3 reasons passwords need to die in 2020
The headlines still haunt me.
May 7, 2020 marked "World Password Day," the kitschy but pertinent annual reminder to clean up the logins that control access to our modern lives. For days, titles like "Time to Prioritize Passwords" and "Tips for Managing Your Passwords" popped up in newsfeeds, and tips from experts flooded in. "Vigilantly change your passwords" and "use a different password for each account," they said, as if new combinations of characters and symbols were cures rather than curbs for cyberattacks. The problem is that passwords don’t protect us anymore. Gartner predicts that by 2022, 60 percent of large businesses and nearly all medium-sized companies will have cut their dependence on passwords by half. But with COVID-19 requiring many of us to work from home in insecure environments, 60 percent is not enough, and 2022 is too late.
Why We’re Still Using Passwords
Surely this isn’t the first time you’ve read about why we need to eliminate passwords. Security experts are deeply familiar with their flaws and have called for a moratorium on passwords for years. Why, then, are they still very much alive?
The answer is fear and procrastination. Companies that store our data aren’t prioritizing passwordless authentication because it feels like a chore to tackle down the road. Today’s password systems, while weak, are inexpensive, easy to create and easy to continue embracing because we all understand how they work. Executives fear that it will take too much time and cost to implement new security measures, and -- gasp -- people are scared to shake up the status quo. But they have to, and fast if they don’t want their name to appear in other popular headlines these days like, "Company Confirms Data Breach."
Why Passwords Need to Die
- Passwords are a hacker’s dream. Let’s be honest, no one creates a unique password for every online account. The average person reuses each password as many as 14 times. So it’s no surprise that Verizon’s 2019 Data Breach Investigations Report found that 80% of hacking-related breaches involve stolen or weak passwords. It’s bad when a consumer’s personal data gets hacked, and far worse when it’s the corporate password vault. Those passwords are a hot commodity on the dark web -- and because people reuse passwords, one leaked password unlocks every other account where it was reused, which is as good as handing a hacker your credit card information.
- Passwords are to blame for lost revenue. Ecommerce sites have less than a minute to capture a prospect’s interest in whatever it is they’re trying to sell. Included in those sixty seconds is the time it takes to register the user. Just the other day, I was ordering flowers online for my mother. The interrogation started at checkout with having to register and provide too many details about myself. It was too time consuming -- I dumped my cart and bought flowers at the grocery store. There is a direct correlation between user experience and revenue. If a site makes it difficult to register and sign in, users will spend less time with the site -- or perhaps never return.
- Passwords are costing precious time. Ah, the dreaded password reset, when you have at least 10 candidate passwords to guess from. Waiting for a reset email or SMS confirmation, and then deciding which password to reuse this time, is beyond frustrating. With a passwordless system there are no passwords to reset, remember, or get hacked. Password-based account takeovers are eliminated, along with the breaches they cause and the liability that follows them.
Why It Can End Today
The secret to ending passwords for good lies with something that 3.3 billion of us carry every day: our smartphones. Smartphones today are equipped with technology to securely validate who we are, which enables new authentication approaches that simplify how users access a website. Beyond accessing a website, users need to know they are accessing the correct website, assured that they are not being spear-phished and that no one is in the middle listening to their connection. This process of the user authenticating the server and the server authenticating the user is mutual authentication, which the author calls Full Duplex Authentication.
The most sophisticated authentication systems use three factors to validate the user: "something you have, something you are, and something you know."
Smartphones serve as the "something you have" token, while biometrics, whether by fingerprint, facial recognition or, soon, retinal scan, provide the "something you are." The remaining factor, "something you know," is often described as your username or social identity, but a username is public and identifies the account rather than proving anything; the genuine knowledge factor in such a scheme is the PIN or passcode that unlocks the phone or the app. One of the most secure user authentication tools can therefore be provided via a downloadable app.
Downloading such an app can be made easy through a QR code displayed on the website. Once scanned, the download is automated and the initial registration process begins. Every time the user revisits the site, a unique image and number appear on their phone. The user checks that the image and number shown on the website match the ones on their phone, and approves only if they do, completing a robust three-factor verification. Poof! It’s that easy.
While smartphones can make eliminating passwords easier, an authenticated connection is still necessary to stop impersonations. If the channel between user and website is not encrypted and tied to the genuine site, easy verification alone won’t solve the problem, because an attacker can sit in the middle and relay the login. Solution providers must bind the phone’s approval to the site it was enrolled with and to the specific browser session being signed in, not just to a matching picture. Put simply, the site knows it’s the user -- and the user knows it’s the site.
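The enrolment and login flow described above, as an added example that is not part of the original article or of any product it mentions. It models the QR-code enrolment, the per-login image and number shown on both the website and the phone, and the phone’s approval of one specific browser session. The origin `https://flowers.example`, the image names, and the use of an HMAC with a per-device key in place of a device signature are assumptions for illustration only.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed relying-party origin and a constructed set of confirmation images.
ORIGIN = "https://flowers.example"
IMAGES = ["anchor", "balloon", "cactus", "dolphin", "engine", "feather"]


def match_code(nonce: bytes) -> dict:
    """Derive the image and number that both the website and the phone display.
    Both sides derive it from the same per-login nonce, so they agree only when
    the phone is looking at the very challenge this browser session received."""
    return {"image": IMAGES[nonce[0] % len(IMAGES)],
            "number": int.from_bytes(nonce[1:3], "big") % 100}


def approval_tag(device_key: bytes, origin: str, session_id: str, nonce: bytes) -> bytes:
    """HMAC over length-prefixed fields: the site origin, the browser session
    being approved, and the nonce. Stands in for a per-device signature."""
    msg = b""
    for part in (origin.encode(), session_id.encode(), nonce):
        msg += len(part).to_bytes(2, "big") + part
    return hmac.new(device_key, msg, hashlib.sha256).digest()


@dataclass
class Server:
    origin: str = ORIGIN
    devices: dict = field(default_factory=dict)   # username -> device key
    sessions: dict = field(default_factory=dict)  # session id -> login state

    def enroll(self, username: str) -> bytes:
        """Enrolment: the scanned QR code delivers the origin and a fresh device key."""
        key = secrets.token_bytes(32)
        self.devices[username] = key
        return key

    def start_login(self, username: str):
        """A browser asks to sign in: issue a nonce bound to that browser session.
        The website shows match_code(nonce); the phone is pushed (session_id, nonce)."""
        session_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        self.sessions[session_id] = {"username": username, "nonce": nonce, "done": False}
        return session_id, match_code(nonce)

    def finish_login(self, session_id: str, tag: bytes) -> bool:
        """Accept the phone's approval only for the session it was computed for, once."""
        state = self.sessions.get(session_id)
        if state is None or state["done"]:
            return False
        expected = approval_tag(self.devices[state["username"]], self.origin,
                                session_id, state["nonce"])
        if not hmac.compare_digest(expected, tag):
            return False
        state["done"] = True
        return True


@dataclass
class PhoneApp:
    device_key: bytes
    origin: str  # learned once, from the enrolment QR code

    def approve(self, session_id: str, nonce: bytes, claimed_origin: str):
        """Refuse to act for any origin other than the enrolled one; otherwise
        compute the approval tag after the user has compared the match code."""
        if claimed_origin != self.origin:
            return None
        return approval_tag(self.device_key, self.origin, session_id, nonce)


def run_demo() -> dict:
    """Happy path plus the three checks a practitioner would ask for."""
    server = Server()
    app = PhoneApp(device_key=server.enroll("alice"), origin=ORIGIN)

    session_id, shown_on_site = server.start_login("alice")
    nonce = server.sessions[session_id]["nonce"]        # what the push to the phone carries
    codes_agree = match_code(nonce) == shown_on_site    # the user's visual comparison
    tag = app.approve(session_id, nonce, ORIGIN)

    other_session, _ = server.start_login("alice")
    return {
        "approved": codes_agree and server.finish_login(session_id, tag),
        "replay_rejected": not server.finish_login(session_id, tag),
        "foreign_origin_refused": app.approve(session_id, nonce, "https://fl0wers.example") is None,
        "cross_session_rejected": not server.finish_login(other_session, tag),
    }


if __name__ == "__main__":
    print(run_demo())
```

The image and number only tell the user which challenge their phone is approving; the security comes from the tag covering the origin and the session id, so a tag cannot be replayed, moved to another browser session, or produced for a look-alike domain. Note the limit of the visual match alone: a real-time phishing proxy shows the victim the same image and number it sees on the genuine site, so the binding has to be enforced by the client refusing to act for an origin it was not enrolled with, which is what the origin check in `approve` models and what FIDO2/WebAuthn does in the browser.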
This might feel like a bold move, but users want a fast, easy and secure alternative. Now it exists. It is time for a change in the process on the front end to create a better user experience and stop the password headache for good.
Let’s end this password nonsense now.
Image credit: designer491 / Shutterstock
John Hertrich is President and Chief Executive Officer of Identité, a security company focused on making authentication simple, secure and passwordless.