Another year, another 12 months full of data breaches. According to a report from Risk Based Security (RBS), although the number of publicly reported breach events decreased by 48% in 2020, the total number of records compromised increased by 141%.
Although these figures are not solely down to the endurance of the age-old username and password model, it is undoubtedly still a huge contributing factor. In fact, further research has shown that 71% of hacks today aren’t really hacks, but simply bad actors logging in with valid user credentials they’ve obtained elsewhere.
While some are still arguing that the traditional password can provide adequate security if used correctly, this train of thought is wearing thin and fails to acknowledge an insurmountable challenge that has been clear for some time: passwords are just not taken seriously enough to work. Credentials are supposed to be the gates that protect the castle. Yet password reuse is still rife, while internet users still too often opt for easy-to-crack passwords, as evidenced by ‘123456’ topping the charts for the most common password used in 2020.
The response to the fading protection that passwords afford us has been to add more layers to the process, such as asking users to enter a one-time passcode sent to ‘something they have’ like a mobile phone. But two-factor authentication (2FA) arguably makes an already cumbersome user experience even worse. What happens if you’re trying to log in to a work platform to meet a deadline while you’re out of the office and your phone runs out of battery? Perhaps this is why our own research shows that just 25% of respondents said they regularly enable 2FA when it’s an option.
So, if adding an extra layer doesn’t fit the bill, what does? Passwordless authentication has always proven to be more efficient, effective and secure, as well as striking the right balance between user experience and security. However, the perception of high cost and complicated implementations has deterred many from ditching passwords completely.
But this is no longer the case. Passwordless alternatives are now far more affordable, easy to implement and safe, particularly through the emergence of cloud-based SaaS (Software-as-a-Service) deployments that remove the complexity of deploying costly IT projects in one fell swoop.
For example, using a multi-factor authentication (MFA) cloud service based on biometrics means that, rather than asking users to remember a password, biometric identifiers such as voice and face prints can be stored so users can be authenticated on any device they’re logging in from. By combining the biometric check with additional ‘silent’ factors, all a user needs to do is present their face to log in.
From a security standpoint, user credentials can’t be lost, stolen or shared when they are your own face and voice patterns – the legitimate user must actually be present to log in. From a cost standpoint, it means organizations of any size and sector can now deploy and scale a passwordless authentication solution quickly and cost-effectively.
The key question, however, is whether enterprises, CIOs and IT leaders will recognize this and finally acknowledge the overwhelming benefits of going passwordless. It would be far too unrealistic and naïve of me to say that passwords will completely disappear and passwordless solutions will immediately take their place, particularly when it comes to overhauling legacy infrastructure. However, I believe that the past year has seen multiple factors click into place for an acceleration of our passwordless future over the next few years, if not the next 12 months.
Firstly, we are seeing some of the world’s biggest and most renowned tech companies adopting, deploying and investing in passwordless technologies. Most recently, Microsoft completed the acquisition of Nuance, a company that has been offering a passwordless security system that relies on your voice to authenticate sign-ins.
Secondly, as consumers, individuals, employees and humans, we are all getting used to using passwordless technologies in our daily lives and routines. This could be using your face to log into your phone or your fingerprint to authorize a transaction, just to name a few. In fact, a recent survey found that 62% of organizations have increased the deployment of technology supporting remote onboarding and authentication since COVID-19.
Adding to this mix are dramatic changes to the workplace and associated security strategies. For example, 60% of organizations have accelerated their Zero Trust projects during the pandemic to ensure that the right people have the correct access level to the right resources, all the while ensuring a seamless user experience. Yet, as we move towards a more permanent hybrid and decentralized working environment, many organizations will have to rethink and reassess how they enable employees and other users to access sensitive networks and information, irrespective of their location, network or device, while still maintaining the highest grades of security.
Coupling these three factors against the backdrop of a huge rise in cyber-attacks that seem to involve the misuse of passwords, I think we may finally see greater recognition that waving goodbye to passwords is the best password of all this year.