With Verizon reporting that 82% of data breaches involved the Human Element, why are businesses still using passwords and putting their security and reputation in the hands of the end users?
Passwords are the norm for our digital lives. Their presence across both our professional and personal lives means that they are usable by colleagues with a wide range of technical literacy. Password-based authentication has fewer compatibility issues, implementation is simple, and you don’t need to rely on additional hardware. Whilst this might sound like the perfect, cost-effective, security solution – passwords come with a multitude of security, productivity, and financial risks for an organisation.
Why do we need to move away from passwords?
Passwords are a well-established form of digital authentication. However, they are burdening businesses with cyber security risks and the cost of password resets. There have been efforts to make password-based authentication more secure: increasing complexity, forcing password updates at regular intervals, prohibiting the use of similar passwords etc. Whilst these steps may make the password itself more secure, we still face the Human Element risk. There is a finite number of unique, complex passwords that an individual can realistically remember. Combine this with the vast number of applications an individual needs to use daily and this creates a significant risk of users using unsecure methods for remembering their credentials. Think – post-it notes, re-use of passwords, spreadsheets and passwords that incorporate the name of your organisation – a security breach waiting to happen.
What are the alternatives?
There are alternatives to passwords available to businesses now. Whilst these alternatives are not widely compatible with existing applications, it does show that the move to passwordless has started and it is time for business to start preparing for the move. Two of the most popular alternatives to passwords are biometric authentication and using secure protocols.
Biometrics: Biometric authentication confirms a user’s identity using unique physical attributes. With many smart phones using biometrics for unlocking phones, opening apps and approving financial transactions, users are increasingly comfortable using this technology.
Secure protocols: Applications that use SAML or OIDC to authenticate enables users to access multiple applications without requiring credentials since they will have already authenticated with their Identity Provider (IdP). With fewer passwords to remember, users can use a single high entropy passphrase and have secure access to a whole range of applications.
How can businesses begin to transition to passwordless?
This is largely due to the overwhelming majority of enterprise applications still necessitating the use of passwords. As a result, enterprises need to look at practical ways of starting the journey to passwordless, enabling increased security over time. Implementing an Identity and Access Management (IAM) solution is an excellent way of getting started.
IAM solutions allow users to access their identities using a single set of login credentials or biometric authentication. The immediate benefits of implementing an IAM solution include reducing the number of password resets to IT and/or the Service Desk, reducing insecure user behaviours relating to passwords, reducing frustrations and loss of productivity for users, and reducing the risk of phishing incidents.
Using the right IAM solution can enable your enterprise to immediately remove passwords from the hands of your users – eliminating the security risk of human error by placing a system in control of passwords and identities rather than individuals.
If, like most enterprises, you still use applications that require passwords, then by using an IAM solution that incorporates Enterprise Password Management, you can hide passwords from users so they can access apps without actually knowing the passwords. Hiding the passwords in this way means that a user can never be successfully phished since they don’t know the passwords.
Then, using the IAM solution, you can migrate your applications to using protocols such as SAML or OIDC as and when the applications enable support for these protocols.
In summary, password-based authentication is leaving businesses vulnerable to security breaches which could have significant financial and reputational implications. It is imperative that business take action to reduce or completely eliminate these risks. Whilst passwords are here for a while yet, starting the journey towards passwordless doesn’t need to be difficult; finding an IAM solution that is widely compatible with existing technologies will offer a passwordless experience for end users immediately, irrespective of whether applications support this leading to immediate productivity, cost-saving and data breach mitigation benefits for your enterprise.
In summary, make sure your IAM solution can:
- Automatically detect web-apps in use across the enterprise (i.e. Shadow IT)
- Enable these to be immediately enabled for Single Sign-On (SSO) providing a passwordless experience for users
- Allow the ability to easily transition from passwordless to SAML or OIDC as your apps enable support for these protocols.
Learn more on how organisations are improving security and reducing user friction by moving to passwordless authentication.
