Why Are You Still Using A Password?

IT professionals around the world agree: passwords are a relic of the past.

The costs now outweigh the benefits of using passwords. They’re increasingly predictable, easily phishable, and leave users (and businesses) vulnerable to theft.

It’s common practice for IT to try to lessen password risk by demanding stronger passwords and frequent changes, but these demands drive up IT help desk costs and lead to poor user experiences. More importantly, this approach isn’t enough for today’s cybersecurity threats and doesn’t deliver on organizational information security needs.

Eliminating passwords would be a dream come true for most enterprise IT organizations, who spend an enormous amount of resources every year on password support and maintenance. But how do you get there?

81% of hacking-related breaches used either stolen or weak passwords.

Source: Verizon 2017 Data Breach Investigations Report

You can reduce your odds of being compromised by up to 99.9% by implementing multi-factor authentication (MFA).

Source: Microsoft 2018 Security Research

Why Eliminate Passwords?

In an evolving enterprise security landscape, password authentication has always been challenging. A password is supposed to provide a security barrier to protect accounts from attackers, but modern attackers are skilled at using phishing and other social engineering attacks to steal passwords from account owners with minimal effort required.

To distinguish between the account owner and the attacker, organizations have needed to move beyond using just passwords for protection. Multi-factor authentication (MFA)—for instance, a PIN and password, or biometrics—has presented a more secure method for account access. Forward-thinking IT teams now add multi-factor authentication options like smart cards, hard and soft tokens, SMS authentication and more, wherever users connect to resources.

However, depending on how it’s implemented, MFA can also lead to user experience issues. It’s imperative for IT teams to deliver a seamless user experience while balancing security risk, or users will simply work around whatever security protocols are put in place.

Today, IT security pros are moving toward password-less authentication using advanced technologies like biometrics, PINs, and public/private key cryptography. Plus, new standards like the Web Authentication API (WebAuthn) and Fast Identity Online (FIDO2) are enabling password-less authentication across platforms. These standards are designed to replace passwords with devices that people in your organization already use, such as security keys, smartphones, fingerprint scanners, or webcams.

Password replacement options can help organizations provide convenience and ease-of-use without increased security risks. Ideally, with password-less authentication, you can create an ecosystem of authentication that meets organizational needs, including security and privacy, usability, and interoperability among different authentication devices.

If you do it right, end-users should never have to deal with passwords in their day-to-day lives. And, with an intuitive sign-up and sign-in user experience, help desk costs can be greatly reduced.

Quadrant diagram showing that passwords plus two-factor authentication is secure but inconvenient, traditional passwords are convenient but insecure, and password-less authentication is both secure and convenient

Adopting a Password-less Strategy

At its core, the underlying principle of password-less authentication is to eliminate the use of passwords, draining their value for attackers. Adopting this approach requires technologies that can support it—and time for organizations and users to adopt these technologies.

Adoption also requires a new mindset. Organizations have to make the necessary technical and cultural shift so that users can operate in this new password-less world. Here are the key considerations for implementing password-less authentication into your MFA strategy:

1. Choosing the right technology: Develop password-replacement offerings with a new set of alternatives that address the shortcomings of passwords while embracing their positive attributes. This early stage is about implementing an alternative and getting users acquainted with it.

2. Understanding how it works: Get to know how password-less technologies overcome security challenges and reduce the user-visible password-surface area. Adopting these technologies means upgrading experiences at natural stages of a user’s identity lifecycle, including account provisioning, setting up a new device, using the account/device to access apps and websites, and enacting recovery. It also means getting users accustomed to not providing a password any time a password prompt shows on their computer.

3. Increasing user adoption: Simulate a password-less world by enabling end-users and IT admins to replicate the approach in a test environment. Then, transition into a password-less world with confidence. This simulation should encourage a cultural shift within the organization—getting users comfortable with the idea of never typing, changing, or even knowing a password going forward.

Next on the Blog: 3 Key Considerations for Password-less Protection

In our next post, we’ll investigate the 3 key considerations for implementing MFA and other password-less authentication measures in your organization: choosing the right technology, understanding how it works, and increasing user adoption.


This blog post is adapted from the Microsoft whitepaper Password-less Protection with permission from Microsoft.