​The passwordless future is here

Passwords can be obtained via phishing, social engineering, device compromise, brute force (guessing) or as a result of poor user behaviours like using the same password on multiple sites/systems or the dreaded Post-it Note. Passwordless authentication using biometrics, one-time codes generated through apps and other methods will continue to increase in adoption.

With data breaches now resulting in billions of username/password combinations being accessible, all businesses and public entities will be looking for ways to better manage identity and access management in 2022. Bolstering privileged account management and other authentication related systems and resources and moving away from passwords will be a major priority for organisations.

Passwords have been the bane of everyone from system administrators to technology users since the dawn of the computer age. There are stories, perhaps apocryphal, about missile silos in countries with nuclear weapons, having systems secured by little more than a six-digit code, just a string of the same six numbers. Over recent years, the challenge of making passwords more secure has only led to increased complexity for users and more work for IT admins having to enforce more complex rules and resetting passwords.

During the pandemic the problem has been exacerbated by the need to remotely onboard and offboard staff. The old days of the IT team giving you a one-time password on a Post-it Note are well behind us. Organisations have adopted complex password rules to try to protect their data, but even the person who created them for NIST has said he regrets them and wishes he’d spent more time on a better approach.

Passwords are more than just an inconvenience. Blair Crawford, co-founder and managing director of biometric digital identity specialist Daltrey, said the costs of using passwords are staggering. “It’s estimated that 80% of data breaches start with the exploitation of a weak or stolen password,” he said.

But it’s not just the threat of a breach that’s keeping information security officers up at night. “The World Economic Forum pegs almost half of IT help desk costs to password resets. And with almost 600 password attacks every second according to research from Microsoft, the cost of managing passwords and managing the fallout from a password-led attack are enormous,” he said.

But, there is a way forward. Already, we’ve seen multi-factor authentication become accepted with users becoming accustomed to using some factor like a one-time six-digit code, other than a password, to access a device or service. So, the good news is that moving from password-based security to a passwordless future is something users are increasingly ready for. Every major operating system in use today supports biometric authentication through facial recognition, fingerprints and other methods.

Gartner predicts that 60% of large, global enterprises and 90% of mid-size enterprises will implement passwordless methods in more than 50% of use cases by 2022. That means many businesses are either already passwordless or well on the way to that destination.

Making the move from passwords can be done in several ways. Many organisations have begun to embrace tools such as password managers that automatically generate complex passwords and enter them as needed without users needing to know them. Single sign-on systems are achieving similar outcomes with users only needing one password to be authenticated for multiple systems. And authenticator apps are also commonly used to provide one-time access codes.

All these systems accomplish stronger authentication of users, without adding complexity or being a burden. When security is done well, it’s like the umpire at a sporting game: you know it’s there but it doesn’t stop you from enjoying the action.

It’s expected that Australia will spend close to $8 billion per year on cybersecurity by 2024. But unless organisations address identity and access management with a robust strategy that doesn’t hinder users and reduces operational costs then many of those dollars will be wasted. While criminals and other attackers use a wide variety of different vectors and tools, weak and stolen passwords remain their most potent weapon. If we can make authentication much harder to crack, we can disarm many potential threats.

Biometrics should be a critical element in every organisation’s security strategy. While no security system is 100% impenetrable to a sufficiently skilled, motivated and equipped threat actor, it is extremely difficult to steal or hack a biometric system. While the movies make it seem easy, that’s not the case in the real world.

A robust passwordless authentication platform brings together multiple pieces of information to ensure that only a verified user is accessing a system. This may include a mobile phone number along with a biometric measure such as facial recognition or a fingerprint. But other data such as location, time of day and network addresses can also be checked invisibly to the user to ensure that all the pieces of the identity puzzle align without putting the onus on the user to jump through more hoops.

The tools needed to build a robust, passwordless authentication platform are here now and will increase in adoption throughout 2022. It’s now up to organisations to recognise where their risks lie and implement an identity and access management solution that addresses those risks and reduces operational costs.