Author: Stephen Cox, VP and Chief Security Architect at SecureAuth, and Forbes Technology Council Member
Get ready to add the password to a list that includes overhead projectors, audio cassettes, answering machines and pagers — once indispensable technologies that are now extinct. Rob Lefferts, Microsoft’s corporate vice president for security and compliance wrote as much in a September blog post: “We are declaring an end to the era of passwords.”
Password logins aren’t quite dead yet, but recent studies indicate they are in an irreversible decline throughout the mainstream and enterprise worlds. In fact, a study my company commissioned in conjunction with Wakefield Research discovered that 69% of IT decision makers are certain that passwords will not exist in their organizations within five years.
Data breaches via compromised passwords continue to be an epidemic
The same Wakefield Study revealed that 90% of respondents have experienced the effects of a data breach resulting from a compromised password. This includes being locked out of an account, unauthorized financial transactions, and the theft of personal information and other sensitive data.
Examples are constant and only increasing in frequency:
• Hackers breached Under Armour’s MyFitnessPal app in late February 2018, compromising approximately 150 million usernames, email addresses and passwords.
• In March 2019, Facebook said up to 600 million passwords were stored in a readable format within its internal data storage systems.
• At least two health care organizations, Catawba Valley Medical Center(North Carolina) and the Minnesota Department of Human Services, were breached by a total of five phishing attacks in October 2018. Healthcare IT News has been diligently documenting the epidemic of cyberattacks in the health care sector.
• Quora, the crowd-sourcing Q&A website, announced in early December 2018 that email addresses, encrypted passwords and data imported from linked networks of approximately 100 million users may have been compromised by a “malicious third party” who gained unauthorized access to its systems.
Meanwhile, approximately 1.4 billion previously exposed passwords are freely available to anyone with access to a torrent site — not just the dark web. At Pwned Passwords, a service provided by Have I Been Pwned, you can see if your passwords are among the more than 500 billion that have been exposed in previous data breaches.
The Problem(s) With Passwords
Simply put, password-only protection and even basic two-factor authentication (2FA) are no longer enough to protect networks, systems and data. When passwords are compromised or discovered, an enterprise is susceptible to attackers simply walking through the front door. Attackers will gain access to establish a foothold, escalate their privileges and move to complete their mission: compromise and steal assets at the cost of financial damage, lost business and injury to reputation.
Even if passwords aren’t stolen, they are still a risk due to human error. It is perhaps no surprise, then, that the 2018 Verizon Data Breach Investigations Report named compromised credentials as one of the biggest causes for data breaches. Also important to note:
• Passwords are the source of 81% of data breaches.
• The average American’s email address is associated with 130 accounts.
• Roughly 7 in 10 accounts are guarded by duplicate passwords — that number rises to nine accounts for millennials.
• Forty percent of helpdesk calls are password-related.
• “123456789” and “password” are still the most popular password choices.
User frustration can lead to weakened security best practices and poor password management, resulting in enterprise vulnerability. Calls to the IT help desk in large organizations can be extremely costly, with help desk labor and user productivity adding an administrative burden. Even password-reset questions are easily overcome by attackers as knowledge-based answers, which are also often reused across multiple accounts, have been compromised in past breaches.
The horse-and-buggy was once an urban transportation necessity. Floppy disks were once a file-transfer necessity. Passwords are no longer an authentication necessity. In fact, they represent a threat to the safety of our data and personal information, a burden, and a great cost to organizations. In a passwordless world, there’s no need to remember passwords, make them more complex or constantly change them.
So, how can businesses determine a legitimate user from an attacker without passwords? And how would such a process work?
Passwordless authentication is achieved by replacing passwords with any number of advanced authentication methods combined with risk-based analysis. It combines authentication methods: a biometric (something you are), a mobile app (something you have) and multilayered risk analysis such as device recognition, IP reputation and behavior analytics. This risk analysis is largely invisible to the authenticating user, meaning maximized security is conducted without having to interfere with the user experience.
A Successful Passwordless Future
Infrastructures of organizations are complex, and while removing passwords for even a portion of a business can improve security and usability, it may not be for all enterprises. The main issue hindering widespread adoption is the age-old problem of how to change deep-seated user behaviors. Moving to alternative methods of authentication after decades of reliance on the password can be daunting and will take time.
To get started, organizations should consider the specific needs of the users that will engage with the solution and have an understanding of the systems and environments they want to protect. They will want to tailor workflows to their different user types and unique environments, which requires thinking about which authentication methods are to be used and what level of risk they are willing to tolerate. Once a strategy is in place, developing an employee training program will aid widespread adoption and position passwordless as something to be celebrated rather than reviled.
Organizations that are keen to keep the password should add additional layers of security such as strong multifactor and adaptive authentication, at the very least. Modern authentication techniques that analyze real-time metadata — such as device recognition, geolocation analysis, IP reputation and behavior analysis — will help render stolen credentials useless. It is important to realize that a password-only solution is not a secure or viable option.
With passwordless authentication, forward-thinking organizations can eliminate credential-related breaches. It doesn’t impede productivity and, when combined with single sign-on capabilities, it keeps users happy.
This article originally appeared on Forbes on June 7th 2019