
Is There Hope for a Better Password Experience?

Here is a riddle: creating new accounts means creating new passwords. To be secure, each of those passwords should be complex and unique. For security reasons, you should not write them down either. That leaves people with only a handful of ways to manage their passwords, and none of them is comfortable.

The current state of passwords, according to researchers, is bleak. The average person has over 90 accounts, each with a password. 51% of passwords are reused across multiple accounts, and 80% of data breaches involve stolen or weak credentials. Resetting a password costs time and money for both the person resetting it and the company: the average helpdesk labor cost for a single password reset is $70.

There is some hope for a better password experience, however. A coalition of companies is developing standards for easier login, users now have password management tools, and employers are working to make authentication both easier and more secure.

Companies: New Protocols for Accounts

Website and application developers need to make sure that only the right people use their service, so every time you use a secure service, authentication must take place. Traditionally, a developer would devise an authentication scheme that asked for a password and checked the submitted value against a stored record.


FIDO is an alliance of technology companies that advocate for faster, easier-to-use and more secure authentication. FIDO stands for Fast IDentity Online. Technology giants like Microsoft and Google are members, along with companies like Mastercard and PayPal.

The output of the FIDO alliance is a set of protocols the industry can adopt. The technical specifications cover the pieces needed for secure authentication and are shared among members and beyond; companies that want a seat at the table join the alliance for a yearly fee.

The protocol supports use cases that make passwords less of a nuisance:

  • Biometrics: use your face, fingerprint or another unique trait to log in.
  • Two-Factor Authentication: a smartphone or hardware token that is always at hand serves as a second factor.

Combining tokens, multi-factor authentication and biometrics makes access more secure. Different authentication levels are defined, so the strength of the check can match the sensitivity of the system. Perhaps one day, passwords and access will be efficient by design in every instance.

Users: Relief in Password Managers

A future where every login screen and every authentication flow follows modern best practices is far off. There is hope for users, however. Another way of tackling the password problem is to make your own password storage more secure. Password manager services like LastPass unlock with a single master password and then securely store the rest of your passwords. Open source applications like KeePass provide a similar service, and Google has a password manager built into Chrome as well.


YubiKey takes password managers a step further with a physical device. The device stores and generates passwords and provides a second authentication factor, and it is FIDO compatible as well. Password storage companies are converging on common standards like FIDO.

Employers: Security-Driven

Employers are also turning to password managers and to new systems for how their employees use passwords. A popular system for handling credentials securely is single sign-on: a user logs in once and gets access to a whole set of services.

Password security is a major risk for companies: a single compromised password can mean immense damage. Internally, password resets also eat up many hours of helpdesk support. Combined with other best practices in authentication, the new tools can be better for both the employee and the company.

When LastPass was acquired by LogMeIn in 2015, it had over 7 million users. The masses can hope for a more secure future from the companies requiring the passwords, the companies providing password services, or a combination of both.


*** This is a Security Bloggers Network syndicated blog from Cipher Blog - English authored by Bill Bowman. Read the original post at: http://blog.cipher.com/hope-for-better-password-experience