Are Passwords Now Passé?
Originated at the Massachusetts Institute of Technology in 1961, passwords have long been a central component of digital security. But in the nearly 60 years since they were first implemented as a standard safeguard, technological advancements and societal changes have exposed this once-stalwart defense mechanism’s vulnerabilities.
In the decades since passwords were introduced amid the advent of the internet, network systems and the data on them have increased exponentially. More recently, cloud technology has made vast amounts of data accessible from almost anywhere, further expanding our ability to store and share data but also greatly increasing attack surfaces. Meanwhile, the number and size of breaches faced daily by organizations worldwide continue to draw both the business industry’s attention and anxiety.
In its “2018 End-of-the-Year Data Breach Report,” the Identity Theft Resource Center categorized more than a thousand publicly reported data breaches resulting in hundreds of millions of records exposed. Leading both of these statistics was the business sector, accounting for more than half of all breaches and the disclosure of more than 415 million documents. People’s tendency to reuse passwords across personal and business accounts contributes to the frequency of these breaches. Verizon’s “2019 Data Breach Investigations Report” confirmed that 80% of hacking-related breaches exploited compromised and weak credentials, while nearly 30% of all breaches of any attack type involved the use of stolen credentials. Many organizations have adopted two-factor (2FA) and multi-factor (MFA) authentication, in addition to the standard login credentials, to deter credential theft, requiring users to answer security questions or delivering a code or one-time password via a security token, mobile phone or email to authorize access. These measures can help boost security but are running up against a rising workforce that doesn’t always seem to value it.
According to media research firm Magid, nearly 35% of millennials share passwords with one another, particularly for streaming services. Post-millennials, individuals 21 and younger, share passwords at an even higher rate of 42%. While some of this sharing is intentional, it can also stem from simple mistakes, such as individuals saving credentials on a browser other than their own. While over time this may become a potentially expensive problem in the form of lost subscription revenue for streaming services, it presents an even bigger issue for businesses, with data showing 27% of Americans use the same password for most, if not all, of their accounts. That number jumps to 40% for individuals aged 18 to 34. Given that many users rarely, if ever, change their passwords unless explicitly prompted, being compromised once can lead to being compromised everywhere.
With data breaches on the rise and so frequently in the news, organizations and consumers alike have recognized that even the most complex and routinely changed passwords do not equal unassailable protection. While multi-factor security mechanisms aim to frustrate attackers by relying on more than simple username/password combinations and creating more hurdles to overcome, they remain susceptible to hijacking. A determined cyberthief using creative social engineering and phishing methods, or able to exploit technical gaps between authentication platforms, can bypass typical 2FA and MFA technology. And while these augmented verification methods aim to improve security assurances, they nevertheless depend on usernames and passwords as the first security factor. Removing passwords (and other knowledge-based authentication) and using factors such as a mobile device (“something you have”) with biometrics (“something you are”) can deliver a much more usable MFA experience, one that eliminates the weakest and most commonly abused link.
We’re well past the point where passwords alone can reliably prove a user’s identity. While they may have been enough to authenticate individuals in the internet’s earliest days, it’s time for a more advanced formula that takes into account a world of increasing digital complexity, mobility, and data, along with human tendencies toward simplicity and convenience. The benefits of going “passwordless” are dramatic: Passwordless authentication means there are no words or phrases for users to create or remember. Also, with no passwords, there are none at risk of being exposed through phishing attacks on inboxes or breaches of back-end databases. Removing brittle passwords also cuts off the ammunition supply for cybercriminals’ automated credential-stuffing attacks and reduces password-related IT help desk calls.
The stakes of proving whether someone behind a keyboard or touchscreen really is who they claim to be have never been greater and will only escalate further as the fortunes of a 5G mobile world come into focus. With greater risk comes adaptation, meaning it’s time to set passwords on a glide path to retirement and begin deploying newer security controls capable of backstopping, and then replacing, them and their inherent weaknesses entirely. A no-passwords approach can better protect digital identities and the sensitive assets attached to them. After all, threat actors can’t exploit what doesn’t exist.