The password may be an old technology, but it’s still the most common method of authentication used in businesses today. Yet as cyber attacks continue to grow year-on-year and organisations continue to migrate to the cloud, it’s causing more problems than ever.
Passwords are one of the weakest links in any system, with multiple methods available to hackers to take advantage of them. By far the most common is phishing. FBI statistics show that from 2019 to 2020, the number of attacks more than doubled to over 240,000, with the number of phishing sites growing by an incredible 640%.
As well as becoming more numerous, phishing attacks are also becoming more sophisticated. Emails will typically direct employees to a login page that mimics that of the business, with some even passing on the user’s credentials to the real site seamlessly, leaving the user completely unaware.
While strict security procedures and educating employees are used by organisations to attempt to mitigate the risk of phishing, the only truly effective solution is to deal with the root cause of the problem and eliminate passwords altogether. With passwordless Single Sign-On solutions, spoof sites can’t work, as the Identity Provider will recognise the difference where a human may not. And if employees don’t have passwords, they can’t type them into any unsafe sites, making phishing impossible.
Passwords not only take time to enter; when they’re forgotten and need to be reset, the result is immediate downtime for the employee and anyone else relying on them. And things only get worse when the problem gets passed on to the IT department.
Up to 40% of all IT helpdesk calls within organisations are for password resets, and each one costs an average of £30 to resolve. With Single Sign-On solutions, replacing passwords with token-based authentication means that they can’t be forgotten and don’t need to be reset, lifting much of the workload off IT departments.
While an individual enterprise may have extremely secure systems, they are ultimately only as strong as their weakest link – and very often, that’s the use of passwords. With employees frequently using dozens of cloud apps, that means a lot of passwords to remember, and that leads most people to deal with it the same way – to reuse passwords wherever they can.
When an employee reuses a password, in or out of the workplace, it only needs to be compromised on one site to be compromised on all. Reusing a password in a personal context, on a less secure site, could see the credentials known to hackers and even published on the dark web. Hackers use these lists of usernames and passwords in attacks known as ‘credential stuffing’ – where known pairs are used to try and gain access to other systems using already compromised details.
However secure an organisation is, if it uses passwords, it can always be vulnerable to this type of attack. While most password policies forbid the reuse of passwords, it isn’t realistic to expect employees to remember so many details. With Single Sign-On systems, however, they don’t need to, and the adoption of security and password policies can be firmly controlled by IT departments themselves.
They may not be the most sophisticated method for hackers to gain access to secure systems, but brute force attacks aren’t going away.
In fact, the recent move towards working from home caused by the Covid-19 pandemic is exacerbating the situation. An increasing use of Windows’ Remote Desktop Protocol (RDP) to facilitate homeworking through connecting devices means that more and more ports are open to brute force attacks. These attacks are made even more dangerous by employees using weak passwords in systems that don’t use Single Sign-On solutions and token-based authentication.
While the security risks of passwords are obvious, the user experience often goes neglected. The amount of time employees spend entering passwords may seem trivial, but it quickly adds up for large enterprises, costing millions of pounds of lost productivity each year.
With some Identity Providers executing the process of authentication with no user interface, logging in to a cloud app takes place with just a single click. This not only saves time, but also makes the workflow for employees far more efficient and enjoyable. Efficiency has been one of the main drivers towards cloud adoption, but thanks to the sprawl of credentials and passwords, it can quickly become a security and user experience nightmare without a passwordless SSO solution to manage identities.