This World Password Day, Start Moving Your Org Towards Passwordless Authentication
May 04, 2023
“Passwords are slowly becoming a thing of the past,” said a headline in a popular media publication in 2017. Two years later, Gartner predicted that by 2022, 60% of enterprises and 90% of midsize companies would implement passwordless authentication in more than half of all use cases.
Fast forward to 2023, and passwords have not gone anywhere. Although tech giants and startups alike are busy working on creating a future where passwords are irrelevant, passwords are still the dominant way employees authenticate themselves online. It’s probably going to stay that way for some time yet. Technologies like FIDO2 passkeys are promising, but they’re only at the beginning of the journey toward passwordless authentication. The jury is also still out on whether they will be broadly adopted.
Only 28% of companies currently use passwordless authentication. Of these, just 3% say their chosen passwordless method is resistant to phishing. A quote from security professional Roger Grimes sums up this disconnect: “The whole reason we’re moving people from passwords to something else is essentially to cut off the phishing avenue. And if I can phish you with your passwordless solution, what have we gained?”
Still, even these numbers are encouraging. Eventually, going passwordless will more than likely become a default account security practice. But until that happens, organizations can’t continue to rely on passwords alone.
We need to move away from passwords…
There are two main problems with passwords. The major one is that they create security risks. The other is that they add to IT support's admin burden.
Security risks
Passwords are inherently insecure, with stolen or compromised credentials being the main cause of data breaches. This is for a number of reasons, including:
Weak passwords
Everyone knows they are supposed to use long, complex passwords, but how many people actually do so? The answer is depressing: not many. Even large companies use passwords that could be cracked in seconds.
According to a recent survey:
68% of companies surveyed use typical weak passwords, i.e., dictionary words, simple combinations of letters and numbers, etc.
32% use passwords that have something to do with the company, like company name, domain, product, and so on.
It’s not just passwords like “123456” and “companyname” that are a problem. Often, employees will use personal information, for example, their spouse’s name or the street they live on, as their password (about one-in-four business leaders use birthdays as part of their passwords).
Although these kinds of passwords use information that should be personal and, therefore, private, the reality is that open-source intelligence (OSINT) sources like social media and data brokers make them just as guessable.
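The weak-password categories above (dictionary words, simple word-plus-digits combinations, company names or products, and birthdays) can be screened for at password-set time. The following is an added example, not IronVest's code or anything from the original post; the deny-lists and the "Acme"/"WidgetPro" organization terms are constructed placeholders, and a real deployment would screen against a breached-password corpus and the organization's own names, domains and products.

```python
import re
from datetime import date

# Constructed deny-lists for this example only (placeholders, not a real policy).
COMMON_WEAK = {"123456", "password", "qwerty", "letmein", "welcome"}
ORG_TERMS = {"acme", "acmecorp", "widgetpro"}  # hypothetical company name / product
MIN_LENGTH = 12

# Undo the usual letter-for-symbol substitutions so "P@ssw0rd" is screened as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def forms_of(pw: str) -> set[str]:
    """Lower-cased password plus its de-leeted variant, both used for substring checks."""
    low = pw.lower()
    return {low, low.translate(LEET)}


def contains_date(pw: str) -> bool:
    """True if an 8-digit run reads as DDMMYYYY, MMDDYYYY or YYYYMMDD with a
    year in 1900-2099, the usual way a birthday ends up inside a password."""
    for run in re.findall(r"\d{8}", pw):
        for y, m, d in ((run[4:], run[2:4], run[:2]),   # DDMMYYYY
                        (run[4:], run[:2], run[2:4]),   # MMDDYYYY
                        (run[:4], run[4:6], run[6:])):  # YYYYMMDD
            try:
                date(int(y), int(m), int(d))
            except ValueError:
                continue
            if 1900 <= int(y) <= 2099:
                return True
    return False


def weak_password_reasons(pw: str, org_terms: set[str] = ORG_TERMS) -> list[str]:
    """Return the policy findings for a candidate password; an empty list means it passed."""
    reasons = []
    forms = forms_of(pw)
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if any(weak in f for weak in COMMON_WEAK for f in forms):
        reasons.append("contains a common weak password")
    if any(term in f for term in org_terms for f in forms):
        reasons.append("contains an organization-related term")
    if contains_date(pw):
        reasons.append("contains a calendar date (possible birthday)")
    if re.fullmatch(r"[a-z]+\d{1,4}[!?.]?", pw.lower()):
        reasons.append("simple word-plus-digits pattern")
    return reasons
```

Substring matching is deliberate: "Acme2023!" and "P@ssw0rd12031985" both fail even though each would satisfy a naive complexity rule.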
Password reuse
Fear of forgetting their login details prompts employees (including IT professionals) to reuse the same one or two passwords across multiple work and personal accounts.
This means that if one password is compromised, chances are, cybercriminals will be able to access other accounts too. About 8 in 10 users with two or more exposed credentials had the exact same passwords in both breaches.
Human error
Whether deliberately or inadvertently, employees often share their passwords with others (family members, colleagues, etc.). For example, in one survey, a third of Americans said they share their passwords with their colleagues.
Password exposure can also happen as a result of security misconfigurations. A few years ago, a security camera company experienced a breach after hackers found a username and password for a “Super Admin” account publicly exposed on the internet. Hackers could then access over 150,000 of the company’s cameras, including those in hospitals, schools, police stations, Tesla factories, and more.
Password storage
Password managers help improve password security, but as recent breaches demonstrated, they are not foolproof.
Earlier this year, a popular password manager provider LastPass experienced a data breach after a cybercriminal hacked an employee’s computer. At around the same time, another password manager contacted customers about a breach after hackers tried logging into user accounts with credentials compromised on other platforms.
Social engineering
Strong passwords are not invincible. Cybercriminals can use social engineering techniques like phishing and malvertising to trick employees into sharing their passwords. Past research shows that phishing messages that look like a database password reset alert have a near 100% click rate.
In some cases, password manager users may be even more vulnerable than those who rely on their memory or a piece of paper to remember credentials. In 2023, threat actors targeted several password managers in Google ad phishing campaigns in an attempt to steal users’ credentials for their password vaults.
Admin burden
Passwords that are difficult to remember or have been stolen/compromised need to be reset, and this is something that takes up a significant amount of IT support time.
One study found that password resets account for between 20% to 50% of calls to the help desk, with each password reset taking anywhere between 2 and 30 minutes to fix. That’s not taking into account the time it takes an employee to reach the help desk in the first place.
When employees have to reset their passwords, their productivity plummets. A company’s bottom line is also impacted—a password reset alone costs $70 in help desk labor.
But passwordless authentication is not quite there yet
Passwordless authentication, which is any method that uses credentials other than passwords to authenticate users, is touted as the natural solution to the password problem.
So why are we so slow to embrace this “passwordless future”?
One reason is that passwordless authentication is still relatively new. According to Gartner, identity and access management (IAM) leaders looking to replace passwords are not sure what passwordless authentication should look like. Confusion also arises because many so-called “passwordless” solutions still use passwords—users just can’t see them. There isn’t yet a dominant passwordless standard, and that’s a problem.
The fact that most current passwordless authentication solutions are expensive and difficult to set up (for example, how do you implement them on legacy systems?) and are not universally supported (i.e., interoperable between multiple apps and devices), can also discourage many IAM leaders from even attempting to begin their passwordless journey.
IronVest biometric account access protection presents: a bridge to passwordless
We can’t wait for a passwordless future; we need a solution right now.
IronVest’s biometric authentication solution offers a passwordless-like experience to companies that want to start implementing passwordless authentication in their organizations but still rely on employee-managed passwords to protect key accounts.
Our biometric authentication auto-fills user login credentials (email, password, and 2FA codes) based on their facial biometric information on any website or app at login and provides additional authentication and protection for sensitive activities post-login. This means that even if cybercriminals gain access to employee credentials, they still would not be able to log into their accounts—or compromise your organization.
IronVest also complements any existing MFA methods your organization may already use. Whether it’s phone or email-based MFA passcodes, we can reroute them via a biometrically protected agent. This helps keep employees safe from attacks like SIM swap or MFA fatigue, which are becoming increasingly common.
We don’t stop there. To protect employees’ identities even further, we give them the option of anonymizing and tokenizing their information, including email addresses, phone numbers, and personal and corporate credit cards. Obscuring this kind of data makes it harder for threat actors to take over accounts through malware-infected emails, trick employees into sharing sensitive information over the phone, or conduct credit card fraud.
IronVest is also easy to set up and requires zero integration. All employees have to do to get started is install the IronVest browser extension and download the IronVest mobile app (available on iOS and Android). Setup takes 30 seconds—literally.
Book a demo of IronVest’s biometric authentication AccessGuard today.