Passwordless authentication better for securing the business?

It’s clear that passwordless alternatives offer better security and greater convenience to end-users, but can we expect a passwordless future any time soon?
6 May 2022

Raz Rafaeli, founder and CEO of Israeli start-up company Secret Double Octopus, is developing a passwordless authentication that works across all business systems and applications, whether on-premise or in the cloud, online and offline. (Photo by Emmanuel DUNAND / AFP)

According to a study by Nordpass, nowadays people use around 100 passwords to access various sites and applications on the web. With so many passwords to keep track of, users are still struggling to generate passwords of sufficient strength to offer a good level of security. Are passwords always going to present these issues? Is there a better alternative?

The problem with passwords 

No one likes passwords. They slow us down, are hard to keep track of, and even harder to generate whenever you want to create a new account somewhere. But like it or not, they have been our primary method of securing access for years, which is why it’s no surprise that password attacks are so popular among hackers, with an astonishing 50 million credential attacks launched every day. However, it’s exactly the kinds of frustrations that users have with passwords that make these attacks successful, and why hackers keep coming back for more.

When people go about their daily lives, they prioritize convenience above all else, and passwords get in the way of this. To speed up the process, when people are asked to create a new password, they’ll generally put down what first comes to mind – a familiar word like the name of a childhood pet or street they used to live on, perhaps with a couple of numbers on the end. Fear that they might forget it causes people to create guessable, and therefore weak, passwords. Yet all it can take is a quick look at someone’s social media, and a bad actor may quickly find the clues needed to hack into their accounts using common social engineering attacks.

To make things even easier on their memory, people try to use the same password in lots of places. In fact, one survey found that 29% of people reuse the same passwords across all online accounts. This means if a hacker found their way into one account, they’d have access to every single one. Not only is this dangerous for your personal data, but if you’re using the same password at work, your company would be put in danger of getting breached. Once a hacker compromises your credentials, they are often sold on the Dark Web and could be used by multiple bad actors to extract more information or even impersonate you.

Is there a safer alternative to passwords?

Although requirements for a strong password are getting more and more stringent, 95% of IT professionals believe passwords pose a risk to their organization. Over the years, other methods of validating identities online have been introduced, raising the question: could these alternative methods cause passwords to become obsolete one day?

Multi-Factor Authentication

Multi-factor authentication (MFA) is now used widely: the user is required to give at least one other method of verifying their identity before gaining access. This could be inputting a code generated by an authenticator app or sent to the user’s phone, but there are several ways multi-factor authentication can be achieved. MFA effectively adds another layer of security, making it harder for a hacker to break in, and is strongly recommended by most security experts. In fact, many advise looking elsewhere if an application or piece of software you want to use doesn’t have MFA among its features. However, although MFA is an improvement on standard passwords, it is not entirely foolproof: bad actors have been known to launch schemes against MFA in which they do things like intercept SMS-based codes.

Key-Based Passwordless Authentication

Using cryptography, key-based authentication confirms a user’s identity with keys stored in secure locations. The server holds the user’s public key and uses it to verify a response produced with the corresponding private key, which gives the user access. This is a promising alternative or addition to passwords, offering much stronger security, so long as only authorized users have access to their private key and it is not compromised.
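
The exchange behind key-based login, as an added example that is not part of the original article: the private key stays on the user's device, and the server stores only the public key, which it uses to verify a signature over a one-time challenge. The `Server` and `Device` classes, the username and the choice of Ed25519 are assumptions made for illustration.

```javascript
// Illustrative sketch: class names, the username and Ed25519 are assumptions.
const crypto = require("node:crypto");

class Server {
  constructor() {
    this.publicKeys = new Map(); // username -> public key, the only credential stored
    this.pending = new Map();    // username -> outstanding one-time challenge
  }
  register(username, publicKey) { this.publicKeys.set(username, publicKey); }
  // Step 1: issue a fresh random challenge for this login attempt.
  issueChallenge(username) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(username, challenge);
    return challenge;
  }
  // Step 3: verify the signature over the issued challenge, then discard the challenge.
  verifyLogin(username, signature) {
    const challenge = this.pending.get(username);
    const publicKey = this.publicKeys.get(username);
    this.pending.delete(username); // single use, so a captured response cannot be replayed
    if (!challenge || !publicKey) return false;
    return crypto.verify(null, challenge, publicKey, signature);
  }
}

// Client side: the private key never leaves the device; only signatures do.
class Device {
  constructor() {
    // Sets this.publicKey and this.privateKey.
    Object.assign(this, crypto.generateKeyPairSync("ed25519"));
  }
  // Step 2: sign the server's challenge with the private key.
  sign(challenge) { return crypto.sign(null, challenge, this.privateKey); }
}

function demo() {
  const server = new Server();
  const alice = new Device();
  const other = new Device(); // constructed second key pair, not registered for "alice"
  server.register("alice", alice.publicKey);
  const sig = alice.sign(server.issueChallenge("alice"));
  const genuine = server.verifyLogin("alice", sig);  // signed the current challenge
  const replayed = server.verifyLogin("alice", sig); // challenge already consumed
  server.issueChallenge("alice");
  const stale = server.verifyLogin("alice", sig);    // old signature, new challenge
  const wrongKey = server.verifyLogin("alice", other.sign(server.issueChallenge("alice")));
  return { genuine, replayed, stale, wrongKey };
}

console.log(demo());
```

Only the genuine login is accepted; a database leak on the server side exposes public keys, which cannot be used to sign in.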

Biometric Authentication 

Biometric authentication uses someone’s unique physical features as a means of identification, for example facial or fingerprint recognition. Not only is this method faster for users, it also avoids any need to remember a password. Many big companies have implemented biometric authentication methods, for example, Apple’s Touch ID introduced in 2013, with other major tech companies like Samsung following suit shortly after. It is predicted that 1.3 billion devices will support biometrics by 2024. Of course, there are other biometric authentication methods like voice recognition or retina scanning, but these generally tend to be more costly and require specially dedicated hardware.

What are the benefits of passwordless authentication?

Going passwordless would definitely be a user-friendly solution, taking away the everyday frustrations of users trying to remember passwords and keep track of them all. The benefit with even more of an impact, though, would be the huge reduction in cyber risk. Countless studies have shown that users’ poor password habits are not getting any better and are still responsible for a huge number of cyber breaches affecting businesses every day, which has necessitated heavy costs to repair the damage, both financially and reputationally.

Avoiding passwords would minimize a lot of these costs, as well as the costs of general password maintenance. One report from Forrester found that some larger companies can spend as much as £700,000 a year on password-related support like password resets. Physical costs aside, this support and maintenance also rely on IT teams dedicating a lot of their time to eliminating these password-related risks, which leaves other areas of security neglected. With passwords gone, IT and security professionals would have more time to focus on improving the company’s security posture.

It’s clear that passwordless alternatives offer better security and greater convenience to end-users, but can we expect a passwordless future any time soon? Some have already begun their passwordless journey, with Microsoft announcing fully passwordless options on user accounts in 2021. However, companies will have to overcome certain challenges when deploying a passwordless authentication model, such as financial overheads and data storage regulations. What’s more, 74% of IT and security professionals believe users could struggle with the switch, preferring the familiarity of passwords even with the accompanying struggles. So, while passwordless authentication methods are the best solution for security and ease of use, our beloved passwords will probably not disappear completely any time soon, but rather become a supporting security measure to passwordless methods.

Article contributed by Clive Madders, Cyber Tec Security