Passwords have been the cornerstone of online security for decades. Almost any system, app, or device we access is dependent on passwords to log in. But there’s a problem with passwords, and we need to stop relying on them.
This World Password(less) Day, we spoke to Alex Cox, security and cyber threat intelligence expert, and David Turner, FIDO Alliance Senior Director of Standards Development, about the why and how of our journey to a passwordless future, and how your organization can begin solving the password problem.
The problem with passwords
The internet wasn’t born with passwords. Security was an afterthought. As the internet evolved and grew, people needed a way to safeguard and secure information from being accessed by anyone who wasn’t meant to have it. The internet of today has the same problems - the need for secure access - but on a much larger scale. The average user can have over 100 logins. While password hygiene demands unique passwords for each of these accounts, the reality of password usage is much different. With that many passwords to remember, employees will use shortcuts to make things easier, which is why people tend to reuse passwords across multiple accounts or use roughly the same passwords with only slight changes or variations. This means if any of the accounts are compromised, then all the accounts that use that password are at risk. “The bad guys are very aware of password reuse.” - Alex Cox, LastPass Director of Information Security Social engineering also makes password theft easier than ever. Bad actors know that people tend to use something familiar or from their own life when creating passwords and can glean worlds of information from social media accounts and other web activity. If you have pictures of your pets online and you also use their names as part of your password protection, it might only be a matter of time before someone accesses your account. . The threat landscape is evolving on a daily basis, and sometimeseven professional cybersecurity experts can have trouble recognizing a modern phishing attack, a top social engineering tactic. “Hackers don’t hack, they log in.” - David Turner, FIDO Alliance Senior Director of Standards Development The solution to the password problem? Eliminate passwords altogether.Why go passwordless?
Passwordless is the smarter security option. But there are benefits for businesses and users that go even beyond that. While organizations can implement stronger security standards and protect assets, data, users, and customers, reducing overall vulnerability, they can also benefit from:- Less time spent on password security management, which reduces the burden on IT departments, as password resets and management take up a significant amount of time and resources.
- Reduced time and cost spent on security education and training
- Seamless security experience for both IT and users (think maximum security with minimal effort)
- Increased productivity, less time lost to managing passwords and gaining access
- Better employee experience. In one Gartner survey, 64% of participants said a passwordless world would allow them to manage all their accounts with ease, and 40% would feel “more relaxed” overall.
Transitioning to a passwordless future
The experts agree: passwordless will not happen overnight. True passwordless access to every site, across every device, browser, and site, through the FIDO2 standard will take years to achieve. It’s a complex journey that requires support and development efforts from millions of technology providers. But the passwordless push has already started. There are several ways that organizations are already moving away from passwords for every login or password-only authentication.- Password managers: Password managers can reduce the number of passwords that employees have to keep track of or create down to one - the master vault password. Every password can be generated to meet minimum security criteria and stored to make login more streamlined for users.
- Single sign-on (SSO): You can also reduce the number of passwords being used by implementing SSO. SSO gives authorized employees or users access to applications with one set of login credentials, based on a users' identity and permissions.
- Multifactor authentication (MFA): MFA is a second layer of protection to password security - an authentication point that verifies a user's identity before granting them access, enabling passwordless login. MFA factors can include mobile device push notifications for iOS and Android authenticator apps, biometric access like face and fingerprint scan, voice recognition, SMS codes, or one-time use passwords.
- Physical keys: A security key, like a YubiKey, is another form of MFA - a piece of hardware like a USB that a user has and uses alongside their device, like a phone or laptop. Because there’s only one physical key per userit provides more secure access.
- Passkeys: Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing-resistant.
