Microsoft’s announcement last month that users of Office and other company software can now create passwordless login scenarios was welcome news. I think I speak for the entire computer-using world when I say this is just great.
Passwords are the bane of our existence. They really give the worst user experience of all. I’ve worked with systems that will prompt you that it’s time to change your password, which means I have to find the paper or computer file that has all my passwords and change it on that list. Then, of course, I have to remember that I changed the password. (I’m reminded when I log in with what I thought were the actual credentials but get the message back that says, “Your user name or password doesn’t match the information we have on file.”)
Some people use password managers in the cloud to save their credentials, but as we know, those managers can be hacked as well. Meanwhile, a May report by SecureAuth found that 53% of people use the same password for multiple accounts, so one breached site hands attackers working credentials for others (credential stuffing) and makes every breach more dangerous.
And of those, the most used passwords remain: “123456” and “password.” Next in popularity are “12345678” and “qwerty.” Could we make it any easier for ne’er-do-wells to gain access to our companies’ data?
In a recent article, Aviad Mizrachi, co-founder and CTO of Frontegg, makers of a user management platform for modern applications, noted that the more you ratchet up security in your applications, the worse the user experience gets. This is a conundrum in the industry. “This means that we probably want to enforce some password complexity rules for our customers to enhance security levels. Needless to say, this adds more friction into the signup and login processes, while reducing customer satisfaction,” Mizrachi noted.
In short, passwords are both poor for users and great for hackers. In fact, more than half of companies polled said they have implemented alternatives to passwords, according to a recent report, “2021 The State of Password Security,” by Cybersecurity Insiders and HYPR.
The report found that 64% cite user experience as a top reason for going passwordless, with 73% of respondents stating that a mobile-first passwordless multi-factor authentication (MFA) solution is preferred over traditional factors, such as passwords, push-based MFA, or hardware tokens.
On the security side, stopping credential-based attacks is the number one reason people say passwordless MFA is important, with 91% of respondents saying it is the primary reason. Yet, in a related finding, many “passwordless” MFA deployments still rest on a shared secret: a one-time code sent to a mobile device that must be typed into the computer to gain access, for example. Such a code is not a password, but it can be phished and relayed to the real site just as easily as one, because the server that checks it has no way to tell where the user typed it. Of respondents to the Cybersecurity Insiders survey, 61% said their ‘passwordless’ MFA solution requires either a shared secret, a one-time password or an SMS code, even as 96% of respondents consider eliminating shared secrets for authentication as “essential” (44%) or “somewhat important” (52%).
And we haven’t yet touched on the amount of time spent by service desk personnel on password issues. According to another recent report, the estimated lost productivity from password problems averages $5.2 million per enterprise annually.
According to Mizrachi, “It’s pretty clear that the future belongs to passwordless. With more and more services and platforms becoming digitalized, the password authentication model is simply not practical anymore. Embracing the passwordless trend and implementing it as a default option in self-served and multi-tenant offerings (think user management) is no longer an option. The future belongs to passwordless.”
There are numerous passwordless solutions coming to market, including facial recognition, voice, fingerprint and security keys, according to the FIDO Alliance, which creates free and open standards for authentication. In the FIDO model the biometric only unlocks a private key held on the user’s device; what the website receives is a signature over its own challenge, and neither the fingerprint nor any shared secret ever leaves the device.
In fact, of respondents to the Cybersecurity Insiders study, 36% said they are using their smartphones as a FIDO token for passwordless authentication. And, 73% said smartphones provide the most convenient method of MFA, while 17% said built-in authenticators, such as TouchID and Windows Hello, are most convenient.
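To make the difference between a shared-secret factor and a FIDO-style factor concrete, here is an added example (mine, not code from the article, HYPR, Frontegg or the FIDO Alliance). It pairs a standard TOTP check with a simplified FIDO-style exchange in which the authenticator signs the server’s challenge together with a hash of the relying-party ID, the way WebAuthn binds an assertion to its origin. The names `bank.example` and `evil.example`, the shared secret and the toy RSA signature (a stand-in for the ECDSA/EdDSA a real authenticator uses) are all constructed for the demo and not from the page:

```python
import hashlib, hmac, math, random, struct

# ---- Shared-secret factor: TOTP (RFC 6238). The same secret lives on phone and server. ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return str((int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits).zfill(digits)

# ---- Toy RSA: a constructed stand-in for the ECDSA/EdDSA keys a real authenticator holds. ----
def _probable_prime(n: int, rounds: int = 20) -> bool:
    small = (2, 3, 5, 7, 11, 13)
    if n < 2 or any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                        # Miller-Rabin witnesses
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_keypair(bits: int = 160):
    """Returns ((n, d) private, (n, e) public); n > 2^256 so a SHA-256 digest fits as message."""
    def prime():
        while True:
            c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
            if _probable_prime(c):
                return c
    while True:
        p, q = prime(), prime()
        n, phi, e = p * q, (p - 1) * (q - 1), 65537
        if p != q and math.gcd(e, phi) == 1:
            return (n, pow(e, -1, phi)), (n, e)

def _sign(priv, data: bytes) -> int:
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), priv[1], priv[0])

def _verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def _rp_hash(rp_id: str) -> bytes:                 # mirrors WebAuthn's rpIdHash
    return hashlib.sha256(rp_id.encode()).digest()

# ---- FIDO-style roles: the authenticator keeps private keys, the server only public keys. ----
class Authenticator:
    def __init__(self):
        self.creds = {}                            # rp_id -> private key, one per site

    def register(self, rp_id: str):
        priv, pub = toy_keypair()
        self.creds[rp_id] = priv
        return pub

    def get_assertion(self, page_rp_id: str, challenge: bytes):
        # page_rp_id is supplied by the browser from the origin actually asking, not by the user.
        if page_rp_id not in self.creds:           # no credential is scoped to this origin
            return None
        signed = _rp_hash(page_rp_id) + challenge  # signature covers origin AND challenge
        return _rp_hash(page_rp_id), challenge, _sign(self.creds[page_rp_id], signed)

class RelyingParty:
    def __init__(self, rp_id: str):
        self.rp_id, self.pub, self.pending = rp_id, None, set()

    def challenge(self) -> bytes:
        c = random.getrandbits(128).to_bytes(16, "big")   # use secrets.token_bytes in real code
        self.pending.add(c)
        return c

    def verify(self, assertion) -> bool:
        if assertion is None:
            return False
        rp_hash, challenge, sig = assertion
        if challenge not in self.pending:          # never issued, or already consumed: replay
            return False
        self.pending.discard(challenge)
        return rp_hash == _rp_hash(self.rp_id) and _verify(self.pub, rp_hash + challenge, sig)

def demo() -> dict:
    random.seed(7)                                 # deterministic demo keys only
    out = {}
    # TOTP: a code phished on a fake page and relayed within the same 30 s window is accepted,
    # because the server cannot tell where the user typed it.
    secret, t = b"constructed-shared-secret", 1_700_000_000
    out["totp_relayed_code_accepted"] = hmac.compare_digest(totp(secret, t + 5), totp(secret, t))
    # FIDO-style: a legitimate login works once; the same assertion replayed does not.
    bank, auth = RelyingParty("bank.example"), Authenticator()
    bank.pub = auth.register(bank.rp_id)
    a = auth.get_assertion(bank.rp_id, bank.challenge())
    out["fido_login_ok"] = bank.verify(a)
    out["fido_replay_rejected"] = not bank.verify(a)
    # Phishing: the attacker relays a fresh bank challenge to the user on evil.example; the
    # browser scopes the request to that origin, which holds no credential for the bank.
    c = bank.challenge()
    out["fido_phish_no_credential"] = auth.get_assertion("evil.example", c) is None
    # Even an assertion the user made for evil.example carries evil's rp hash and key, so it fails.
    auth.register("evil.example")
    out["fido_cross_origin_rejected"] = not bank.verify(auth.get_assertion("evil.example", c))
    return out
```

Running `demo()` returns every key as `True`: the relayed TOTP passes, while the FIDO-style assertion is accepted exactly once for the origin it was made on and nowhere else. That single property, not the absence of a typed string, is what takes the factor out of the credential-phishing and shared-secret bucket the survey respondents are worried about.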
For me, the best solution I’ve experienced is the fingerprint. I access my MacBook Pro using Touch ID fingerprint scans, and I can do just about any bank transaction I want on my cellphone by accessing my account with just my fingerprint. It’s quick, and never fails.
All I have to do is remember which finger I used.