Considering a World Without Passwords

Every time we sign up at a new website, we have to come up with another password. But let's face it: you probably use no more than three distinct passwords across the web, you rarely change them, and you sign up with the same email address every time. Attackers know this, and they exploit the weaknesses of passwords both as a behavior and as a technology.

But as entrenched as usernames and passwords are in our lives, is it even possible to do anything about it? Let’s dive into the overwhelming problem that impacts everyone and what can be done to solve it.

Password Problems

They’re cumbersome, yet everywhere. If you struggle with remembering passwords, you’re not alone. For example, as if the Hawaii false missile alert wasn’t embarrassing enough already, Hawaii’s governor admitted he was delayed 15 minutes in posting a “false alarm” tweet because he forgot his Twitter password. He was informed of the erroneous missile notification two minutes after it was pushed out, but he did not tweet it was a false alarm until 20 minutes later.

Most of us don't have the emotional wellbeing of a state's worth of people riding on our recall ability, but it's still difficult to manage all those passwords. That's why we often forget them and rarely change them, and why we tend to pick short, memorable passwords. Those are dangerous, because attackers crack them with brute-force and dictionary attacks and replay them in credential-stuffing attacks. And once one website is compromised, every other site where that password was reused is exposed too. The resulting credential dumps circulate on the Dark Web, which helps explain why stolen or weak passwords account for 81% of data breaches.

We could go on—writing them on sticky notes, victims of phishing—but the bottom line is that we are relying on decades-old technology doing something it was never meant to do: protect the most sensitive information out there.

Further, there are operational costs associated with passwords. Many companies still rely on manual resets, which means every forgotten password costs help-desk time and money.

Multifactor Is Not Enough

Behavior change is difficult for individuals, and even more so for organizations. However, looking for legitimate alternatives to passwords is the only way to move forward. As alternatives such as biometrics become more advanced, businesses and consumers will begin to move beyond secret-based approaches and embrace a new future of identity management.

Multifactor authentication (MFA) has been around for years. Alissa Knight, senior analyst at Aite Group, explains it this way:

“First, there were just usernames. Then came usernames and passwords. Then came MFA, which requires something you know, such as a username and password; something you have, such as a one-time password token; or something you are, such as biometrics using your fingerprint or a retina scan.”

Some people feel that MFA is the answer to all of their authentication woes. And yes, some MFA solutions function well, but frustrations can remain. Sometimes we're not in a place where we can receive an SMS, for example. And technically speaking, MFA often still relies on shared secrets: a one-time PIN is derived from a seed that both the server and the user's token hold, so a breach of the server exposes it, and a code typed into a look-alike site can be relayed to the real one while it is still valid. Those are the same classes of weakness passwords have.

Is MFA better than just a password? Definitely.

Is it going to fix everything wrong with shared secret authentication? No.

The Path to Life Without Passwords

With passwords as the main source of breaches and alternatives readily available, it’s time to make the shift. Here are three ways to begin:

  • For the transition away from passwords to be successful, behavior change has to be enterprisewide. Let your employees know that there is an option that's both more secure and more convenient, and they'll offer you less resistance to change. Yes, they can finally stop getting the pop-up message that it's time to rotate their password again. (And we all know you use the same one as before, with the last digit bumped to the next number.)
  • The FIDO (Fast Identity Online) Alliance has created protocols that enable alternatives that are both more convenient and more secure. Based on free and open standards, FIDO authentication lets password-only logins be replaced with fast, secure login experiences across websites and applications. The FIDO protocols use standard public key cryptography: the authenticator generates a key pair for each site, keeps the private key (and any biometric used to unlock it) on the user's device, and hands the site only the public key. Logging in means signing a fresh challenge from the site, and the signature also covers the web origin the browser is actually talking to. That is why, unlike passwords, FIDO credentials don't enable "scalable" attacks: a breached site yields nothing but public keys, so there is no database of FIDO credentials to sell on the Dark Web, and you can't phish someone who is properly using FIDO, because an assertion signed for a look-alike origin is rejected by the real site.
  • Think practically about how to incorporate more modern means of authentication into existing ways of doing business. For example, if you have applications that you and your company can’t modify, consider a single sign-on gateway that uses FIDO protocols to protect access to those websites and applications. You don’t have to design everything from scratch; you do need to think about the current ways of doing things and how to augment that with stronger technology.
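To make the second point concrete, here is an added illustration in Go's standard library; it is not code from the original post, nor StrongKey's or the FIDO Alliance's implementation, and its message layout is a simplified stand-in for the real WebAuthn encoding. The relying party example.com and the look-alike domain examp1e.com are made up. It shows the three properties the bullet above relies on, and it also answers the shared-secret concern raised under "Multifactor Is Not Enough": the server stores only a public key, the private key is created on the device and never leaves it, and the browser's origin is inside what gets signed, so a login relayed from a phishing site (or patched up by the phisher) fails at the real server, and a replayed assertion fails because each challenge is single-use.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical relying party; "examp1e.com" further down is a made-up look-alike domain.
const rpID, rpOrigin = "example.com", "https://example.com"

// clientData: the server's challenge plus the origin the browser actually observed; signed by hash.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}
type assertion struct{ AuthData, ClientJSON, Sig []byte } // AuthData = SHA-256(rpID) || flags
// The private key is generated inside the authenticator and never leaves it.
type authenticator struct{ priv *ecdsa.PrivateKey }
// The server keeps only the public key, so a dump of its table lets nobody log in.
type server struct {
	pub     *ecdsa.PublicKey
	pending []byte // single-use challenge
}

func (s *server) newChallenge() []byte {
	s.pending = make([]byte, 32)
	if _, err := rand.Read(s.pending); err != nil {
		panic(err) // no entropy: refuse to issue a challenge
	}
	return s.pending
}

// What gets signed: SHA-256(authData || SHA-256(clientDataJSON)); the origin is inside.
func signedMessage(authData, clientJSON []byte) []byte {
	cdHash := sha256.Sum256(clientJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

func (a *authenticator) sign(challenge []byte, origin string) assertion {
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin}) // cannot fail for these types
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // flag 0x01 = user present (touched the key)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cd))
	if err != nil {
		panic(err) // only on entropy failure
	}
	return assertion{AuthData: authData, ClientJSON: cd, Sig: sig}
}

func (s *server) verify(as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientJSON, &cd); err != nil {
		return err
	}
	if len(s.pending) == 0 || !bytes.Equal(cd.Challenge, s.pending) {
		return errors.New("unknown or already-used challenge (replay)")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin %q is not %q (phishing or relay)", cd.Origin, rpOrigin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) != 33 || !bytes.Equal(as.AuthData[:32], rpHash[:]) ||
		!ecdsa.VerifyASN1(s.pub, signedMessage(as.AuthData, as.ClientJSON), as.Sig) {
		return errors.New("bad signature or wrong relying party")
	}
	s.pending = nil // accept, and consume the challenge
	return nil
}

type Result struct{ Legit, Replay, Phish, Tampered bool } // which of four login attempts the server accepted

// Demo: an honest login, a replay of it, an assertion signed on a look-alike origin and
// relayed to the real server, and that same assertion with its origin field edited.
func Demo() Result {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration: key born on the device
	if err != nil {
		panic(err)
	}
	auth, srv := &authenticator{priv: priv}, &server{pub: &priv.PublicKey} // server gets the public half only
	as := auth.sign(srv.newChallenge(), rpOrigin)
	r := Result{Legit: srv.verify(as) == nil}
	r.Replay = srv.verify(as) == nil // same assertion again: challenge already consumed
	// Worst case for the victim: the same key signs for the phishing origin (a real authenticator scopes keys to the rpId and refuses).
	relayed := auth.sign(srv.newChallenge(), "https://examp1e.com")
	r.Phish = srv.verify(relayed) == nil
	// Attacker patches the origin before forwarding: the signed hash no longer matches.
	relayed.ClientJSON = bytes.Replace(relayed.ClientJSON, []byte("examp1e.com"), []byte("example.com"), 1)
	r.Tampered = srv.verify(relayed) == nil
	return r
}

func main() { fmt.Printf("%+v\n", Demo()) } // {Legit:true Replay:false Phish:false Tampered:false}
```

Run it with `go run` and only the honest login is accepted. Note what the server never holds: no password hash, no OTP seed, nothing that a SQL dump or a phishing page could turn into a valid login. Real WebAuthn adds a signature counter, attestation and per-rpId key scoping on top of this, but the origin binding shown here is the property that makes the "can't be phished" claim true.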

Conclusion

Passwords served an important purpose for many years, but times and circumstances have changed. With millions of passwords available for sale on the Dark Web and given the seemingly incurable poor password hygiene practiced by most people, it’s time for a better solution. MFA, though a step in the right direction, is also not enough. FIDO protocols offer safe, speedy login experiences that can lead to a truly safer and password-free world.

Jake Kiser

Jake Kiser is CEO of StrongKey. He is responsible for the company’s business strategy, overseeing the company’s growth of its open-source cybersecurity solutions and a new product line which brings unprecedented security to small and medium enterprises. He has a diverse wealth of experience in building and executing growth strategies in both the corporate and non-profit world, including multinational clients across the United States and sub-Saharan Africa. He received his master’s degree in business administration from Duke University and a bachelor’s degree from the University of Maryland.