Too many people are lazy when it comes to password management — this should be no surprise to most of us. Since the dawn of digital authentication, users have been known to recycle passwords across accounts without a second thought. As more accounts requiring passwords have come about, and as password requirements became more stringent, it was too difficult to remember them all. So, we stuck with what we knew and changed them only when required.
This system of password management may have sufficed two decades ago, but today, passwords are a major commodity on the Dark Web. Passwords are stolen in data breaches and sold; combined with your username or email, stolen passwords can give cybercriminals the key to massive stores of both corporate and personal data. And breaches conducted with legitimate credentials are difficult to detect — so it’s no wonder password theft is so popular.
Patching Password Management Mistakes
Today we have a relatively sophisticated understanding of how vulnerable our passwords are and the need to adopt better password management. Yet according to research by OpenVPN, a quarter of employees use the same password for all access points, 17 percent admit they use the same password for at least six different accounts and just under half of respondents use the same password for three accounts.
Clearly, old habits die hard, but this particular bad habit could result in identity theft or financial theft for an individual or cost an enterprise millions of dollars in fines, reparations and lost business. It’s also why an increasing number of IT and security decision-makers are searching for new, password-free identity and authentication management systems. But are we ready for a password-free world?
Pushing for Password-Free Authentication
There is a growing push to move away from password-based authentication and use other methods to establish digital identity. The Fast Identity Online (FIDO) Alliance, for example, is creating standards designed to supplant the need for passwords. In theory, it’s a good idea; in practice, it can be complicated. If you eliminate passwords, what do you replace them with? And with what will you bind the authentication factor — the device or the user? Then, how do you re-establish the digital identity of users already within the organization? Finally, what happens if that authentication method fails? What’s the backup plan?
Passwords authenticate access to networks, software and databases, but they also provide a level of security, even if that security layer is increasingly poor and inefficient. This is why speakers and panelists at the Identiverse 2018 conference stated the need for security in any authentication method considered for a password alternative.
They stressed, however, that users will balk at any method that requires too many steps. After all, users fail at password management because they want the process to be as simple as possible. Remembering dozens of unique passwords is too inconvenient; it’s easier to use the same one over and over again, even when we know the risks involved. Nor is there going to be a one-size-fits-all solution. Different users will make different choices depending on the device and the situation. That’s why there’s a need for more differentiators in each use case.
Applying New Methods to Old Habits
There is evidence that we choose the familiar over the safer methods. Biometric authentication seems like an obvious choice to replace passwords. According to the OpenVPN study, “Seventy-seven percent of employees trust biometric passwords, and 62 percent believe they are stronger than traditional alphanumeric codes.” But barely more than half will use biometrics as their availability increases.
And we aren’t just eschewing biometrics. IBM’s recent Future of Identity Study showed that only 28% of the general population would enable factor authentication on their accounts in the wake of a data breach.
Companies are offering password-free authentication options, such as the Universal Second Factor (U2F) security key or smartphone applications that use dynamic authentication options. While IT and security professionals embrace these password-free options, it remains to be seen when — and whether — the average user will make the switch.
Despite the more secure authentication methods available, passwords aren’t going anywhere anytime soon. Users are familiar with them, so they trust passwords more than other options. And as long as they are using passwords, they are going to continue to practice poor password management. Getting users out of old password habits will take time. Instead, slowly introduce new authentication methods and give users a chance to make new security best practices their new routine.