Back in 2004, during the RSA Security Conference, Bill Gates—then CEO of Microsoft—predicted the demise of passwords. “There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure.”
While Gates’ general observations were true, password usage has actually increased since then, and the problems with passwords continue. Passwords provide some level of user authentication and security, but they are easily compromised. An effective authentication policy balances two factors: security and user experience. When an organization focuses solely on strong security, its security program is doomed to fail, because users will always find workarounds to circumvent a security policy, however strict it is. On the other hand, focusing only on user experience is a recipe for disaster.
Passwords still proliferate because they are a relatively easy authentication solution: they are cheap, and they require no special skills to create. But they should never be the only means of authenticating users.
Passwords are Bad for your Security!
According to Verizon’s Data Breach Investigations Report, 81% of hacking-related breaches were a result of weak, stolen or reused passwords. Threats like man-in-the-middle and man-in-the-browser attacks take advantage of users by mimicking a login screen and encouraging the user to enter their password. It is even more unsafe in the cloud. Login pages hosted in the cloud are completely exposed, enabling a bad actor to carry out phishing or brute-force attacks against publicly known login pages like outlook.com. Not surprisingly, the Thales 2020 Access Management Index-Europe and Middle East Edition shows that only 29% of businesses rate passwords as an effective means of protecting their IT infrastructure.
To combat this weakness, organizations resort to strong password policies, requiring employees to have passwords that are complex—long jumbles of random characters that don’t even attempt to emulate an actual word—and that every password for every account must be unique. That is a very high bar to ask people to meet. So long, user experience.
Policy-driven password complexity and rotation requirements lead to password fatigue, which in turn contributes to poor password management. Verizon’s Data Breach Investigations Report indicates that over 70% of employees reuse passwords across work and personal accounts. A malicious actor who obtains an employee’s credentials from one breach could therefore reuse them to access other applications and sensitive customer information.
People also tend to pick easy-to-guess passwords because they struggle to remember them. An analysis of over five million leaked passwords showed that 10% of people used one of the 25 worst passwords, and 7% of enterprise users had extremely weak passwords.
Couple these password risks and vulnerabilities with the inherent human bias against evaluating threats that lie outside our physical world (unless we have already been the victims of malicious activity), and it is easy to understand that it takes more than a World Password Day to build effective authentication habits.
Get Rid of Passwords, Embrace Passwordless Authentication
To every problem there is a solution, and luckily technology has progressed enough that we no longer need to rely on passwords. It is time for a strong authentication solution that meets the increased security demands of the modern business. According to the Thales 2020 Access Management Index-Europe and Middle East Edition, 96% of respondents believe strong authentication and access management solutions can facilitate secure cloud adoption, and 70% plan to utilize passwordless authentication methods. Simply put, the time has come for passwordless authentication.
Passwordless authentication replaces passwords with other methods of identity validation, improving both assurance and convenience. This type of authentication has gained traction because of its significant benefits in easing the login experience for users and overcoming the inherent vulnerabilities of text-based passwords. These advantages include less friction, a greater level of security for each application and—best of all—the elimination of the legacy password.
There are various layers of passwordless authentication that offer increasing levels of security. Which model an enterprise implements depends on the level of identity, authentication and federation it wishes to apply, based on its business and security risks and the sensitivity of the data to be protected.
In fact, Gartner predicts that by 2022, 60% of large and global enterprises, along with 90% of midsize enterprises, will implement passwordless authentication methods in 50% of cases. This would be an increase from fewer than 5% today.
Happy Passwordless Day!
To answer the headline question: no, we should not eliminate World Password Day. Yes, we should rename it World Passwordless Day, to encourage people and organizations to abandon weak and bad passwords and instead embrace adaptive, passwordless authentication mechanisms suited to the perimeter-less nature of modern business.
To find out how giving up passwords can make you more secure, read more about Passwordless Authentication.
Danna Bethlehem Coronel
Director Product Marketing Identity and Access Management (IAM)