A 2020 study conducted by NordPass unveiled that the average user has 100 passwords. That’s one hundred phrases to forget and one hundred password resets to make. For those who are less creative, they likely don’t have the best passwords and may have 100 cases of “123456.” But most importantly, it’s 100 potential threats left in the wrong hands.
Everyone’s sick of password overload. But for decades now, users have had no other option than to rely on the username and password combination to access their online accounts. Many users easily forget even their best password, which becomes a UX nightmare. Password resets cost enterprises millions of dollars to support annually, and password barriers equate to lost sales revenue. Lastly, passwords are notoriously insecure. For instance, 81% of hacking-related breaches are a result of weak or stolen passwords.
We’re all fed up with passwords. There must be a better way.
Thankfully, all this is set to change in the years to come. Password-less authentication is on the horizon, and it could finally bring us all a big sigh of relief. These methods use other means to verify the user, such as biometric identification or physical keyfobs. Even less intrusive passwordless authentication solutions involve verifying with a hardware-based access code, hiding the complexity from end-users.
I recently met with Shimrit Tzur-David, CSO and Co-Founder of password-less authentication company Secret Double Octopus. According to Tzur-David, we have the technology to implement passwordless authentication today, and it is only a matter of time before it becomes the new norm.
The Argument Against Passwords
Why go passwordless? Well, somewhat ironically, the biggest reason is that passwords, even the best passwords, pose a major security threat. The majority of company breaches are due to weak or stolen passwords. It doesn’t help that most users aren’t that original when creating their better or best passwords. The top ten most commonly used passwords include phrases like “12335,” “123456,” “qwerty,” and “password,” which are dreadfully easy to guess.
Another risk factor is human error. Users often accidentally expose passwords online. Hackers can use email scams and phishing attempts to steal credentials by having a user click a malicious link or download a corrupted file. Impressively, human error causes nearly 90% of cyberattacks. Since users are prone to misjudgment, a passwordless security solution is arguably more secure as it lessens the possibility of user error. “This is why we need to take users out of the equation,” says Tzur-David.
New Paradigm with Remote Work
Companies now hold many assets in cloud-based platforms accessed by remote workers. In this new paradigm, hackers can use compromised credentials for privilege escalation, data exfiltration, ransomware attacks, and many other attack types. The rising value of data and the distributed nature of today’s workforce is the perfect storm for a password apocalypse.
Potential Costs of Password Resets
Not only are passwords a security threat, but they are also costly to maintain. Password resets are the top reason for today’s support desk calls. Analysts estimate that each password reset costs a company anywhere from $25 to $70 to initiate. This factors in lost productivity, help desk costs, and operational overhead. The price becomes exponential, considering a user typically resets their password a few times a year. Forrester states that large companies budget $1 million a year on staffing and infrastructure to handle password rests alone.
Passwords also bar users from completing transactions. If a user can’t remember a login, they might quickly abandon a spur-of-the-moment purchase. Thus, a more seamless authentication experience could increase sales.
Alternatives to Passwords
Removing passwords, even the best passwords, altogether could improve security and user experience and also increase revenue. But if we’re not using passwords, what is the means of authentication? According to Tzur-David, passwordless authentication could utilize other forms of multi-factor authentication (MFA).
MFA involves choosing at least two out of three factors:
- First, something you know, like a password or secret phrase.
- Second, something you have, like a mobile phone, keyfob, or token.
- Third, something you are, like a fingerprint scan, retina scan, or voice recognition.
The last two factors are more user-friendly options as they can involve increased automation.
Tzur-David describes that a pin code stored locally on a device can be utilized to enable seamless authentication without the use of passwords. Leading this shift is the FIDO set of specifications, which standardize how to utilize biometric input for authentication, or FIDO security keys that are intrinsic to the device. FIDO2 specifications include the Web Authentication (WebAuthn) specification and the Client-to-Authenticator Protocol (CTAP).
“There is a clear trade-off between security and user experience,” says Tzur-David. “We need a solution that breaks that.” Many apps now use SMS to send a One-Time Password (OTP) for two-factor authentication. However, Tzur-David explains that this is not an ideal authentication method. This is because hackers can easily spoof SMS texts and redirect the messages. A safer alternative to prove a user has a mobile device is Google Authenticator.
A Hybrid Authentication Solution
The above solutions work well to bring passwordless authentication to end-user, but how does this relate to corporations? As Tzur-David explains, large conservative institutions like banks utilize many on-premise and legacy services. Thus, cloud-based authentication solutions will only serve a portion of access control requirements. “We need authentication solutions that target all these types of services,” she says. “With one weak link, all security is compromised.”
Passwordless authentication solutions in the cloud usually involve web services that support SAML, OpenID Connect, and other protocols, she says. However, on-premise enterprise systems may use Azure Active Directory (Azure AD) as their identity service. “We need to find a way to provide passwordless authentication for both those services,” she says.
When Will We Be 100% Passwordless?
There are many reasons to go passwordless. Password recall results in poor user experience; it’s nearly impossible to keep track of the hundreds of credentials we use. This causes users to repeat the same password across multiple accounts, thus widening the attack vector of a single breach.
Some strides have been made toward a passwordless experience. Apps now delegate login across tabs, and long-lived access tokens now support long-term logins. Yet, these tokens must be refreshed eventually. Many web browser users enjoy a near passwordless experience by using a password manager that automatically injects it into forms. Yet, password managers and social logins are cloud-based accounts with — you guessed it, a master password. This is not true passwordless technology, argues Tzur-David.
So, when will we go passwordless? Well, standards around passwordless multi-factor authentication are bringing us closer to this future reality. “Today, we have the technology to do so, and it’s going to be easy and quick once it happens,” says Tzur-David. It will be a journey, but she predicts we are only a couple of years away from a transition to a passwordless digital life.