It’s time to go passwordless
22 May 2017 - The UK Government announced this month that cyber breaches are at an all-time high with just under half (46%) of all UK businesses identifying at least one breach or attack in the last 12 months. Finding a way to increase security without negatively impacting employees, partners or customers’ user experience can be a tough balancing act. Put simply, security is not on the top of users’ priority lists, especially when there is critical work to be done. Tougher password policies result in poor password hygiene (password reuse across multiple accounts, writing down passwords), password resets and increased calls to the IT help desk, all of which increase user frustration.
Passwords aren't very good at safeguarding organisations either, as 81% of hacking-related breaches leveraged either stolen or weak passwords. There have been thousands of recent documented breaches of large household names, for example the LinkedIn breach in which 160 million usernames and passwords were stolen. These credentials are then used to gain access to other sites and services, causing further harm. No matter what level of education and how strong the password policy involved, once the bad actors have a valid set of credentials they can walk in through the front door to get at assets and information.
Unless something changes, 2017 will only see more of the same. Single-factor, password-based authentication – and even many traditional two-factor authentication (2FA) approaches – are evidently no longer enough in today’s increasingly digital world. A new approach to authentication must be sought.
Forward-thinking industry professionals recognise that it is time to move beyond the password. At the end of last year, we surveyed IT decision makers and found that 83% predict that their organisations will be passwordless in five years’ time. It’s not much of a surprise that millennials are leading the trend, with nearly half (49%) believing their organisation will do away with passwords, compared to only a third (32%) of 35-54 year olds. The prodigious breaches of 2015 and 2016 have had an effect – they understand the need for a paradigm shift in authentication. In fact, IT decision makers predict their organisations will be implementing physical biometrics (49%), device recognition techniques (30%), and geographic capabilities (29%). All of these are possible through adaptive authentication techniques.
This modern approach to authentication is made possible by using something you have (such as a mobile phone) and something you are (a biometric such as a fingerprint), and layering it with risk-analysis checks. These include whether the device is familiar and trusted, whether the IP address has a good reputation, and analysis of the geographic location, among many others. The risk-analysis checks run behind the scenes, invisibly to the user, so there is no extra step for them and no compromise to security.
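The kind of background risk scoring described above, written out as an added example (not code from the article or any vendor product): each signal the article names (unfamiliar device, IP reputation, geographic location) adds to a score, and only a high score triggers a step-up or a denial. The weights, thresholds, the "impossible travel" speed check and the sample denylist are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Constructed denylist standing in for an IP-reputation feed
# (203.0.113.0/24 is a documentation range, so this never matches real traffic).
BAD_IPS = {"203.0.113.9"}

@dataclass
class Profile:
    """What the service already knows about the user (hypothetical model)."""
    known_devices: set
    last_lat: Optional[float] = None
    last_lon: Optional[float] = None

@dataclass
class Attempt:
    """One login attempt as seen by the service (hypothetical model)."""
    device_id: str
    ip: str
    lat: float
    lon: float
    minutes_since_last_login: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def risk_score(attempt, profile):
    """Sum weighted risk signals; the weights are illustrative assumptions."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += 40
        reasons.append("unfamiliar device")
    if attempt.ip in BAD_IPS:
        score += 50
        reasons.append("ip on denylist")
    if profile.last_lat is not None and attempt.minutes_since_last_login > 0:
        km = haversine_km(profile.last_lat, profile.last_lon, attempt.lat, attempt.lon)
        speed_kmh = km / (attempt.minutes_since_last_login / 60)
        if speed_kmh > 900:  # faster than an airliner: "impossible travel"
            score += 40
            reasons.append("impossible travel")
    return score, reasons

def decide(score):
    """Map the score to an action: silent allow, step-up (e.g. biometric prompt), or deny."""
    if score >= 70:
        return "deny"
    if score >= 40:
        return "step_up"
    return "allow"
```

A known device from a familiar location and clean address scores 0 and is allowed silently; a single new signal prompts for the second factor, and stacked signals are refused.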
As a result, the login experience doesn't have to be bad. Users no longer have to remember multiple passwords for different accounts that are 12 characters long and include an uppercase letter, numbers and symbols, or take the additional cumbersome step that some two-factor authentication methods demand. Forcing a user to jump through additional security hoops at every login attempt is an old method that has plagued the security industry for far too long. But recent innovations in this space mean organisations can strike the balance between strong security and great usability with secure passwordless authentication. Preventing the misuse of stolen credentials solves a business problem as well as a security problem.
The passwordless approach authenticates users with methods that are convenient to them, layering on security checks in the form of risk analysis that executes in the background. This improves the user experience and reduces the calls (and cost!) at the IT helpdesk, while maintaining a strong security posture, thwarting attackers' attempts and preventing the misuse of stolen credentials.
Modern approaches bring greater security to organisations and users, while not bothering authorised users unless there is a high risk score. This fundamentally new approach integrates with existing infrastructures to perform risk analysis and identity-based threat detection that simultaneously strengthens prevention, detects threats and works invisibly to the user. Users must buy in to help companies close the front door and avoid becoming the next mega breach in the news.
Read the entire article at theCsuite.