If you think that passwords are one of the fundamental pillars of modern security, then you’re absolutely correct. The problem is that this pillar is so full of cracks and other structural weaknesses that even a small gust of wind can send it tumbling to pieces.
Instead of strengthening it by enforcing strict password requirements, many cybersecurity experts believe that the time has come to get rid of passwords entirely. The alternative they propose, passwordless authentication, promises to make it much more difficult for malicious attackers to obtain access to sensitive data without making end-users less productive.
Best of all, passwordless authentication isn’t some theoretical framework whose practical implementation would be difficult at best. It’s a real solution that organizations of all sizes can implement without much effort to address some of the biggest IT management challenges of our times.
Passwords Belong in the Past, Experts Agree
In theory, passwords should be able to reliably stop unauthorized users from gaining access to protected resources.
For example, a randomly generated password consisting of 10 lowercase and uppercase letters, numbers, and special characters would take about 10 million years to crack—long enough for even the most determined hacker to move on and find an easier target.
In reality, compromised passwords are responsible for 81 percent of hacking-related data breaches, according to the Verizon Data Breach Investigations Report. How’s that possible? The answer is simple: users are terrible at using passwords safely, frequently committing the following cybersecurity sins.
- Reusing the same passwords across multiple websites and applications
- Using passwords that are too easy to guess or crack
- Sharing passwords in plaintext form with colleagues and friends
- Storing passwords in an unencrypted manner, such as on sticky notes
- Failing to change their passwords after data breach incidents
Because users and password best practices are like water and oil, and because alternative authentication methods have finally become readily available, a growing number of experts are saying that it’s time to leave passwords in the past.
Toward a Passwordless Future
Recently, more and more experts have begun advocating against the use of passwords even as an authentication factor in multi-factor authentication (MFA) schemes, which require the user to provide two or more pieces of evidence during the login process.
In the passwordless future they envision, users are still required to provide two or more verification factors, but the traditional password isn’t among them. Instead, the factors fall into the following categories:
- Something the user knows (such as a verification PIN generated by the Microsoft Authenticator app)
- Something the user is (such as biometric information captured by Windows Hello for Business)
- Something the user has (such as FIDO2 security keys or a cryptographically strong credential bound to the client hardware itself)
Thanks to new authentication standards like the Web Authentication API (WebAuthn) and FIDO2 (Fast IDentity Online), passwordless authentication using the verification factors listed above is now supported across different platforms, software applications, and devices.
What Are the Benefits of Passwordless Authentication?
The most obvious benefit of ditching passwords in favor of alternative verification factors is the ability to achieve a higher level of security. When users are not required to create, remember, and use passwords, issues with password reuse, sharing, and storage instantly disappear.
What’s more, users quickly discover that logging in to different websites and applications is much faster. Considering that the average business employee must log in with 191 passwords, even a few seconds saved per login attempt can add up to a significant amount of time over the course of a year, especially since more secure (that is, more complex) passwords are harder to enter correctly on the first try.
But lost time is just one consequence of unsuccessful login attempts—increased IT expenses are another one. The Gartner Group states that 20 to 50 percent of all IT help desk tickets each year are for password resets, so getting rid of passwords is an excellent way for organizations to reduce their IT support costs.
Getting Started with Passwordless Authentication
The two biggest obstacles that organizations interested in the benefits of passwordless authentication must overcome are legacy protocols and resistance to change. The former can be addressed by embracing cloud-based business solutions, while the latter is usually a matter of educating employees on the new authentication method and its value. Thanks to companies such as Microsoft, which has recently made it possible for users to remove passwords from their login process and go fully passwordless, getting started with passwordless authentication doesn’t require a large investment of time and money.
At Help Desk Cavalry, we have years of experience with the limitations of traditional passwords, which is one reason why we’re excited to work with all organizations that are not afraid to implement innovative authentication methods as a way to strengthen their cybersecurity.
If that description sounds fitting, then contact us today to speak to a real live person about going passwordless. It’s probably easier than you think.