Passwords help us validate our online identity and access our favorite apps for banks, social media, travel websites, business productivity, and more, every day. However, passwords have also long been the Achilles' heel of our online lives. From being responsible for over 80% of all hacking-related breaches to costing millions of dollars for e-commerce giants and IT enterprises, they’ve been the undisputed nemesis of cybersecurity. No one loves passwords except for those wanting to exploit them. Your help desk agents loathe them, and your security teams despise them. Tech firms like Microsoft, Apple, and Google have made constant attempts over decades to create a passwordless world, but this dream is still believed to be at a nascent stage, and there’s good reason for this belief.
Why is it so difficult to eliminate passwords? How close are we to a passwordless world? Let’s look at where things stand.
Passwords: What are they good for?
Absolutely noth— wait, hold on!
As troublesome as they can seem, passwords offer a simple solution for an array of problems. From a service provider’s perspective, they’re one of the easiest and most cost-effective ways to implement identity and access management. They’re also easy for non-tech-savvy users to adopt, making them universally acceptable. Additionally, passwords do not require the latest hardware technology or sensors to function, unlike biometrics and token-based authentication. This makes life easy for non-smartphone users, who account for 1 in 5 people in advanced economies and 2 in 5 in growing economies.
Passwords also facilitate effective collaboration within teams that rely on shared accounts for services like social media or banks to perform their daily tasks. In the IT environment, it gets more complex, because accounts on servers, databases, or network devices are not tied to any particular user. When the authentication factors of these accounts are tied to a unique device, collaboration can become difficult.
Biometrics: An able replacement for passwords?
A touch too secure?
Biometrics aren’t a foolproof mechanism, and there have been unaddressed privacy and safety concerns around them. For example, a compromised password can easily be replaced, but when one’s personal information such as fingerprints and facial details gets compromised, there’s no back-out plan. There have been several instances where people have gained unauthorized access to mobile phones by merely using pictures of the owners in place of their actual faces.
Additionally, while they can grant or deny access to your data, biometrics cannot encrypt the data on their own and would ultimately require a password, PIN, or passcode to do so in the background. Similarly, universal authentication can be a problem when you lose or misplace the device tied to your biometrics, as well as during SIM-swap fraud. Here’s a hilarious, yet real-world passwordless scenario from Jimmy Fallon on The Tonight Show.
Microsoft will no longer require users to enter a password to access their accounts. Instead, they'll have to use an app, a verification code or facial recognition. Check it out ⬇️ pic.twitter.com/9I379X0MZL
— The Tonight Show (@FallonTonight) September 17, 2021
This brings us to the next question: Can we ever adopt passwordless authentication? We sure can.
The passwordless future
While biometrics can have their cons, their benefits often outweigh the downsides. Despite their susceptibility to external threats, the difficulty and cost involved in orchestrating an attack to obtain biometric data are significant, making them a safer option. For example, all an attacker would require to exploit a stolen password is merely a keyboard and the password dump from the dark web. However, to exploit biometric data, an attacker would have to obtain the user’s biometric data, spoof it, and also bypass the biometric capture device.
Although it’s impossible to eliminate passwords altogether, especially from legacy systems, it’s clear that passwordless is the way to go. Research firm Gartner recommends businesses take up passwordless authentication as one of their top security projects for 2021 in order to eliminate passwords wherever possible. Gartner also predicts that 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases by 2022.
Businesses can also implement cost-effective means of passwordless authentication through single sign-on (SSO). Using single sign-on, businesses can eliminate password fatigue within their organization, improve their overall user productivity, and reduce help desk costs.
Bottom line: Passwords complement passwordless authentication
An ideal world would be devoid of passwords and attackers, but we don’t live in that world yet. Thus, it’s important to protect the passwords we continue to manage and to switch to passwordless authentication wherever possible to minimize the password-based threats an enterprise may encounter. The future could very well be passwordless, but for now, it’s just as important to protect our passwords as it is to adopt passwordless authentication.
If your business is just getting started, you could benefit from adopting a password manager like Zoho Vault. Vault acts as a password management solution that also offers passwordless single sign-on for business applications. Get in touch with our experts to learn how your enterprise can devise a combat strategy to protect your critical passwords.