A recent article in the Wall Street Journal (WSJ) points out that password-based authentication is no longer keeping us secure. To prevent password theft, modern platforms use familiar tactics such as requiring “complex” passwords that are frequently changed. Unfortunately, these cumbersome tactics backfire. Users work around them. They select passwords that are easy to remember and guess. They reuse the same passwords. And they write them on sticky notes.
Passwords: Yesterday's Solution
Why don't people follow the rules? Partly, it’s due to human nature. It's hard to remember a strong password. It's harder if you have to change it every few months. It's harder still if you have to remember dozens of passwords.
Compounding the problem is the fact that our digital life requires more and more authenticated relationships. This trend was in motion even before 2020 – and the pandemic has driven everyone online as never before.
In today's environment, passwords don't just create a negative user experience; they are also a drain on the economy. The obvious cause is cyberattacks. Stealing passwords is an easy, tempting attack vector for hackers, and the costs that are incurred to individuals and organizations as a result of these incidents are well known. But a subtler economic drain is lost opportunity. Many potential customers decide that they prefer in-person experiences after a few negative news stories or bad password experiences.
Enterprises also endure significant costs dealing with passwords. Whether it be forgotten passwords, lost productivity or disgruntled customers, passwords are a direct drain on an enterprise’s bank account.
The WSJ recommends replacing passwords with passphrases, which experts consider harder to guess. But “hard to guess” does not mean “unguessable.” Hackers have access to artificial-intelligence (AI) software, stolen credential databases and vast computing resources, so “guessing” is not the primary way hackers attack a password. Passphrases are, at best, a temporary workaround for the password problem.
The Secure Future: Abolish the Password
The real solution to the password problem is already here: Abolish the password. Passwordless authentication, often paired with biometrics such as facial and fingerprint recognition, is both more secure and easier to use. And the hardware to implement it has become inexpensive and ubiquitous.
Smartphone manufacturers rolled out passwordless authentication years ago in the name of ease of use. If you use facial recognition or a fingerprint to unlock your phone, you are already using passwordless authentication.
Users like passwordless authentication because it is easier and faster to use than a password, and you don't have to remember a password. Security professionals like it because it is more secure than password authentication: no password to steal. We don’t get slam dunks like this in IT security very often.
What's Holding Us Back?
With all those advantages, you might wonder why passwords are still so common. Even though the technology is available, there are challenges, and they have more to do with human nature than with technical hurdles. Users are wary of change, regardless of the upsides, especially if they have invested time in learning to manage passwords. And people naturally worry about sharing personal information.
Organizations are also often wary of change. Enterprises run applications of many types, on premises, cloud-hosted, and software as a service (SaaS). They don’t want to create a disjointed user experience. This means all systems must transition at the same time. This requires expert management – and a big investment. No organization takes on this magnitude of change lightly.
How to Move Forward
For a successful passwordless transition, you need expert change management. The user's workflow must be well thought out, clear, and functional throughout the transition. The end result should be a better, more secure experience for all users. The learning curve needs to be smooth and short. The new workflow should be thoroughly tested across all apps and services and from all devices.
Fortunately, the required investment is vastly lower than even just a few years ago – largely because of new open standards such as Web Authentication (WebAuthN). There is no need to develop bespoke solutions for each service and platform because you can take advantage of widely adopted, mature standards.
These standards also make passwordless authentication more secure. Past implementations required systems to store biometric data on a central server. A server compromise could be profitable for hackers, and disastrous for the public. With WebAuthN, biometric data stays on the user's own device. The only thing sent to a central server is an encrypted key. When paired with biometric sensors or high-quality cameras, this creates a powerful, self-contained passwordless authentication device. For a hacker, breaking into a single user's device is too difficult and not worth the effort.
As the WSJ article shows, password-based authentication can no longer meet the needs of the twenty-first century economy, and that fact is now drawing attention outside the IT security community. That awareness is spreading. True data security will become more and more elusive until we get rid of user-managed passwords.
Customers will like passwordless authentication. Enterprises will benefit from the increased security and reduced costs of not having to manage passwords. Even though it requires a shift in mindset for both enterprises and consumers, the return on investment (ROI) is high. Passwordless authentication can increase customer satisfaction and retention, and prevent cybersecurity disasters.
Click here to learn about ForgeRock’s passwordless authentication technology.