Time to ditch passwords? How alternative employee authentication can provide better protection
By Raz Rafaeli, CEO of Secret Double Octopus
The first recorded use of a password used to access a computer system occurred in 1961—but this historic milestone quickly led to the first stolen computer passwords. Six decades later, we’re still grappling with the very same problem.
What’s more, the security risk posed by compromised passwords has grown exponentially during that time, as companies have collected and stored vast amounts of sensitive data online. Then there is the time loss and IT support costs incurred if employees forget passwords and can’t gain access to systems.
Thankfully, however, passwords may soon be a thing of the past. Let’s get into why:
Why passwords are facing the end of the line
There are plenty of reasons to do away with passwords altogether and replace them with better alternatives—efficiency, security, and ease of use being the most important.
An employee may require access to numerous systems to perform their job and each of these systems will require a password login. Let’s say the employee followed data security best practices and created unique passwords for each system. If they mix up a password and enter it incorrectly, they will likely be locked out after several incorrect attempts.
This kills efficiency as they’ll be unable to perform their job for several minutes or even hours until they regain access. According to Widmeyer’s password security survey, companies lose hundreds of thousands of dollars in productivity every year because of lost credentials.
Secondly, companies that still rely on password authentication to access critical customer and company data are playing with fire and neglecting security. Password-only protection is too easy for hackers to crack. Any company that relies on simple password authentication puts its business and reputation at risk. Whether it’s protecting the company’s internal data or its customers’ data, a security breach in any of the systems can cost the company dearly.
Lastly, more and more companies are concerned with ease of use. Referring back to the previous example, having to log in to numerous systems using different passwords is daunting and a frustrating way to start your day. And of course, employees are automatically logged out of systems periodically, meaning they have to re-enter passwords continually throughout the day.
What’s more, throughout the last few years, two crucial factors have altered our perception of how online authentication should function. First, we’ve moved most of our business activities online, requiring increasing access to portals, software, and systems. And second, we’ve become accustomed to new technologies that give us better, faster, and more effortless digital experiences. As such, investing in better and more secure authentication methods than passwords should be a top priority for businesses in 2022.
So if we’re finally waking up and realizing just how lousy and outdated passwords are as a data protection tool, what are the alternatives?
The best alternatives to choose from
Password alternatives such as tokens and biometric technologies have been around for some time, and even newer options such as passwordless multi-factor authentication (MFA) are growing rapidly. Still, until now, the issue of ‘interior’ security (authenticating a company’s own employees, as opposed to its customers) has not been at the top of the list for many organizations. However, given the growing security risks and management headaches caused by passwords, investing time and money in new alternatives is urgently required. So let’s take a closer look at what choices companies have.
- FIDO keys
FIDO authentication is built on public-key cryptography. When a user registers with a site or platform, their authenticator generates a key pair: the private key stays with the user, and the platform stores a copy of the public key, which is linked to the user’s account. At each login the user is prompted to prove possession of the private key, so a password is never needed at any step.
One benefit of the FIDO protocols is that they transmit nothing that can be used to track users across sites. Another is that the private key stays on the device, specifically a FIDO-certified device such as a USB or NFC security key. This option presents far fewer security risks than typical password models, but it still incurs heavy upfront and replacement costs.
FIDO keys are the more modern, safer successors of the hardware tokens of earlier years, which typically displayed a one-time password (OTP) that changed at a fixed interval. Those tokens were far less flexible than today’s FIDO keys, which come with an associated standard, WebAuthn, that lets browsers talk to the key directly. OTP tokens also carry a structural weakness: their codes are generated algorithmically from a secret seed value, and high-profile compromises of those seed values have taken place.
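The registration and challenge-response flow described above, reduced to a minimal model in Go; this is an added example, not code from the original article or from Secret Double Octopus. The names RelyingParty and Authenticator are my own, and real FIDO2/WebAuthn adds origin binding, attestation and signature counters that this model leaves out; what it does show is that the server stores only a public key, that each login signs a fresh challenge, and that a captured response is useless against a later challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// RelyingParty is the site. It stores public keys only, so a breach of its
// user table yields nothing that lets an attacker log in.
type RelyingParty struct{ users map[string]*ecdsa.PublicKey }

// Authenticator models the FIDO key; the private key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewRelyingParty() *RelyingParty { return &RelyingParty{users: map[string]*ecdsa.PublicKey{}} }

func NewAuthenticator() *Authenticator {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return &Authenticator{priv: priv}
}

// Register binds the authenticator's public key to the user's account.
func (rp *RelyingParty) Register(user string, a *Authenticator) {
	rp.users[user] = &a.priv.PublicKey
}

// Challenge is fresh random data per login, so a captured response cannot be replayed.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { panic(err) }
	return c
}

// Sign proves possession of the private key without revealing it.
func (a *Authenticator) Sign(challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	if err != nil { panic(err) }
	return sig
}

// Verify checks the response against the public key stored at registration.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	if !ok { return false }
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```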
- Mobile and biometric MFA
Despite this, OTP tokens are still used today, mostly as software authenticators in the form of mobile apps. Consumer smartphones have ushered in the era of mobile MFA and software authenticators/tokens. These improve security over passwords alone, but they are layered on top of the password rather than replacing it, and they have been defeated by attacks such as SIM swapping and mobile push bombing, where a flood of MFA prompts leads the user to inadvertently approve one.
Biometric technology allows unique identifying features like fingerprints, the iris, and facial characteristics to be used for authentication. Thanks to Apple, most of us are already familiar with this method. The company has integrated the Touch ID and Face ID functions into many of its devices, making access seamless and fast.
One of the fundamental advantages of biometrics is that most biometric systems are not easy to spoof. They allow users to authenticate themselves much more rapidly and conveniently while still offering superior security to passwords. All it takes is the press of a finger or simply looking at a camera.
However, the downside of this method is that, if the system is not architected well, attackers can steal stored biometric data, or gain access by spoofing the sensor with a copied fingerprint or a 3D print produced from images of a person found on the internet (depending on the maturity of the technology employed). Another difficulty is that, unlike a password, a biometric cannot be changed if the digital identification is compromised.
- Passwordless MFA
Our third method combines components of FIDO public-key cryptography and mobile biometrics to provide a completely passwordless solution. It is even more user-friendly, and provides a quicker and safer route to logging in than either of the authentication methods mentioned above.
Passwordless MFA methods use a decentralized architecture, usually built around the user’s mobile device. Because the login credentials are held only on the user’s own device rather than in a central store, the risk of breaches and other cybersecurity threats is drastically reduced.
In general, passwordless MFA is based on at least one of these three factors:
- Something the user has (e.g., a mobile phone or FIDO key)
- Something inherent to the user (typically a biometric signature)
- As a fallback to biometrics, something the user knows (e.g., a PIN or pattern)
- In some cases, location and network indicators also serve as additional authentication factors.
Because passwords are a relatively risky authentication factor, owing to how simple, shared, and reused they tend to be, it is much safer to rely on factors that do not involve passwords at all.
If switching from passwords to modern, integrated authentication methods sounds too costly and time-consuming at first, consider the longer-term benefits it will bring to your business, chief among them increased security and ease of use. And with countless companies falling prey to cyberattacks, from blue-chip multinationals to small mom-and-pop businesses, upgrading one of your biggest vulnerabilities will significantly reduce your chances of this happening to you.
About the author
Raz Rafaeli is CEO of enterprise cybersecurity startup Secret Double Octopus (SDO).
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.