There’s a t-shirt that reads, “My password is the last 20 digits of Pi.” It’s funny – who would ever guess that? – but every password generator would flag that password as “weak.” It contains no letters or symbols, so it fails the usual complexity criteria.
This is only one of a thousand reasons why people hate passwords, so when they come up with a good one, they use it again. And again. Until it becomes their default password for everything at work and for any online activities.
According to a study from Ivanti, 1 in 4 consumers use a work password (and/or work email) when accessing consumer websites, ranging from restaurant orders to dating apps. The use of work credentials for personal activities puts the company at risk of a cyberattack. The threat has grown worse with so many people working remotely, perhaps permanently, and using those same credentials for IoT and across multiple personal devices used for both work and play. In addition, the study found that a quarter of organizations do not require employees to update their password every six months, or use a one-time password generator for better password protection.
“Organizations must enforce a clear separation between apps and websites used for work and personal business,” the study stated. That includes separating the credentials used for access to each. But how?
Is Going Passwordless the Answer?
“Organizations should implement a zero-trust authentication strategy to effectively secure the everywhere workplace, and defend against several leading causes of data breaches, such as stolen credentials, password reuse and user impersonation,” said Phil Richards, chief security officer at Ivanti. As part of the zero-trust journey, Richards added, companies should eliminate passwords altogether and instead enable mobile device authentication with biometric-based access. Passwordless multi-factor authentication can provide a seamless user experience for employees and significantly reduce the risk of data breaches.
Reducing our reliance on passwords is the right approach, agreed Alan Krassowski, vice president of technology at Acceptto.
“Technology is available via an app on your mobile phone which becomes an authenticator that removes the need for ever showing those username and password fields on sign-in web pages in the first place,” Krassowski said in an email interview.
“Since their phone is already paired to their identity, and other environmental information can be taken into account during the process, the user is quickly authenticated without having to generate, remember or type a password ever again.”
Using IAM for Passwordless Authentication
Krassowski touched on a key point for improving the authentication path: its connection with user identity. Identity and access management (IAM) systems let IT and security administrators assign a single digital identity to each person accessing the network. Through IAM, users are limited to the databases and files they have been granted access to, and the IAM solution designates the authentication method the user must satisfy before authorization. Using IAM, security and IT teams can build passwordless authentication on the biometrics, tokens and smartphones that most employees already have at their fingertips.
This immediately eliminates the risk posed by the one in four users who reuse the same passwords for work and across multiple (probably dozens of) consumer sites, reducing the chance that your organization will be the victim of a data breach or other third-party risk via stolen passwords.
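As an added illustration of the flow described above, not code from the article or from Ivanti or Acceptto: a small Python sketch in which an IAM directory designates each identity's authentication method and permitted resources, and a phone paired to that identity answers a one-time challenge instead of a password. The directory, device records and shared secret are constructed assumptions; a real phone authenticator holds a device-bound key pair rather than a secret the server also knows.

```python
import hashlib
import hmac
import secrets

# Constructed IAM directory (an assumption, not a real product's schema): one
# digital identity per person, the authentication method IAM designates for it,
# and the resources that identity may reach.
DIRECTORY = {
    "alice@corp.example": {"method": "device", "resources": {"hr-db", "fileshare"}},
    "bob@corp.example": {"method": "device", "resources": {"fileshare"}},
}
# Constructed enrolment records: a phone paired to one identity. The shared
# secret stands in for the key pair a real phone authenticator holds.
ENROLLED_DEVICES = {
    "phone-alice-1": ("alice@corp.example", b"constructed-device-secret-alice"),
}
_outstanding = {}  # server side: identity -> unused challenge nonce

def password_allowed(identity):
    # IAM decides the method: a "device" identity never gets a password field.
    return DIRECTORY.get(identity, {}).get("method") == "password"

def issue_challenge(identity):
    # Server side: mint a one-time nonce for this sign-in attempt.
    nonce = secrets.token_hex(16)
    _outstanding[identity] = nonce
    return nonce

def device_sign(device_id, nonce):
    # Phone side: answer with the secret that never leaves the device.
    _, secret = ENROLLED_DEVICES[device_id]
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()

def authenticate(identity, device_id, nonce, response):
    # Server side: accept only the paired device answering the live challenge once.
    if device_id not in ENROLLED_DEVICES or _outstanding.get(identity) != nonce:
        return False
    owner, secret = ENROLLED_DEVICES[device_id]
    expected = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
    if owner != identity or not hmac.compare_digest(expected, response):
        return False
    del _outstanding[identity]  # consume the challenge so a replay fails
    return True

def authorize(identity, resource):
    # IAM also scopes what the authenticated identity may touch.
    return resource in DIRECTORY.get(identity, {}).get("resources", set())
```

The checks show the three properties the article relies on: the phone is bound to one identity, a captured response cannot be replayed, and a password is never an accepted method for these identities.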
“When technology gets smarter, better, faster and more secure, everyone wins,” said Krassowski. “Well, everyone except the attackers – but they’re the ones we want to keep from stealing our identities and stop from messing with our systems. Thankfully, we finally have a way to stop them from stealing our passwords. Namely, by not using any.”