The First Step is Always the Hardest – Passwordless is a Journey

Paul Wiederkehr
Product Marketing Manager
October 27, 2020


The most difficult step ever is the first step. It comes with doubts, uncertainties, and all sorts of fears. If you defy all odds and take it, your confidence will replicate very fast and you’ll become a master.

― Israelmore Ayivor, Leaders’ Frontpage: Leadership Insights from 21 Martin Luther King Jr. Thoughts 

Why is the first step always the hardest?  Is it a resistance to change… a fear of the unknown… or perhaps a belief that the current situation is good enough?  Taking the first step can be a challenge – we all know that. It requires a change in behavior… a change in attitude. Courageously committing to a new routine and perhaps a new path requires embracing the reality that a learning curve awaits you.  However, we know the transformation is worth any hardships we may encounter during the journey and so we take the first step. 

‘The numbers don’t lie’ – another saying we are familiar with. Statistics often uncover an amazing truth and reveal real challenges that warrant consideration and attention. 

When we consider the topic of Passwords, certainly the numbers don’t lie.  According to the Verizon 2020 Data Breach Investigations Report, 80% of hacking-related breaches leveraged weak and compromised passwords. SecureAuth’s 2020 State of Identity Report uncovered that 38% of management and 70% of non-management associates are not using unique passwords. And 34% of director level and up use a top 10 most common password (qwerty, abc123, Password, and the like) to access accounts. These numbers clearly tell us that relying on username and password to secure systems, data, and applications is a risky proposition. 

Follow the Money

Gartner has adjusted its worldwide security spending projection for 2020, showing a decrease from $3.7T in 2019 to $3.4T in 2020. And while overall security spending is shrinking, cybersecurity spending is predicted to grow by 2.4%, with 89% of all cybersecurity spending concentrated in five markets:

  • Security Services - $64,270M 
  • Infrastructure Protection - $17,483M 
  • Network Security Equipment - $11,694M 
  • Identity Access Management - $10,409M 
  • Consumer Security Software - $6,235M

It’s clear organizations are investing IT dollars to strengthen cyber-security defenses based on Gartner’s numbers. But the real issue organizations and their IT security leaders must consider is the overwhelming and widespread acceptance of username + password as a front-line defense to protect the enterprise. 

The risk to enterprise organizations is real. In July, Ponemon Institute released the results of a global study examining the financial impact of data breaches. It found that these incidents cost companies $3.86 million per breach on average, with the US having the highest average at $8.64 million.

The report also notes that compromised employee accounts were the most expensive root cause, and that 80% of these incidents resulted in the exposure of customers’ personally identifiable information (PII). When we consider the lackluster discipline users exhibit when it comes to securing, managing, and protecting passwords, it doesn’t make a whole lot of sense for businesses to put a hefty lock on the front door if the users’ keys are poorly hidden under the welcome mat.

The time is now for security leaders and their organizations to begin the move beyond username and password to better protect the enterprise. Digital initiatives and the work-from-home reality are creating the need for security leaders to adopt a new approach to securing the proverbial network perimeter. The technology is available today to enable passwordless use cases that ramp up security and improve the user experience.

So, the numbers don’t lie… the costs of a breach continue to rise, password hygiene is poor, and cyber criminals will continue with credential stuffing, password spray attacks, and other brute force tactics to take over accounts and compromise organizations. It truly is time to take the first step and move beyond username + password.

Understanding Authentication Factors

When we were young and wanted to access the neighborhood fort or tree-house we had to know the “secret password”. Of course it wasn’t much of a secret… but we were utilizing the most basic form of an authentication factor – Something you know - to comply with the security requirement. And it didn’t matter how you came into possession of the secret phrase, if you had it… you were in.  The same can be said of cyber criminals.  If they have the password, they are in.

The first step of an access control program is the identification and authentication of users. Before access to any resource is granted, understanding who is requesting access is critical. To do so, three types of factors are commonly used to identify, verify, and authenticate a user:

  1. Something you know: This is the most common factor and can be a password or a simple personal identification number (PIN). 
  2. Something you have: This factor refers to items such as a smart card or a hard (hand-held) token. 
  3. Something you are: This factor refers to biometrics such as a fingerprint, iris scan, or voice analysis.

Each of these factors, when used on its own, is single-factor authentication. Combining two or more factors is known as multi-factor authentication (MFA).

Keep in mind, combining two forms of ‘something you know’ is technically considered MFA, but it certainly is not as secure as combining two separate factors. For example, a user requesting access to your systems may use a smart card (something you have) with a PIN (something you know) to verify their identity and ultimately gain access to resources. In this example, it would be much more challenging for a cyber-criminal to have both the physical device and the correct response to a knowledge-based challenge than it would be for that same bad actor to gain possession of the answers to two knowledge-based challenges.

Multi-factor authentication, or 2FA, provides considerably stronger security than single-factor authentication when the appropriate combination of factors is deployed. And based on the risk threshold an organization assigns to different users and resources, policies can be put in place for the various MFA factors to deliver the security assurance required.

Passwordless authentication is a type of multi-factor authentication that removes the need for a password to verify identity by relying on more secure authentication factors beyond the ‘something you know’ – a password. More favorable factors include the use of devices (laptops or phones), mobile authentication apps, hardware tokens, email-to-accept, or biometrics such as a fingerprint.

Why Pursue Passwordless Authentication

Passwords create challenges for users and organizations. They are expensive for organizations to manage, with password resets conservatively costing organizations $70 per help desk call. According to Forrester, large organizations spend up to $1 million per year just to reset passwords. Compromised passwords are a persistent concern for organizations and are by far the number one means for bad actors to breach an organization. And for users they are simply a hindrance, creating inconvenience and unnecessary friction.

Eliminating the password is good for both the business and users. Moving to passwordless authentication will strengthen security, lower costs, and improve the user experience.

Passwordless authentication continues to extend its reach with different technologies deployed to deliver secure and seamless identity verification. A number of protocols and standards are now available to leverage possession, biometric, and even knowledge-based verification factors to enable the removal of passwords (such as FIDO2 WebAuthn, multi-factor authentication, Windows Hello for Business, and mobile OTP authenticators like SecureAuth Authenticate). For organizations looking to improve security and the user experience, removing the dependency on passwords is a strategy worth pursuing.

SecureAuth views access management through the lens of security.  At our core, we are a security company weaving the most comprehensive and flexible authentication capabilities into a purpose-built access management solution for our clients.  We enable our customers to create unique workflows per application, per user, or per user groups providing flexibility in how organizations authenticate customers, partners, contractors, or employee identities.

Today, many of our customers are enabling passwordless authentication for various constituencies within their ecosystems to strengthen security, generate a better user experience, and enhance the overall security profile of their organizations.  Read our white paper Making Passwordless Possible to identify the appropriate first step for your organization to begin your passwordless journey. 

Watch our webinar: Moving Beyond Passwords
