I spent some of the weekend catching my kids up on the Harry Potter movies. It may sound odd, but as we watched the magical movies, I was reminded about why passwords are security risks.
In Harry Potter and the Sorcerer's Stone, Hogwarts is referred to as "the most secure institution in the wizarding world." It's even claimed to be "safer than Gringotts Bank," which is guarded by watchful goblins. This is why it's absolutely shocking that for security, Hogwarts uses...wait for it...passwords. Yes, passwords! Need proof? Watch this video clip.
This painting asks the students for a password to enter the Gryffindor common room, without even looking around to see if there's a Slytherin student snaking around the shadows. In a world where a second factor would be extremely easy to implement, it seems quaint and outdated to not have the painting verify the identity of the students in any way beyond a decidedly less-than-secure password.
In our world, we don't yet have talking paintings that can verify users or look around the room for potential attackers. But we do have multi-factor authentication that can verify your fingerprint or device ownership, and we can also rely on contextual authentication that can authorize you based on passive data like your location. These additional factors move you beyond the outdated world of simple passwords.
It's no wonder that Hogwarts got attacked by Death Eaters. Don't let the same thing happen to your enterprise. Get rid of passwords.