The Death of Passwords


What is one necessary aspect of IT that truly annoys users?

A study by Pindrop found that 57% of consumers are frustrated with passwords and password authentication systems. The number is even more painful for businesses: in a Beyond Identity survey of 1,000 consumers, 67% of online shoppers said they had lost interest in creating an account on an e-commerce site because of password requirements. Some tech giants have heard those frustrations and are making strides to bring death to passwords.

Google, Apple, and Microsoft have all announced a commitment to expand support for the FIDO Alliance's passwordless sign-in standard (passkeys), which lets users log in across multiple devices without a password. But what does a passwordless future mean for cybersecurity?

Back to the Future

The idea of passwordless online identity verification is not new. Our IT experts recalled that when they played World of Warcraft in the late 2000s, Blizzard sold keychain authenticator tokens that generated one-time codes to help safeguard accounts from hacks and breaches. Fast forward to today, and those same IT professionals ask: since over 80% of hacking-related breaches involve stolen or weak credentials, why shouldn’t we as a global society explore more intelligent means of authentication?

What’s more, user-generated passwords are often lax on security. Verizon’s data breach report found that over 70% of employees reuse passwords at work, meaning the same password protects both personal and work accounts.

That means if an employee’s personal password is exposed in a breach at home, where security tends to be lighter or sometimes nonexistent, there is a higher likelihood that their work accounts will be compromised as well, because attackers routinely try leaked passwords against corporate logins (credential stuffing).

Strong Passwords are Critical

The initial way around this was to require strong passwords: a combination of upper- and lower-case letters, numbers, and symbols that would, in theory, be harder for a cybercriminal to guess or crack. This is easy for an organization to implement, since password rules can be enforced on the front end. However, complexity does nothing against phishing or reuse, and as previously noted, such passwords are difficult to remember, challenging to establish, and often come with a requirement to change them regularly, typically every 90 days.

Interestingly, the NIST author whose 2003 guidance popularized rotation and complexity rules has since said the advice was misguided: forced rotation pushes users toward predictable variations of the old password, and with today’s cracking hardware what matters far more is length. NIST’s current guidance (SP 800-63B) drops mandatory periodic rotation, asking for a change only when compromise is suspected, and recommends screening new passwords against lists of known-breached ones.

A long, memorable passphrase removes the obstacle of forgetting it while remaining hard to crack. In any case, a password manager that generates and stores a unique, complex password for every site is a wonderful alternative to memorizing multiple strong passwords, and it also stops one breached site from exposing all the others.

The Death of Passwords

Unfortunately, even strong passwords are often not enough to defeat a dedicated cybercriminal, because a phished or leaked password is just as strong in the attacker’s hands. That’s why organizations like Google moved to multifactor authentication (MFA). Location-based restrictions (where a site won’t let you sign in from outside an expected area) are an extension of that idea. The next evolution was biometric unlock on our phones with a fingerprint or facial recognition; note that the fingerprint or face never leaves the phone, it only unlocks a credential stored on the device. Both MFA and biometrics create friction if you are trying to temporarily give someone else access to your account (think a spouse or a child).

The Next Best Thing is Here

Because of the issues with all of these systems, the drive to become passwordless is gaining momentum, and there are variations of the process. Among the older methods is logging in with a physical smart card or hardware security key: you insert it into your computer and the chip on it proves your identity. Technology companies are now replicating that process without the dedicated hardware. A passkey is the same kind of cryptographic key pair, stored in the secure hardware of a phone or computer you already own and synced across your devices through your platform account.

For example, when you set up a new app or device, instead of entering a password you’d enter a username and get a prompt on your cell phone. Under the hood, the site sends a random challenge, your phone asks for your fingerprint, face, or PIN to unlock the passkey and then signs the challenge with the private key, and the site checks that signature against the public key it stored when you enrolled. Nothing you could read out or type is involved, which matters: a six-digit code can be relayed by a phishing page, but a passkey signature covers the web address the browser is actually on, so a lookalike site gets a signature it cannot use. The beauty of this for many users is that it eliminates the headache of trying to memorize and store passwords. Pair it with the proximity idea we talked about earlier and it’s even more secure: when you sign in on a computer using the passkey on your phone, you scan a QR code from the screen and the phone confirms over Bluetooth that it is physically near that computer (as opposed to in the hands of a hacker halfway around the world).

That type of authentication becomes more complex in a work environment where multiple people need access to the same app or device, and many are working remotely. Once you add those variables, the danger that a hacker uses a VPN in another country to mimic your IP-based location increases (a VPN can fake where your traffic appears to come from, but not the physical proximity of your phone to the computer you are signing in on). The good thing is that as security increases, the sophistication level of the attack has to escalate as well, which eliminates many threats.

User Benefits & Behavioral-Based Authentication

There is no silver bullet for cybersecurity; these types of authentication are an improvement, but they are not perfect. For end users, the gain is mostly one of experience: they don’t have to remember passwords, they just need to have their phones on them, which most people do anyway. For the organization, the gain is that there is no longer a shared secret for a phishing page to capture.

The IT experts we spoke with believe the next iteration is behavior-based (risk-based) authentication. Systems already watch some behavior, but our experts envision software that watches the way you use your credentials. If you log in from the same device, at the same time, from the same location every day, it’s very likely to be you. If you’re on the same device in the same location but log in at an unusual hour, that’s a little suspicious, and the system might ask for an MFA code. If it’s suddenly a different device and a different location, even at the usual time, it may block access, which is fine as long as it gives the user a way to say, no, it really is me.
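The three situations above, turned into an explicit decision, as an added example that is not code from the article: a small adaptive sign-in check that scores a login attempt against the user’s own history and returns ALLOW, STEP_UP (ask for an MFA code), or BLOCK with a recovery path. It also covers impossible travel, a signal the article does not mention. The login history, device names, and thresholds are all constructed for illustration.

```javascript
// Added example, not code from the article: an adaptive (risk-based)
// sign-in check. History, attempts and thresholds are constructed sample
// data, not a recommendation for production values.

const HOUR_MS = 60 * 60 * 1000;
const DECISION = { ALLOW: 'ALLOW', STEP_UP: 'STEP_UP', BLOCK: 'BLOCK' };

// Past successful logins for one user (constructed). January 2024, UTC.
const at = (day, hour, minute = 0) => Date.UTC(2024, 0, day, hour, minute);
const SAMPLE_HISTORY = [
  { device: 'laptop-7f3a', geo: 'Cleveland,US', ts: at(8, 13) },
  { device: 'laptop-7f3a', geo: 'Cleveland,US', ts: at(9, 14) },
  { device: 'laptop-7f3a', geo: 'Cleveland,US', ts: at(10, 13) },
  { device: 'phone-21c9',  geo: 'Cleveland,US', ts: at(11, 12) },
  { device: 'laptop-7f3a', geo: 'Cleveland,US', ts: at(12, 13) },
];

const hourOf = ts => new Date(ts).getUTCHours();

// Summarise the history into the "normal" this user is compared against.
function buildProfile(history) {
  const hours = history.map(h => hourOf(h.ts));
  return {
    devices: new Set(history.map(h => h.device)),
    locations: new Set(history.map(h => h.geo)),
    hourMin: Math.min(...hours),
    hourMax: Math.max(...hours),
    last: history[history.length - 1],
  };
}

// Score one attempt. Every signal is recorded so the decision is explainable.
function assessLogin(profile, attempt) {
  const signals = [];
  let score = 0;
  if (!profile.devices.has(attempt.device)) { score += 2; signals.push('unknown device'); }
  if (!profile.locations.has(attempt.geo)) { score += 2; signals.push('unknown location'); }
  const h = hourOf(attempt.ts);
  if (h < profile.hourMin - 1 || h > profile.hourMax + 1) { score += 1; signals.push('unusual hour'); }
  // "Impossible travel": a different location less than an hour after the last login.
  if (attempt.geo !== profile.last.geo && attempt.ts - profile.last.ts < HOUR_MS) {
    score += 3; signals.push('impossible travel');
  }
  let decision = DECISION.ALLOW;
  if (score >= 4) decision = DECISION.BLOCK;
  else if (score >= 1) decision = DECISION.STEP_UP;
  const result = { decision, score, signals };
  if (decision === DECISION.BLOCK) {
    // Never a dead end: the user can prove it really is them out of band.
    result.recovery = 'confirm from a previously enrolled device, then retry';
  }
  return result;
}

// The situations described in the article, plus impossible travel.
function runRiskDemo() {
  const profile = buildProfile(SAMPLE_HISTORY);
  return {
    routine:   assessLogin(profile, { device: 'laptop-7f3a',  geo: 'Cleveland,US', ts: at(15, 13) }),
    oddHour:   assessLogin(profile, { device: 'laptop-7f3a',  geo: 'Cleveland,US', ts: at(15, 3) }),
    newDevice: assessLogin(profile, { device: 'unknown-c0de', geo: 'Lagos,NG',     ts: at(15, 13) }),
    travel:    assessLogin(profile, { device: 'laptop-7f3a',  geo: 'Lagos,NG',     ts: at(12, 13, 20) }),
  };
}
```

With the sample history the routine login scores 0 and is allowed, the 03:00 login scores 1 and is asked for an MFA code, and both the new-device-new-country attempt (score 4) and the Lagos login 20 minutes after a Cleveland one (score 5, impossible travel) are blocked with a recovery path. Returning the signals alongside the decision is what lets a help desk, or the user, understand why a block happened.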

The large companies spearheading these efforts add another layer of security: they check the site that is asking for the authentication. They’re not just putting the onus on users. With passkeys, the browser records the exact web address (origin) in the data that gets signed, and a credential is only offered to the site it was created for, so a lookalike link cannot borrow it. In the future, the hope is that every site and application would use this kind of technology and that Google, Apple, and Microsoft make it as easy as possible to share.

Right now, the integration cost is probably going to be prohibitive for many smaller or medium-sized companies, but that may change in the future. Companies should, however, at least start having a conversation about where they need to get to, for two reasons. First, when compared to the cost of a several-million-dollar breach, it suddenly becomes a lot more feasible and attainable. Second, cybersecurity is more than just base protection; it’s also a competitive advantage. This type of login might not be viable or available yet for many small- and medium-sized businesses, but when it is, it will make life easier for end users, which in turn will bring more employees and customers to your business.

Need help thinking through what the next phase of user authentication means for your business? Reach out to us! We’re here to help.

This article was written from one of our Between the Bytes podcast episodes; you can find all of our episodes here!
