Passwords are problematic. They are arguably the weakest link in security, a leading cause of breaches, and difficult to manage. Yet, on Change Your Password Day 2023, passwords remain ubiquitous.
Instead of continuously changing passwords in an attempt to stay ahead of online threats, the best solution is no passwords at all. Adopting passwordless authentication can solve the inherent problems of passwords to deliver stronger security and a better user experience.
Consider the all-too-common practice of using repeated passwords. We still live in a world where the importance of unique passwords for every account cannot be overstated. Why? If one account is compromised, bad actors can easily get into other accounts tied to the same username or email.
Poor password policies lead to poor password practices
But the reality is that the average person has roughly 191 different logins, passwords or other credentials to manage. That is too many to remember, and the burden is often paired with an “it won’t happen to me” mentality. As a result of human nature, many people will re-use existing passwords or adopt bad practices, such as writing down passwords on sticky notes.
People have also been coached to use passwords that meet baseline complexity requirements while still being “easy” to remember. These bare-minimum complexity requirements are often well-intentioned, but they create passwords that are hard to recall.
Hackers can also guess or crack them using specialized password attack tools. In fact, NordPass published a report containing the top 200 most common passwords according to 2021 research, citing millions of individuals using the same easy-to-remember password.
To combat this tendency, some organizations push more frequent password changes on their users. But this only compounds the problem. It increases the likelihood that users will write down their passwords, use the same password across multiple sites, forget their passwords altogether or, in a truly poor experience, have to call a help desk. It can also undermine productivity by forcing both users and administrators to dedicate more time and effort to password maintenance.
Sharing passwords is another reckless practice. It’s commonplace for consumers to share passwords — just think of the various streaming services — with their family and friends in an effort to save on costs. While this may seem harmless, sharing passwords makes it impossible for IT teams to know who is truly accessing the application and to have protections in place against non-verified individuals.
The same threats hold true when using the same username. Usernames are often common or shared publicly, meaning they have little security value. For example, someone’s social media handle could be the same username they use across different platforms and services. These redundancies make your digital footprint easier to map and exploit than if each account were unique.
A passwordless future
This is where passwordless technology and streamlined experiences come into play. Passwordless authentication generally relies on a possession factor (something you have, like a mobile device) or an inherence factor (something you are, like face or fingerprint biometrics) to verify user identity with greater assurance and convenience.
For consumers, passwordless improves engagement, makes logging in easy and makes the overall experience seamless and secure. This drives higher revenues because great digital experiences lead to long-term loyalty.
Consider that 46% of consumers prefer sites that offer alternatives to passwords and 53% feel better when using multi-factor authentication to sign into sites or services. Customers are already familiar with passwordless biometric logins on their smartphones. By offering passwordless authentication, businesses can not only improve customer experiences but also reduce abandonment rates and improve their bottom lines.
For employees, less time entering and resetting passwords means higher productivity and significantly less strain on help desks, which reduces costs. The security benefits are also clear: 82% of breaches involve brute force attacks or the use of lost or stolen credentials. Removing reliance on passwords provides a clear solution to better security and user experience.
Passwordless technology is readily available today, but adoption is still low. That’s because passwordless is not a single solution, but rather one that requires integrations of multiple products and technologies while providing options to users. Also, it’s not simply an IT or security decision but a key business initiative that requires buy-in from various leaders throughout an organization.
The journey to passwordless is not short, but there’s a clear roadmap to reaching that goal. Organizations should start with the basics: centralized authentication based on username and password plus intelligent MFA to provide a single sign-on experience.
Progress continues by phasing out passwords using risk services and biometrics that support continuous, adaptive authentication. The home stretch of eliminating passwords brings in the use of FIDO-certified products and trusted devices as well as identity proofing.
Paving the way to passwordless adoption
A passwordless future results in stronger security, better user experiences and greater productivity. While progress is being made, it will take some time for passwordless to reach mass adoption. Until then, it’s critical to practice good password hygiene: change passwords regularly, use a unique password for each account, leverage a password manager to help keep track, and opt into MFA.
Aubrey Turner, Executive Advisor at Ping Identity, has an extensive background successfully delivering strategic, enterprise cyber security solutions to Fortune 1000 companies that address business problems, strengthen organizations, reduce risk and deliver positive business outcomes. Aubrey has demonstrated rapport and consensus building with key stakeholders. Additionally, he has proven leadership, communication, management, collaboration and sales skills.