Password posers

by Mark Rowe

There are no certainties in life, except death and taxes, but based on the last 60 years of our digital existence, maybe we should add passwords? asks Alex Laurie, SVP Global Sales Engineering, ForgeRock.

It is hard to imagine a world without passwords. They remain the most-used authentication method for consumers according to the Fast IDentity Online (FIDO) Alliance’s annual Online Authentication Barometer, despite the fact that passwords almost universally fail at keeping accounts secure and preserving a smooth user experience.

The business imperative for robust and convenient authentication has only increased in the last two years. Consumers’ expectations have shifted as digital products and services rapidly became the norm during the pandemic, with many expecting a better online experience without any compromise in security. However, in this period of digital turbulence, cybercriminals see a feast of opportunities — and passwords are often the main method of attack.

Squeezed by these twin pressures, businesses face an uphill battle if they do not leverage the right authentication methods.

Password (in)security

Through phishing, password spraying, and brute-force attacks, threat actors are accessing vast networks of information, often by compromising a single account or set of credentials. These types of attacks, known as account takeovers, have surged 307 per cent in recent years. More broadly, according to the World Economic Forum, nearly 80 per cent of cybercrimes can be traced back to breached passwords.

And cybercriminals are spoilt for choice. Last year alone, more than two billion usernames and passwords were breached, up 35pc year on year. It is clear that login credentials are the soft underbelly for many consumers and businesses.

The consequences associated with account takeover and data breaches can be vast and severe, encompassing legal, financial and reputational damages. According to the European Union Agency for Cybersecurity (ENISA), 57 per cent of SMEs would likely become bankrupt or go out of business as a result of a serious breach.

Given that SMEs employ nearly 100m people across Europe and represent nearly 99pc of businesses on the continent, a large part of the European economy is playing cyber Russian roulette when it comes to password-based authentication.

More broadly, password-based administration and support can also have a direct negative impact on a company’s bottom line. Research by Mastercard showed that the friction introduced by passwords can lead to lost revenue as a third of users forced to recover their password will abandon the login process altogether. The stakes have never been higher.

A tipping point for passwords

Promisingly, the technological and regulatory foundation for passwordless authentication has already been laid.

As far back as the 19th century, polymath Sir Francis Galton was proclaiming the benefits of fingerprints as an incomparable validator of identity. Yet it is only in recent years that fingerprint recognition has been adopted by mainstream consumers.

Over the last 10 years, smartphone manufacturers, like Apple, Google and Samsung, have paved the way for this type of authentication and access technology to evolve from a vision into an everyday reality, even beyond its initial application of mobile devices.

Now software-based biometrics, which take advantage of the high-quality cameras in mobile phones, allow for cross-platform biometric authentication without the need for special sensors.

Industry bodies, like the FIDO Alliance, have also been instrumental by promoting open standards that are more secure than passwords, easier for consumers to use and simpler for service providers to deploy. On World Password Day (May 5th), Apple, Google and Microsoft signalled their support for FIDO2 WebAuthn, and commitment to interoperability, simplicity and security in implementing passwordless authentication in their devices.

Similarly, the National Institute of Standards and Technology (NIST) released guidelines for phasing out the use of passwords in favour of more secure authentication methods. Many tech companies, including Microsoft and Google, have already implemented these guidelines.

It is no exaggeration to say that strong passwordless authentication across multiple devices, browsers and platforms is now a reality.

Behavioural biometrics

So the technology, behaviour and standards for passwordless authentication are there. How can companies orchestrate the perfect passwordless and usernameless journey for their users?

One of the most exciting advances on the horizon in 2023, and one that may help, is behavioural biometric authentication.

Behavioural biometric authentication uses a user's behaviour (for example scrolling speed and patterns, finger size and keyboard typing rhythm) to provide ongoing authentication that runs in the background. When implemented correctly, the user will not even be aware that their identity is being verified.

However, a lack of friction should not be confused with a lack of security. When the correct balance is struck, and behavioural biometrics are implemented alongside AI and traditional security methods like Multi-Factor Authentication, both user experience and security will improve.

What’s more, the same behavioural data can be used to build a user profile for the personalisation of services and products – another important benchmark of positive online experiences. For example, it should be easier to capture an individual customer’s intention at critical moments in their daily activities.

The road has been long but the benefits will be many

Two years ago Gartner estimated that by now 90pc of midsize enterprises would have implemented passwordless authentication in more than 50pc of use cases. Although we might not yet have reached that point, the direction of travel is clear, with the FIDO Alliance reporting that password usage has already dropped globally by 5pc.

Ultimately, the death of the password will be a huge relief for users, removing the need to remember or type passwords and enabling better user experiences. For organisations, the upsides are just as powerful, with a passwordless future offering improved security, reduced risk of data breaches and lower support costs.

As we enter the new year, 2023 seems set to be the year when passwords finally become an endangered species. I’m afraid the outlook is less positive for those who wish to dispense with death and taxes.

© 2024 Professional Security Magazine. All rights reserved.