Passwordless

World Password Day – the first Thursday of every May – exists to remind people of the importance of protecting themselves when online by using strong passwords. Cybercriminals grow increasingly bold and sophisticated in their methods. As a result, concerned users are adopting modern cybersecurity paradigms. Passwordless solutions provide better data security than conventional passwords. Ironic, but true.

Most data breaches are the result of credential theft. Simple passwords make companies more vulnerable in brute force attacks, which involve cybercriminals trying millions of possible passwords in just seconds. Credential stuffing is a type of cyberattack that involves cybercriminals purchasing stolen account user names and passwords off the dark web and trying using them to try to gain unauthorized access via automated login requests. These are especially successful when people reuse old passwords.

Password Security Strategies

Like a car thief who checks doors for one that is unlocked, a cybercriminal wants the easiest route possible into a company’s data. Tight online security within the company is a major deterrent. For companies that insist on relying on passwords for online protection, there are strategies to make them more secure.

These include using:

  • Unique passwords for each site or app. For example, do not use the same password to log into your project management app as you use for a social media site or a banking site.
  • Phrases rather than a more standard one- or two-word password (think “To be or not to be” rather than “Hamlet”).
  • Shortened and memorized versions of a favorite phrase, like 2Bor!2b?
  • Passwords randomly generated and suggested by your browser.

If you access the site on the same browser on your computer or have it linked with other devices, you will not need to enter the password every time. However, you must ensure it is a strong password.

  • Three or more unrelated words together, like SapphirePuzzleMongoose
  • A notebook to store passwords. Just make sure to keep it in a separate place from your desktop or laptop. No passwords scribbled on a scrap of paper and slid under your keyboard or stuck in your top drawer.
  • An online password manager to store and manage online credentials.

Even if you take these measures, the danger is not alleviated. The reality is passwords are no longer sufficient to combat attacks from bad actors. As such, there are several significant reasons to embrace alternatives to passwords. Here are three reasons to consider moving to a passwordless strategy.

#1 Reason for Passwordless – People hate them

Like filing their taxes, creating, and managing passwords rank high on the list of activities people love to hate. Requiring that employees keep and maintain passwords can lead to frustrated employees. This is especially true if they must change them every 60 to 90 days. Passwords also probably are not popular with vendors, customers, and partners that need to access your site. And they create headaches for the business too. After all, there are costs and complicated processes to consider. These are associated with developing, deploying, and managing a repository to keep user passwords secure. For instance, the average help desk cost to reset a user’s password is $70.

#2 Reason for Passwordless – Passwords are a Weak Link

In fact, 80% of data breaches resulted from hijacked and misused passwords. The typical user has dozens of online accounts and 51% of their passwords are reused among the accounts. Lost business can also be a negative consequence of passwords, with one-third of online purchases given up when consumers cannot remember their passwords.

Arguably, user names and passwords are the weakest links in your cybersecurity program. Password fatigue can lead employees to make unwise choices, such as creating weak passwords they can more easily memorize or re-using a password for multiple sites, which can increase the company’s risk.

#3 Reason for Passwordless – Modern Challenges Require Modern Solutions

Passwords have been around for decades but so much has changed in that time. With the surge in mobile phone use, the subsequent proliferation in the number of apps, and increase in data stored in the cloud, cybercriminals have new endpoints to attack and more incentive to launch attacks. Plus, there are many more cybercriminals now – even working in groups – to worry about.

When companies sent their workforces home to work remotely in 2020, we saw how even the most technically savvy companies can be challenged by new circumstances. The number of potential security attack surfaces increased, making remote workers targets of attacks. Situations can change fast so companies must remain agile in all aspects of their business, including cybersecurity, and be prepared for the unexpected.

How to Shift to Passwordless

Companies have a few major passwordless options for identity authentication if they evolve from passwords. Make sure any security method you use is scalable. Biometrics authentication verifies identity by unique physical identifiers – like a fingerprint or facial scan – to assess if the proper person is requesting access. These physical characteristics are the ultimate in unique credentials and cannot be duplicated.

Some software vendors have aided the shift via the introduction of operating system authentication. Accessing the business software takes two-factor authentication instead of a password and involves a new kind of credential associated with a PC or mobile device.

Another option is passwordless authentication. You may be familiar with multi-factor authentication, or MFA, which requires traditional passwords. With this method, a person enters a user name and a password to request access. Thereafter, an email, SMS, phone, or a smartphone app sends a verification code. They then enter the code to gain access. While more secure than using only passwords, this takes extra steps and creates additional friction for customers, partners, and employees.

Passwordless authentication simplifies and speeds the process. Users no longer need to remember passwords and can use any device, service, or application, including VPN, VDI, cloud, mobile, and web. The right standards-based approach for logins can be secure and interoperable across any website, application, device, and supply chain. And the best way to manage this approach – including modern authentication methods like security keys, facial and voice recognition, fingerprints, smart cards, key certificates, and apps for access tokens – is with centralized authentication.

Free yourself from passwords

Simeio supports more than 100 organizations in streamlining, simplifying, and saving costs in their digital transformation engagements. We are passionate about helping companies secure their data and increase the confidence of the people who entrust them with it. Our modern access management solution with passwordless administration can help boost security, decrease cost, increase agility, and reduce user friction. Modernizing your IAM program can help your company realize these benefits. Learn how our team with its expertise has made it happen!