Why are we still using passwords?

Most of us have experienced frustration with passwords.  In fact, a lot of us experience that frustration on a daily basis!  We’re told that we need to use more complex and stringent characters to secure our passwords but then we face the challenge of remembering them.  Some people use password managers to address this problem, but this comes with risk – there have been some notable data breaches of password manager services.  The magnitude of the problem is highlighted by the following statistics:

• 90% of internet users are worried about getting their passwords hacked
• 53% of people rely on their memory to manage passwords
• 51% of people use the same passwords for both work and personal accounts
• The password “123456” is still used by 23 million account holders
• 33% of account-compromise victims have stopped doing business with companies and websites that leaked their credentials
• 59% of Americans use a person’s name or a family member’s birthday as a password
• 60% of people have had their identities hacked, passwords compromised, or sensitive information breached because of duplicate and outdated passwords
• 57% of people who have already been scammed in phishing attacks still haven’t changed their passwords

Given the significant user experience and security issues associated with passwords, many enterprises and consumers are asking the obvious question – when can we leave passwords behind?

Can I go completely passwordless?

Many consumers are embracing biometrics as an alternative to passwords, and this trend has accelerated during the Covid-19 pandemic.

The Biometric Survey 2021, jointly carried out by Goode Intelligence and ID R&D found that 55 percent of respondents worked in companies that are currently using biometrics, with 69 percent of them using the technology for authentication, 75 percent using it for identity verification, and 31 percent using biometrics for fraud detection.  Moreover, 73 percent of respondents described biometric tools as beneficial to user experience and increased security. Nearly half (45 percent) had increased the use of biometrics directly due to COVID-19.

While businesses are migrating to biometrics for verifying and authenticating their users, there are still many use cases and applications that require ‘old school’ authentication.  So, for the vast majority of us passwords will continue to be a daily hassle until biometric authentication is ubiquitous across all enterprise and consumer applications.

To achieve a passwordless future, many of the biggest tech companies on the planet are collaborating under the auspices of the FIDO Alliance. As each year goes by you will see an ever increasing range of devices and applications that will enable passwordless authentication.  

However, it’s important to remember that there are still security risks when you’re using biometric authentication.  If you’re using hardware biometric sensors on your mobile phone for authentication you need to realize that multiple people can have their biometrics enrolled on that device.  Similarly, if you’re using face ID it’s important to ensure that a test of user ‘liveness’ is included in each authentication to mitigate the risk of ‘presentation attacks’ in which fraudsters try to authenticate with a picture, video, mask, or deep fake of the real user. 

This is why our mission at truuth is to verify the identity of the human behind the device. 

The journey to passwordless authentication

Many organizations are not yet ready to fully embrace passwordless authentication.  They need a roadmap that enables them to take a phased approach, with each step taking them closer to a fully passwordless future without the risk of substantial tech debt.  We recommend the following approach to phased deployment.

Step 1 – Identify use cases where passwordless authentication will immediately add value

Some authentication use cases are more critical than others. It’s important to reduce reliance on passwords and lower the risk of credential theft for use cases that have significant security and compliance risks.  Examples include replacing admin passwords (yes, the IT team may still be sharing the admin password!), authenticating users to access secure physical sites (eg. data centres), and authenticating users for access to enterprise applications that have sensitive data (eg. enterprise IP contained in Confluence).  Applying Truuth Biopass as an MFA solution for these use cases will lower the risk of credential theft by requiring a second method of identity verification that cannot be easily stolen remotely by an attacker.

Step 2 – Minimize passwords for cloud and hosted apps

Reducing dependence on password authentication for cloud and hosted apps can be achieved by using SSO for SAML-based applications.  With MFA in place and a consolidated login experience, you can change password policies that require complex characters, as well as policies around password reset frequency. This will reduce user frustration with password security and reduces your reliance on password complexity as your primary authentication.

Step 3 – Adopt risk-based policies

Authentication security risks can be mitigated by adopting different authentication flows depending on the context of the user’s authentication. Is the authentication coming from a trusted device? Is the device in an expected location?  Does the authenticating device’s security posture meet the organization’s security standards?  Does the authentication use case involve a high level of risk (eg. substantial transfer of funds)?  These contextual factors should determine the risk assigned a specific authentication request and also determine the authentication user flow that will deliver the appropriate level of confidence in the identity of the user.

Step 4 – Deploy trials of passwordless authentication

Trials of passwordless authentication are helpful to estimate the impact on user experience, cost, and security. For example, consider using passwordless authentication to securely log on to your SSO solution. In this way, all of the applications federated behind the solution receive the benefit of passwordless. You can choose passwordless authenticators with built-in biometrics, invest in security keys that support FIDO2, or step up to multi-biometric authentication.

Step 5 – Define milestones to achieve a full passwordless environment

The path to passwordless is typically a phased approach to selecting and migrating applications and user groups to a streamlined and secure authentication experience.  You can start by implementing a consistent MFA experience across cloud-based apps. Achieving passwordless authentication for all use cases requires migration of legacy tools using older protocols along with cloud-based applications.  Passwordless will eventually eliminate your need to rely on passwords for any login workflow, either behind the scenes or throughout your users’ experiences.