Are the days numbered for ‘123456’? As Microsoft further nudges the world away from passwords, here’s what your organization should consider before going password-free.
For such a clumsy sounding word, “passwordless” actually promises to make life a lot easier – for both users and security teams. It offers the tantalizing prospect of cutting admin costs, enhancing productivity and reducing cyber-risk. And yet, despite these eye-catching benefits, uptake in both business-to-consumer (B2C) and business-to-business (B2B) environments has not been as strong as one might have expected.
However, when the world’s biggest software company decides to back a new technology approach, it’s time to take notice. Microsoft described passwords as “inconvenient, insecure, and expensive” some time ago; in March of this year it introduced passwordless authentication for business customers, and in September it announced that it would extend support to all users. You might say that the era of passwordless authentication is finally here.
When passwords are no longer fit for purpose
Passwords have been around for about as long as computers. Their demise has been predicted many times. And yet they’re still here, securing everything from corporate applications to online banking, email and e-commerce accounts.
The problem is that we now have far too many of these credentials to manage and remember. One estimate suggests that 57% of US workers have scribbled corporate passwords on sticky notes. And the number of credentials keeps growing as our digital footprint expands: one October 2020 estimate puts the average person at around 100 passwords, nearly 25 percent more than before the pandemic began.
From a cybersecurity perspective, the challenge with passwords is well documented. They give attackers a target that is increasingly easy to steal, guess, phish or brute force. Once in possession of valid credentials, threat actors can masquerade as legitimate users, walking past perimeter defenses and staying hidden inside corporate networks for far longer than they otherwise could. The average time taken to identify and contain a data breach today stands at 287 days.
Password managers and single sign-on offer some redress: a manager stores and recalls a unique, complex password for each account so users don’t have to, and single sign-on cuts the number of credentials a user needs in the first place. But neither is universally popular among consumers. The result? We reuse easy-to-remember credentials across multiple accounts, exposing consumer and corporate accounts alike to credential stuffing, password spraying and other guessing attacks.
It’s not just about security risk either. Passwords require significant time and money for IT teams to manage, and may add extra friction to the customer journey. Breaches may require mass resets across large volumes of accounts, which can interfere with the user experience in B2B and B2C environments.
How passwordless can benefit your business
In this context, passwordless authentication offers a major leap forward. By replacing the static password with an authenticator app, a biometric such as facial recognition, a security key, or a one-time code sent via email/SMS, organizations can remove in one go the stored credential behind most of the security and admin headaches.
By adopting this approach for B2B and B2C operations alike, organizations can:
- Enhance the user experience: By making log-ins more seamless and eliminating the need for users to remember their passwords. This could even drive improved sales if fewer shopping carts are abandoned due to log-in issues.
- Improve security: If there are no passwords to steal, organizations remove a key vector for compromise. It’s claimed that passwords were to blame for 84% of breaches last year. At the very least, you’ll be making the bad guys work a lot harder to get what they want. And credential stuffing attacks, currently attempted in their billions each year, would have nothing to work with.
- Reduce costs and reputational harm: By minimizing the opportunities for financially damaging ransomware and data breaches. It will also reduce the IT admin costs associated with password resets and incident investigation. One report claims this could cost as much as £150 ($200) per password reset and 30,000 hours in lost productivity per year. That’s not to mention the extra time freed up for IT teams to spend on higher-value tasks.
What’s holding passwordless back?
However, passwordless is not a panacea. There remain several barriers to adoption, including:
- Security is not 100% assured: SIM swapping attacks, for example, can help threat actors circumvent one-time passcodes (OTPs) sent via SMS, and any code a user has to type can be phished and relayed in real time, just like a password. And if hackers can access devices/machines, for example via spyware, they could also intercept OTPs.
- Biometrics aren’t a silver bullet: By authenticating with a physical attribute that the user can’t change or reset, the stakes become much higher if attackers find a way to hack the system. Machine learning techniques are already being developed to undermine voice and facial/image recognition technology.
- High costs: SMBs with a large user or customer base may find that rolling out some passwordless technology ends up being fairly expensive, not to mention the potential cost of issuing replacement devices or tokens, if applicable. Using an established provider like Microsoft makes more sense, although there will still be an internal integration cost.
- User reluctance: There’s a reason why passwords have stood the test of time, despite their major security shortcomings: users know instinctively how to use them. Fear of the unknown is easier to overcome in an enterprise setting, where users have no choice but to follow the rules, but in a B2C world it could create enough extra friction to put customers off. Care must therefore be taken to make the log-in process as seamless and intuitive as possible.
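To make the benefits list and the OTP caveat above concrete, here is a small model of what a security-key (FIDO2/WebAuthn-style) login looks like from both sides. It is an added illustration, not code from the original article and not Microsoft's or any vendor's implementation. It goes slightly beyond the text's SIM-swap example by also showing a real-time relay: the origin names, the user "alice" and the attacker's key are constructed for the demo, and the origin-binding, single-use-challenge and public-key-only storage properties are modelled with plain Ed25519 rather than the real WebAuthn message formats.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Server is the relying party. It holds only public keys, so a dump of its credential table gives an attacker nothing to replay, guess or stuff.
type Server struct {
	origin     string
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte // one outstanding, single-use challenge per user
}

func NewServer(origin string) *Server {
	return &Server{origin, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// IssueChallenge hands out a fresh 32-byte nonce, replacing any earlier one.
func (s *Server) IssueChallenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // no usable entropy: nothing sensible to do but stop
	}
	s.challenges[user] = c
	return c
}

// Verify accepts a signature only over this server's origin and a challenge it actually issued, then consumes the challenge so a captured assertion cannot be replayed.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	pub, ok := s.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	want, ok := s.challenges[user]
	if !ok || !bytes.Equal(want, challenge) {
		return errors.New("unknown, stale or replayed challenge")
	}
	delete(s.challenges, user)
	if !ed25519.Verify(pub, signedPayload(s.origin, challenge), sig) {
		return errors.New("signature does not verify for this origin")
	}
	return nil
}

// signedPayload binds a challenge to the origin the signer believes it is on (the same idea as the origin field in WebAuthn's clientDataJSON).
func signedPayload(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	return append(h[:], challenge...)
}

// Authenticator stands in for a security key or platform authenticator; the private key is generated on the device and never leaves it.
type Authenticator ed25519.PrivateKey

func NewAuthenticator() (Authenticator, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Authenticator(priv), pub
}

// Sign signs for the origin the browser is actually on, so a device driven by a phishing page produces an assertion for the phishing origin, not the real one.
func (a Authenticator) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(ed25519.PrivateKey(a), signedPayload(origin, challenge))
}

// Scenarios runs four login attempts and reports which ones the server accepts.
func Scenarios() map[string]bool {
	const realOrigin = "https://login.example.com" // constructed origin for the demo
	srv := NewServer(realOrigin)
	dev, pub := NewAuthenticator()
	srv.pubKeys["alice"] = pub // registration: the server keeps only the public half
	out := map[string]bool{}
	// 1. Genuine login: fresh challenge signed for the real origin.
	c := srv.IssueChallenge("alice")
	sig := dev.Sign(realOrigin, c)
	out["genuine"] = srv.Verify("alice", c, sig) == nil
	// 2. Replay: the same captured assertion presented a second time.
	out["replay"] = srv.Verify("alice", c, sig) == nil
	// 3. Relay phishing: a real challenge forwarded through a constructed attacker origin.
	c2 := srv.IssueChallenge("alice")
	out["relay_phish"] = srv.Verify("alice", c2, dev.Sign("https://login-example.evil.test", c2)) == nil
	// 4. Stolen credential table: the attacker holds only alice's public key.
	c3 := srv.IssueChallenge("alice")
	_, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	out["stolen_db"] = srv.Verify("alice", c3, ed25519.Sign(evilPriv, signedPayload(realOrigin, c3))) == nil
	return out
}

func main() {
	fmt.Println(Scenarios()) // map[genuine:true relay_phish:false replay:false stolen_db:false]
}
```

Compare this with an SMS or email OTP: the code is a short secret that the user types into whatever page is in front of them, so a relay page or a swapped SIM gets a usable credential. Here the only thing that leaves the device is a signature tied to the origin and to a nonce the server will accept exactly once, and the only thing the server stores is a public key.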
As the post-pandemic era begins in earnest, two trends will shape the future of passwordless adoption: a surge in the use of consumer online services and the emergence of the hybrid workplace. With the mobile device at the center of both, it would seem to make sense that any corporate passwordless strategy start here.
written by Phil Muncaster, ESET We Live Security