Let’s face it, nobody likes passwords, but now that everything we access exists online, they are hard to escape. As organisations look to consume more SaaS applications and cloud-based services, they will be faced with not only new security risks but also increased costs: 20% of support calls are about forgotten passwords. At a time when digital identity has never been more important, could we be contemplating the possibility of passwords being a thing of the past?
As we’ve seen in the news, people will often create the simplest password they can get away with to make it easier to remember. The drive to keep us secure has in itself become a security risk. Here’s some advice from one security website I found: ‘a phrase like “security breeds success” can become a password of “S3curityBr33d$Succ3$$”’. Brilliant, thanks for that. I’ve typed my password in 15 times today and it’s only 2pm. A BBC article, in 2004, revealed that more than 70% of people would tell someone their password in exchange for a chocolate bar. That is a long time ago and most people are more aware now, but phishing remains the easiest way to gain access to account information, usually in more sophisticated ways than bribery with a Lion bar, but the outcome is the same.
The proliferation of systems we authenticate to every day means multiple usernames and passwords, which has led to Identity and Access Management (IAM) being a major focus for our customers. IAM solves the problem through single sign-on, but the importance of that single password then becomes even greater. You can, of course, add another layer of security by implementing multi-factor authentication (MFA), but let’s be honest, no-one likes that either. By that I mean no-one likes traditional MFA, where you end up having to remember a password and a PIN and carry a hardware token around with you. Multi-factor authentication is the key to this problem; we must just implement and view it differently.
Consumerisation influences all areas of IT. Our expectation has become that how we use technology at home should be reflected in how we use it at work. Vendors appreciate this and have benefited by trialling products in the consumer world to gain experience before bringing it into organisations.
We love the fact that we can use our fingerprints, or face, to authenticate to applications on our smartphones and it’s that user experience that we have started to expect at work. Websites, however, can be accessed from any device and so need a different solution. Those solutions are now being trialled by companies like Microsoft and Google. Both of whom allow you to access services using only your phone as a source of authentication. I can’t remember the last time I used my password to access my Outlook account from a device that I trust. In fact, I’m not even sure what my Outlook password is.
In business-to-employee security, organisations are starting to adopt Windows Hello for Business to alleviate the password problem, but a barrier to adoption will be its reliance on the hardware required to support it. It also requires everyone to be running a Windows operating system, which goes against the trend of increasing device choice. Solutions that make use of smartphone technology are agnostic of the primary device; they also benefit from often being more up to date than many people’s laptops, and a phone is something you’re unlikely to ever be very far from. This should make us consider the additional use cases and the possibility of allowing business-to-business and business-to-consumer transactions to have a similarly simple and secure mechanism for people to prove who they are. This would truly digitise many traditional businesses and services, from mortgage applications to insurance services, money transfers, and more.
The traditional view of authentication is based upon three common factors: something you know (your password), something you have and something you are. Biometrics, along with industry standard authentication specifications (like WebAuthn and FIDO2), can remove the inconvenience of that first factor, delivering an enhanced user experience while reducing cost and simultaneously improving security.
Imagine for a moment that you’ve just changed your Windows password for the last time. Picture never having to click a ‘reset my password’ link ever again. It’s a lovely thought and the reality is not that far away. Until then, try taking a phrase from your favourite film, replacing various letters with numbers, adding some random capitals and squeezing an ampersand in somewhere just to be on the safe side. Don’t forget to repeat that across all your accounts and be prepared to change it every 60 days.