a good thing!
This year marks the 8th anniversary of World Password Day, a holiday recognized each year on the first Thursday of May. World Password Day was established to improve the security of your organizational resources and personal information by promoting safer password practices like:
Making your password at least 15 characters in length
Adding special characters
Using a phrase instead of an easily guessed word or number
Changing your passwords frequently
Not reusing passwords
Not writing them down
Setting aside a special day to reinforce security best practices was a good idea back in 2013 and it still is today. After all this time, passwords continue to pose security risks to individuals and organizations. Since the start of the pandemic, one in 10 Americans have been victims of identity theft. And roughly eight in 10 corporate data breaches are due to stolen credentials. So instead of focusing on ways to make passwords stronger, it’s time to change the narrative around World Password Day altogether.
As technology, use cases and access management requirements evolve, security risks and bad actors are keeping pace. Promoting safe password practices is no longer the answer; eliminating passwords altogether is.
It’s time for the security industry to come together and put a stake in the ground that passwords are just too risky. Strong passwords and password managers are band-aid solutions. To defend against today’s security risks, we need to promote passwordless adoption instead.
While many organizations have only dipped their toes into passwordless use cases, the movement toward passwordless is inevitable. On the consumer side, it’s already taking hold as mobile capabilities like biometric authentication and facial recognition have become commonplace.
Given the problems with passwords, there’s little if any disagreement that a more user-friendly and secure way of verifying identity is needed. Passwordless authentication exists specifically to maintain or improve security by reducing or eliminating password usage, providing a clear and safe way forward. So what are the key obstacles standing in the way of a passwordless world? I did an informal survey of our Ping leadership team to learn what they’re hearing from customers and seeing in the market. Here’s what they had to say.
“Passwords are pervasive. They’ve been embedded in every app since the beginning of time.”
—Andre Durand, Founder, CEO
“Passwords are like fast food: cheap and easy. And the pain and suffering they produce only manifests through use over time.”
—Patrick Harding, Chief Product Architect
“Quitting passwords is like trying to housebreak a 30-year-old dog. We built our systems with the easiest available option for decades: an account and a password. And we trained every human being that interacted with the digital world to use them exclusively. Getting rid of passwords means cleaning up a whole lot of messes.”
—Richard Bird, Chief Customer Information Officer
“Passwords… why can’t I quit you? Because old habits are hard to break. Passwords are ubiquitous because they are familiar and inexpensive to implement, and technology is only recently presenting more widely accepted, cost effective and user-friendly alternatives. Plus, change is scary as well as confusing. Existing apps, systems and technical debt aren’t conducive to rapid passwordless adoption.”
—Aubrey Turner, Executive Advisor
Simply put, passwords, although far from secure, remain the de facto method of authentication because they are familiar and widely accepted. Decreasing reliance on them involves many different stakeholders beyond your IT security organization, including employees, customers, application developers and really anyone else who needs access to that particular app or technology. So lacking widespread support for this change, the transition to passwordless will be an uphill battle.
Furthermore, most people are inherently wary of change, especially if there are costs associated. But there are also many risks and costs that come with continuing to rely on passwords as your primary defense against growing security threats. Knowing this, the first step to a passwordless future is shining a light on these very real risks and the equally compelling advantages of making a change.
You’ve heard the saying that money talks, and that’s a great place to start when making your business case for passwordless. It’s the rare organization that isn’t motivated to prevent financial loss. Yet, a security posture that relies on passwords creates unnecessary vulnerabilities to threats like data breaches, theft and misuse of intellectual property, unauthorized transactions, regulatory non-compliance and more. Of course, these risks also come with associated costs both direct and indirect, and even potentially hefty fines.
In customer-centric organizations, passwordless also provides a means of delivering seamless digital experiences. While passwords may be “how things have always been done,” they add friction and frustration to the customer journey. A poor login experience or overly complicated password policy can lead to a failed registration, an abandoned purchase or a lost customer.
The path to passwordless begins with implementing single sign-on (SSO), which immediately reduces the number of passwords in use by giving users the ability to use a single set of credentials to gain access to the resources they need.
The next step is adding multi-factor authentication. By moving beyond passwords alone to add additional authentication factors (something the user knows, has or is), MFA provides a greater level of assurance that a user is who they claim to be.
The next step is implementing device-based authentication. By relying on users’ devices and readily available technologies like biometrics for authentication, you’re able to steer clear of password vulnerabilities and verify user identity with greater assurance.
Ultimately, you want to implement continuous risk assessment to deliver the seamless experiences users want. Assessing risk dynamically and/or continuously lets you identify changes in a user’s behavior throughout their session based on various risk signals like changes in geolocation, IP address, device posture and more. This monitoring happens in the background and is frictionless to the user unless or until a certain risk score is triggered, at which time policy can be used to either require step-up authentication or deny access altogether. With dynamic and continuous risk-based authentication, you can deliver the experiences users want without compromising security.
To move beyond password reduction to true passwordless authentication requires FIDO (Fast Identity Online). The first open identity standard created specifically to support passwordless authentication. FIDO uses public key cryptography to provide simpler, safer authentication without the use of passwords.
FIDO allows you to shift authentication entirely to the user device, relying on biometric authentication like facial recognition and iris scans. The device then communicates with the service provider via public key encryption that the user has authenticated. Because credentials don’t leave the user device, nor are they stored on the server side, the threats of phishing and man-in-the-middle attacks are greatly reduced.
While the benefits it presents are clear, FIDO adoption hasn’t yet reached critical mass. According to Andre, FIDO will only see adoption and success if it is a strategic organizational investment. Richard explains, “The biggest obstacle to FIDO adoption—or the adoption of any advanced authentication capability—is the required business process change. We need to remember that our business and application owners have actually built the inefficiency of passwords into their systems. Taking away a password could cause call center queues to spike, order flows to change and risks between applications and processes to materialize.”
Patrick points out that more device platforms must also adopt FIDO. “Without systems that support FIDO and FIDO-certified products, buyers may be concerned about vendor lock-in,” Aubrey adds.
It’s true that FIDO requires significant change across organizations, from development to organizational security and, yes, even to call centers because it will require a new process for account creation, recovery and resets. Yet even as FIDO goes through a chicken-and-egg moment as it strives to become mainstream but companies hesitate to move forward until they see widespread adoption first, everyone agrees that a passwordless future is both inevitable and well worth the effort.
As another World Password Day comes and passes, it’s time to stop talking about how we can strengthen passwords and start prioritizing simpler, more convenient and more secure options.
Passwordless is the way forward, and ease of use is essential for passwordless solutions to gain a foothold. The growing familiarity with and use of QR codes and biometrics during the pandemic—for everything from accessing restaurant menus to making contactless payments—provide a perfect springboard for passwordless initiatives.
At Ping, we’re helping the world’s largest and most complex organizations remove password risk, strengthen security and deliver seamless user experiences by going passwordless. So we know firsthand that every organization has to chart its own course. To get started on yours, watch this webinar.
For more information on Ping’s passwordless capabilities, visit PingZero.