Let's Be Bold and Eliminate Passwords Forever

By John Hertrich, CEO at Identité
The list of people in the world who like passwords is awfully short. Yet as a means of verifying user identity, passwords hang on, frustrating users and exposing huge IT vulnerabilities. Why?
A decade ago, the average person used perhaps ten websites that were password protected. Within a few years that number tripled. Today, especially with more of us working, learning and shopping online than ever due to the COVID-19 pandemic, people are expected to keep track of passwords for hundreds of websites.
It's clear that virtually no one creates and remembers a different password for every site. The average person reuses each password as many as 14 times, and the sheer number of sites requiring passwords forces some amount of repetition. This creates a security problem not only for the user but also for every company whose site accepts that reused password.
According to the 2019 Data Breach Investigations Report from Verizon, 80% of hacking-related breaches involve stolen or weak credentials. If a corporate password store is breached, the passwords in it end up for sale on the dark web, and because people reuse passwords, that gives thieves a virtual passkey to everything from bank accounts to credit cards.
The commercial drawbacks of passwords are evident as well. Industry standards in web marketing recognize that ecommerce sites have less than a minute to capture a prospect's interest in whatever it is they're trying to sell. Included in those sixty seconds is the time it takes to register the user. What's more, when they return, they will need to authenticate. How many of us have given up on purchasing a product because we can't locate the password or can't be bothered to log in? I know I have.
Nearly every study on website effectiveness and customer satisfaction comes to the same conclusion: there is a direct correlation between user experience and revenue. If a site makes it difficult to register and sign in, users will spend less time with the site, or perhaps never return.
Better Alternatives
If passwords are the bane of the internet, why haven't they been retired? Two words sum up much of the reason: simplicity and security.
Until recently there hasn't been an easy way for people to commit to the ultra-strong "something you know, something you have, and something you are" standard. Today all three can be satisfied through something that 3.3 billion of us carry every day: our smartphones.
The smartphone serves as the "something you have" token, supplied by a free app. Biometrics, whether fingerprint, facial recognition or, soon, retinal scan, provide the "something you are." The remaining component, "something you know," is reduced to a username or social identity; since a username is not a secret, the real strength of the scheme rests on the device and the biometric.
Installing such an app can be made easy through a QR code displayed on the website. Once scanned, it drives the download and the initial registration, which binds the phone to the account. Then, each time the person revisits the site, a unique image and number appear on the phone, and the user is asked to confirm that they match the image and number shown on the website, completing the three-factor verification. When the user is already on the phone, the experience is smoother still: either they never leave the device, or the authentication is built into the site's own app through an SDK.
Smartphones make eliminating passwords easier, but the channel between user and site still has to be protected. If that connection can be intercepted, easy verification alone won't solve the problem, because an attacker can stage a man-in-the-middle attack and relay the exchange. Solution providers must therefore build to the highest authentication assurance levels. Few providers satisfy the most stringent level in NIST SP 800-63B, AAL3, which among other requirements demands resistance to verifier impersonation. Reaching that level means authentication must run in both directions: the service's server must prove its identity to the user's app, and the app must prove the user's identity to the server. In short, the site knows it's the user, and the user knows it's the site.
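To make the two preceding paragraphs concrete, here is an added example (not Identité's code, and not a description of any product's internals) that models the enrollment, push, confirmation-code and mutual-authentication steps with the Python standard library only. The phone holds a per-device secret provisioned at enrollment, standing in for the QR-code step; HMAC stands in for the device-bound key pair a real product would keep in the phone's secure element; the origin `https://shop.example`, the field names and the image-set size are all assumptions made for the example.

```python
# Added example (not Identité's code): a stdlib-only model of the passwordless
# exchange described above. Server and phone share a per-device secret created at
# enrollment; both sides MAC the same canonical challenge so that each proves to the
# other that it holds that secret. HMAC is used only to keep the example
# self-contained; a real product would use a device-bound key pair in a secure element.
import hashlib
import hmac
import json
import secrets
import time

N_IMAGES = 16        # size of the assumed confirmation-image set
CHALLENGE_TTL = 60   # seconds a pending login stays valid


def _canon(**fields) -> bytes:
    """Canonical encoding so both sides MAC exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _tag(secret: bytes, label: bytes, data: bytes) -> str:
    # Domain-separated HMAC: a "challenge" tag can never be replayed as a "response" tag.
    return hmac.new(secret, label + b"|" + data, hashlib.sha256).hexdigest()


def confirmation_code(server_tag: str):
    """Image index and two-digit number that both screens derive from the same tag."""
    raw = bytes.fromhex(server_tag)
    return raw[0] % N_IMAGES, int.from_bytes(raw[1:3], "big") % 100


class Server:
    def __init__(self, origin: str):
        self.origin = origin
        self.devices = {}   # username -> device secret
        self.pending = {}   # session id -> (challenge fields, server tag)

    def enroll(self, username: str) -> bytes:
        secret = secrets.token_bytes(32)   # carried to the phone via QR code in the described flow
        self.devices[username] = secret
        return secret

    def start_login(self, username: str) -> dict:
        """Server authenticates itself first: the tag proves it holds the device secret."""
        chal = dict(origin=self.origin, user=username, session=secrets.token_hex(8),
                    nonce=secrets.token_hex(16), ts=int(time.time()))
        server_tag = _tag(self.devices[username], b"challenge", _canon(**chal))
        self.pending[chal["session"]] = (chal, server_tag)
        # This dict is pushed to the phone; the website shows confirmation_code(server_tag).
        return dict(chal, server_tag=server_tag)

    def finish_login(self, session: str, response_tag: str) -> bool:
        rec = self.pending.pop(session, None)   # single use: a replayed response fails
        if rec is None:
            return False
        chal, server_tag = rec
        if time.time() - chal["ts"] > CHALLENGE_TTL:
            return False
        expected = _tag(self.devices[chal["user"]], b"response",
                        _canon(**chal, server_tag=server_tag))
        return hmac.compare_digest(expected, response_tag)


class PhoneApp:
    def __init__(self, origin: str, secret: bytes):
        self.origin = origin   # pinned at enrollment
        self.secret = secret

    def handle_push(self, push: dict, biometric_ok: bool):
        """Verify the server, gate on the biometric, then return (code shown, response tag)."""
        chal = {k: v for k, v in push.items() if k != "server_tag"}
        if chal["origin"] != self.origin:
            raise ValueError("challenge is for another site")
        expected = _tag(self.secret, b"challenge", _canon(**chal))
        if not hmac.compare_digest(expected, push["server_tag"]):
            raise ValueError("server failed to authenticate: tag does not verify")
        if not biometric_ok:
            raise ValueError("biometric gate failed; nothing signed")
        code = confirmation_code(push["server_tag"])
        response = _tag(self.secret, b"response", _canon(**chal, server_tag=push["server_tag"]))
        return code, response


def demo():
    """Happy path, replay, and an impersonating server; returns (login_ok, replay_ok, fake_rejected)."""
    server = Server("https://shop.example")
    app = PhoneApp("https://shop.example", server.enroll("alice"))

    push = server.start_login("alice")
    site_code = confirmation_code(push["server_tag"])             # shown on the website
    phone_code, response = app.handle_push(push, biometric_ok=True)  # shown on the phone
    assert site_code == phone_code                               # the user's comparison step
    login_ok = server.finish_login(push["session"], response)
    replay_ok = server.finish_login(push["session"], response)   # second use must fail

    # A server that does not hold the device secret cannot produce a valid tag,
    # so the phone refuses before any biometric prompt or response.
    fake = dict(push, nonce=secrets.token_hex(16), server_tag="00" * 32)
    try:
        app.handle_push(fake, biometric_ok=True)
        fake_rejected = False
    except ValueError:
        fake_rejected = True
    return login_ok, replay_ok, fake_rejected


if __name__ == "__main__":
    print(demo())
```

The three checks in `demo` map to the text: the matching image and number on both screens tie the phone's push to the browser session; the phone's verification of `server_tag` is the "user knows it's the site" direction; the server's check of `response_tag`, bound to origin, session and nonce and accepted only once, is the "site knows it's the user" direction with replay resistance. What this model does not show is how the browser session itself is bound to the confirmed push, which is where real deployments must take care.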
Time to Begin
There's a final reason why passwords are still with us, however: companies need to commit. If this paradigm is going to shift, individual sites must offer a passwordless system as the only way for users to register. People need to be compelled to experience the simplicity, convenience and peace of mind that comes with an alternative system.
This might feel like a daring move, but think of the benefits. Users want a fast, easy and secure alternative. Now it exists. By making good use of the technology available to us, we can combine all three factors of authentication without the use of passwords. This option wasn't available to us five years ago.
Simplifying your site offers an immense advantage over the competition. It also lowers costs and streamlines operations. The majority of calls to customer service, for example, involve password resets. With a passwordless system there are no passwords to hack, no more potential PR disasters and even less exposure to liability.
As an industry, we must change the status quo. Gartner predicts that by 2022, 60% of large businesses and nearly all medium-sized companies will have cut their dependence on passwords by half.
60% is not enough. It starts with each individual company and each website. It must begin with those who are bold enough to embrace a better way. And it must start today.
JOHN HERTRICH is President and Chief Executive Officer of Identité, a security company focused on making authentication simple, secure and passwordless.