Security via Passwords: Will it soon be a thing of the past?
Denis Bajet | ROOMDEX
When used correctly, passwords are an extremely simple and effective way to protect data and IT systems from unauthorized access. However, creating a complex password, never mind remembering it, is difficult. How many times have you clicked on the “forgotten password” link? Or worse still, come back from annual leave and have to email the help desk at work to get a new password. We all use passwords constantly and hate having to remember them all.
The struggle is real
And there are a lot of them to remember. According to research by the password manager NordPass, an average person has 70-80 passwords. 80 passwords is a lot of information to memorize. Ideally, you should have a different password for every site and system you access. However, because we have so many of the damn things, people use overly simple passwords or reuse just a few across multiple accounts. A report by Verizon found that 59% of people reuse their passwords everywhere. Easy? Yes. Secure? No way.
The weakest link in your organization
Passwords are paradoxical. They require employees to produce a string of characters that is secure enough to protect an account, yet simple enough to remember for next time. Inevitably, employees forget their passwords and contact IT to reset them. This process can prove lengthy and cause utter frustration for both the IT department and employee.
As a result, over 70% of employees reuse passwords at work, and 25% use the same password for all of their logins. Password policies that forbid reuse or force a new password every 3 months usually generate more frustration and support work than security benefit; current NIST guidance (SP 800-63B) advises against periodic rotation for exactly this reason. Password managers help, but they concentrate every credential behind one master password and are an attractive target in their own right, so they are not a complete answer either.
Poor habits such as weak passwords and credential sharing weaken a company’s overall security posture and expose it to significant risk. According to the Verizon Data Breach Investigations Report, a whopping 81% of hacking-related breaches involved stolen or weak passwords. The financial repercussions for a business can be huge, to both the company’s reputation and even its share value. It’s estimated that the average cost of a data breach is $240,000 for every 1,000 records compromised.
While passwords are a critical first line of defense against attackers, properly managing user credentials, secrets and sessions requires a tremendous amount of resources. Forrester Research estimates that large organizations spend up to $1 million per year on staffing and infrastructure just to reset passwords. Easy-to-guess and reused legacy passwords are vulnerable to a wide range of attacks (credential stuffing, phishing, brute force), and by themselves they do not provide adequate protection for sensitive systems and confidential information. Fortunately, there’s a better way to protect your applications. Go passwordless.
What does Passwordless mean?
Yes, you heard right, passwordless. Passwordless authentication aims to give you the security of two-factor authentication without the extra step users resent. It swaps the memorized password for a factor that is harder to guess or phish: a magic link or one-time token delivered to the user’s company email address, a fingerprint or other biometric that unlocks a key held on the device, or a PIN that never leaves the device. One caveat a security team should keep in mind: a magic link on its own is a single possession factor (whoever controls the mailbox can log in), so the two-factor-like strength comes from pairing a device-bound credential with a local biometric or PIN, not from the absence of a password by itself.
Passwordless authentication, by its nature, eliminates the problem of weak and reused passwords and is therefore safer. It offers numerous benefits to users and organizations. For users, it removes the need to remember or type passwords, leading to a better user and customer experience. For organizations, passwordless authentication requires less maintenance. A company can still control user access from one place, and for email-based methods there is no need to integrate a separate LDAP or Active Directory store: access is gated on the company mailbox. If an employee leaves, as soon as their company email access is disabled, they can no longer receive a login link, so access to passwordless applications stops immediately. The flip side is that the mailbox becomes the root of trust, so it must itself be protected by strong, multi-factor authentication, and links must be short-lived and single-use. There’s no longer a need to store passwords, leading to better security, fewer breaches and lower support costs.
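To make the magic-link flow described above concrete, here is an added example (not ROOMDEX’s code, and not any particular vendor’s implementation) of the server side of an email magic link: issuing a random single-use token, storing only its hash, and verifying a click with expiry, replay and tampering checks. The verification URL `https://example.test/auth/verify`, the 15-minute lifetime, the class and function names, and the email addresses are all assumptions made for this example; delivery of the link by email is represented by returning the URL.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Assumed policy values for this example (not from the article).
TOKEN_TTL_SECONDS = 15 * 60                        # a link is valid for 15 minutes
VERIFY_URL = "https://example.test/auth/verify"    # hypothetical endpoint


class MagicLinkStore:
    """Issues and verifies single-use magic-link tokens.

    Only the SHA-256 of each token is stored, so a copy of this table does not
    yield working links. Hashing the presented token before lookup also means
    an attacker cannot learn a valid token byte-by-byte through timing.
    """

    def __init__(self) -> None:
        # token_hash -> (email, expires_at)
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Create a link for `email` and return the URL that would be emailed.

        Delivery to the mailbox is what binds the link to the person: if the
        mailbox is disabled, the link is never received.
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email.lower(), now + TOKEN_TTL_SECONDS)
        return f"{VERIFY_URL}?token={token}"

    def verify(self, url: str, now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated email address, or None if the link is
        unknown, already used, tampered with, or expired."""
        now = time.time() if now is None else now
        query = parse_qs(urlparse(url).query)
        token = query.get("token", [None])[0]
        if not token:
            return None
        # pop() makes the link single-use: a second click, or a replay by
        # someone who observed the first request, finds nothing.
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None
        email, expires_at = record
        if now > expires_at:
            return None
        return email

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Drop expired records so the table does not grow without bound."""
        now = time.time() if now is None else now
        stale = [h for h, (_, exp) in self._pending.items() if now > exp]
        for h in stale:
            del self._pending[h]
        return len(stale)


def demo() -> Dict[str, Optional[str]]:
    """Walk through the cases a practitioner should check.
    Returns a dict of case name -> verify() result."""
    store = MagicLinkStore()
    t0 = 1_700_000_000.0                   # fixed clock for a reproducible run
    results: Dict[str, Optional[str]] = {}

    link = store.issue("Alice@Example.com", now=t0)      # constructed sample user
    results["first_click"] = store.verify(link, now=t0 + 60)       # valid use
    results["replay"] = store.verify(link, now=t0 + 61)            # already consumed

    link2 = store.issue("bob@example.com", now=t0)
    results["expired"] = store.verify(link2, now=t0 + TOKEN_TTL_SECONDS + 1)

    link3 = store.issue("carol@example.com", now=t0)
    tampered = link3[:-1] + ("A" if link3[-1] != "A" else "B")   # flip last char
    results["tampered"] = store.verify(tampered, now=t0 + 5)

    results["no_token"] = store.verify(VERIFY_URL, now=t0)        # missing parameter
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12s} -> {outcome}")
```

Two design choices matter here. The token is generated by the OS CSPRNG and never stored in clear, so neither a guessed value nor a leaked database gives an attacker a login. And `verify()` removes the record before checking expiry, so a link can be used at most once regardless of how the check turns out. Note what the code cannot do: if the mailbox itself is compromised, the attacker receives valid links, which is why the mailbox needs its own strong authentication.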
Gartner predicts that by 2022, 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases, up from 5% in 2018. While it may not always be possible to completely eliminate passwords from legacy implementations, adding easy-to-use passwordless authentication to applications has become simple and cost effective, allowing businesses to replace passwords with more secure alternatives.