Are the days numbered for ‘123456’? As Microsoft further nudges the world away from passwords, here’s what your organization should consider before going password-free
Authored by Phil Muncaster, guest writer at ESET
For such a clumsy-sounding word, “passwordless” actually promises to make life a lot easier – for both users and security teams. It offers the tantalizing prospect of cutting admin costs, enhancing productivity and reducing cyber-risk. And yet, despite these eye-catching benefits, uptake in both business-to-consumer (B2C) and business-to-business (B2B) environments has not been as strong as one might have expected.
However, when the world’s biggest software company decides to back a new technology approach, it’s time to take notice. Microsoft described passwords as “inconvenient, insecure, and expensive” quite a while ago; fast forward to March of this year and the company introduced passwordless authentication for business customers. In September, Microsoft announced that it would be extending support for all users. You might say that the era of passwordless authentication is finally here.
Passwords have been around for about as long as computers. Their demise has been predicted many times. And yet, they’re still here, securing everything from corporate applications to online banking, email, and e-commerce accounts.
The problem is that we now have way too many of these credentials to manage and remember. One estimate suggests that 57% of US workers have scribbled corporate passwords on sticky notes. And the number is growing all the time as we expand our digital footprint. One October 2020 estimate claims that the average person has around 100 passwords, nearly 25% more than before the pandemic began.
From a cybersecurity perspective, the challenge with passwords is well documented. They provide attackers with an increasingly easy target to steal, guess, phish or brute force. Once they have these in their possession, threat actors can masquerade as legitimate users, waltzing past perimeter security defenses and staying hidden inside corporate networks for much longer than would otherwise be the case. The length of time taken to identify and contain a data breach today stands at 287 days.
Password managers and single sign-on offer some form of redress for these challenges, storing and recalling complex passwords for each account so users don’t have to. But they’re still not universally popular among consumers. The result? We reuse easy-to-remember credentials across multiple accounts, exposing consumer and corporate accounts to credential stuffing and other brute force techniques.
It’s not just about security risk, either. Passwords require significant time and money for IT teams to manage and may add extra friction to the customer journey. Breaches may require mass resets across large volumes of accounts, which can interfere with the user experience in B2B and B2C environments.
In this context, passwordless authentication offers a major leap forward. By using an authenticator app with biometric security such as facial recognition, a security key, or even a unique code sent via email/SMS, organizations can, in one swoop, eliminate the security and admin headaches associated with static credentials.
By adopting this approach for B2B and B2C operations, organizations can:
However, passwordless is not a panacea. There remain several barriers to adoption, including:
As the post-pandemic era begins in earnest, two trends will shape the future of passwordless adoption: a surge in the use of consumer online services and the emergence of the hybrid workplace. With the mobile device at the center of both, it would seem to make sense that any corporate passwordless strategy start here.