Is it time to ‘eliminate’ passwords?

86 percent of security leaders would do away with passwords if they could, finds a new report.
17 July 2019

Are passwords on borrowed time? Source: Shutterstock

Forget inadequate defences or underinvestment in AI-driven cybersecurity: the majority of attacks stem from stolen credentials.

As businesses pile up an ever-thicker stack of digital tools (productivity suites, HR toolkits, cloud-based CRMs, and communications platforms), a good chunk of an organization's data ends up protected by nothing stronger than its staff's passwords.

Bad password security habits

But with two out of five employees reusing work passwords across platforms, and just 16 percent updating their passwords once a year in line with company policy, IT heads agree that the days of the password are numbered.

Nowadays, it’s just too easy for those credentials to be stolen.

Increasingly sophisticated phishing scams, purporting to come from Outlook, Skype, or even your company's senior management, can harvest passwords that give immediate access to a company's most sensitive data stores and open the door to malware-based attacks.

At the same time, complex passwords are more likely to be forgotten, and the password-reset emails that follow can be intercepted by attackers as well.

Stolen credentials responsible for most breaches

According to new research by Security Magazine, 90 percent of security professionals have seen unauthorized access as a result of stolen credentials, while organizational password policies continue to fall largely on deaf ears.

As a result, 86 percent of security leaders would do away with passwords if they could, the report finds, while nearly three-quarters (72 percent) say they are actively looking at ways to replace them.

For many, the solution lies in biometric security, which until now has required expensive dedicated hardware. Now that fingerprint sensors are standard on most modern smartphones, the phone itself can serve as a token for access across devices and platforms: the fingerprint unlocks the device, and the device vouches for the user to the service.

Are biometrics the answer?

Other forms include voice recognition, facial recognition, or a combination of several 'physical' attributes, which are both hard for attackers to imitate and impossible for their owners to forget. The trade-off is that, unlike a password, a biometric cannot be changed if it is ever compromised, which is why modern devices keep the biometric template on the device and use it only to unlock a locally stored credential rather than sending the fingerprint itself.

With most modern smartphones now equipped with these capabilities, the survey found that 88 percent of IT heads believe mobile devices will soon serve as digital ID to access enterprise services and data.

By eliminating passwords, the experts from large companies across the US, UK, Australia, and New Zealand estimated they could reduce the risk of a breach by almost half. Doing so would also relieve pressure on IT support, since two out of every five (41 percent) help desk tickets stem from password or multi-factor authentication (MFA) lockouts.

MFA as the solution?

Stuart Sharp, Global Director of Solution Engineering at OneLogin, said that while the removal of passwords is an objective desired by everyone in the cybersecurity industry, the reality is that a workplace void of passwords is “still a long way off”.

“One reason is that it presupposes that everybody has a modern mobile phone that is capable of supporting these new standards, not to mention the large assumption that users are happy to have corporate apps installed on their device,” said Sharp.

“I wholeheartedly support the move towards a passwordless future, however, developers are still behind the curve.”

While smartphone-based biometrics may play a significant and cost-effective role in workplace security in the coming years, Sharp suggests that multi-factor authentication (MFA), despite current complaints about being 'locked out', may be the most effective solution in the interim.

MFA often involves a physical 'token', such as a smartphone or USB security key, but it doesn't have to require biometrics, or the installation of any third-party apps on a user's device.

MFA requires at least two factors drawn from different categories:

  • Something a user knows (a password, answers to a secret question).
  • Something a user possesses (a smart card, a USB security key, or a smartphone).
  • Something a user is (fingerprint, iris scan, voiceprint).

So, enforcing a second factor on every gateway that staff can reach could dramatically lessen the data breach threat for organizations.

But it may not be the last we see of passwords just yet.