alliance, which is a collaboration of industry heavy weights such as chipmakers like Intel and Qualcomm, platform developers like Amazon and Meta, financial institutions like American Express and Bank of America, and operating systems such as Google, Microsoft, and Apple. 

FIDO supports the concept of platform authenticators, i.e., authenticators built into devices that the user already owns—their smartphone, their laptop, etc.—in addition to roaming authenticators (security keys).  It has revolutionized the deployment of high-security hardware-based authentication mechanisms in government and enterprise settings, and has also enabled better alternatives to two-factor authentication options in the consumer space such as on-device biometric authentication.

However, the credentials managed by those platform authenticators are lost when the user replaces their laptop or loses their phone. Consequently, the user can’t rely on platform authenticators to always be there for them when they need to sign in. This leaves the user with a choice of either having to buy a security key, or fall back to less secure, non-FIDO authentication when they sign in from a new device.

Clearly, it’s unrealistic to expect that every consumer to purchase and carry a specialized hardware device for the purpose of signing-in on the Internet, even if it offers stronger security. The simple rule in the consumer world is authentication has to “just work”, without requiring additional devices or inconveniences.

There are proposed changes to the FIDO specifications that would enable a better user experience around FIDO credentials (including multi-device FIDO credentials). In essence, the proposal will allow syncing of FIDO credentials’ cryptographic keys across multiple devices. If syncing is not enabled by the device vendor, for example if the user is using a new device from a different vendor which doesn’t sync with the user’s other existing devices, FIDO proposes a failover solution which uses Bluetooth to enable use of the existing device to facilitate authentication from their new device. While this is a step in the right direction, it still doesn’t solve the problem of authenticating when the existing device has been lost or stolen.

The benefits of Truuth Biopass

Today, many passwordless vendors only solve for a limited number of use cases and they often need to ‘fall back’ on passwords or security questions when the authenticating device is misplaced or stolen. These piecemeal approaches can leave security gaps while not fully solving for the weakness of passwords.

Truuth is leading the way toward a passwordless future with Truuth Biopass, an Authentication-as-a-Service solution that delivers improved usability with stronger authentication. Biopass gives users a frictionless login experience, while reducing administrative burden and overall security risks for the enterprise.

Truuth Biopass overcomes the user-experience and security challenges faced by piecemeal passwordless solutions. Biopass delivers the following benefits to enterprises and their users:

Security

·       Biopass integrates tests of user liveness in every biometric authentication. This mitigates the risk of presentation attacks by fraudsters using a photo, video, mask, or deep fake of the real user.

·       Biopass uses shared secrets across multiple trusted servers and multiple channels for each authentication. This makes the solution resilient to key theft, phishing, and Man-in-the-Middle attacks. 

·       Biopass user credentials are protected by 4 levels of defense – fragmenting, salting, encrypting & sharding. 

User experience

·       Biopass offers users flexibility to choose from a range of biometrics (face, voice, fingerprint) for authentication. 

·       Biopass empowers users to replace all usernames and passwords with device agnostic biometrics.  In addition to FIDO-compatible 2^nd factors that leverage hardware-based biometric sensors, biopass offers cloud-based face and voice biometrics so that users can authenticate securely on a wide range of devices.

·       Biopass enables users to seamlessly recover their account if they lose their mobile authenticator.  With biopass the user simply authenticates with their face and/or voice on another registered device.

Authentication confidence

·       Biopass is designed to comply with ISO 29115 LoA4 by delivering traceable evidence linking authentication to a specific user who has had their identity verified. Unlike many other authentication services, Biopass verifies the human behind the device.

·       Biopass enables dynamic ‘step up’ authentication for higher confidence in high-risk scenarios where the user is required to provide multiple biometrics to authenticate. 

·       Biopass can dynamically request the user to re-verify their identity via an eKYC process including the scan of a valid ID document and a selfie to match the user’s face.

Ease of deployment   

·       For businesses with existing IAM deployments, Biopass can be used as a white labelled service with enterprise branding that delivers a unified biometric MFA solution across a wide range of apps and enterprise services.

·       For businesses that have no current IAM provider (or those looking to migrate away from their current provider), Biopass delivers a full passwordless authentication solution including support for a wide range of enterprise applications and risk-based authentication based on configurable policies.

·       Biopass is built on a global serverless architecture that allows enterprise clients to deploy seamlessly to any region.  Enterprises define the service features they want to turn on or off in an admin portal, enabling compliance with jurisdiction-specific regulations including data sovereignty and data privacy.

Operating cost

·       Biopass enables migration away from passwords and the associated costs of password resets.

·       Biopass enables seamless account recovery by allowing the user to use their face and/or voice on any registered device. So even if a user forgets (or loses) their authenticator device they can still authenticate on other devices. This reduces cost of support calls to recover user accounts with traditional approaches such as security questions.

·       Biopass enables dynamic requests for re-verification of user identity via eKYC.  This reduces the cost of batch processing for KYC remediation sometimes required for compliance with AML/CTF obligations.

Want to know more?

Truuth Biopass supports a wide range of authentication use cases and delivers a seamless and secure user experience.  Truuth is working on support for a comprehensive ecosystem that enables passwordless across every enterprise use case.  We’re passionate about making the world a safer place by mitigating the risk of identity fraud and related cyberattacks.  And we want to make it easy for organizations of all sizes to adopt passwordless authentication, enabling the shift to a mobile and cloud-first enterprise, allowing users to work remotely, increasing productivity and driving business agility.

To assist you on that journey we’re offering a free trial of Truuth Biopass.  The trial requires no set up fees, no minimum spend, and no obligation to adopt the service.  We’re confident you will love the user experience and improved authentication security. To find out more click here.