It’s time to get used to getting rid of your passwords
In the I.T. world this topic seems to come up every few years. As new technologies surface, and more data breaches are discovered, the topic swirls around and ultimately hits the mainstream media and business journals. So here we are again, some years later, and the topic of the death of the password has surfaced again. So why does this discussion come up again and again? And is it something that is finally gaining ground? Or will the topic just die off again, only to be recirculated some years later?
Back in the early days of the technology revolution, passwords were a great way to prevent access to data and systems. Individuals had their accounts, and their access, and protecting it was straightforward. As technology advancements continued, and access to systems became more mobile and interconnected, the I.T. world quickly realized that protecting data had evolved and become much more challenging. This led to questions about the viability of passwords for security, and ultimately led to the obnoxious password policies we have in place today: minimum password length, adding numbers and special characters, changing your passwords often, not repeating the same password, etc., etc. I’m sure you get the point.
The fact is, passwords are not a good way to protect data, and the increasing complexity in password policies is proof the system is breaking down. But why are we talking about this again now? What has changed in the last 5 or 6 years that caused this resurrection of the “passwords are dead” conversation (<- see what I did there)? Well, we think it comes down to four major tipping points.
Tipping point one: Passwords are hackers’ holy grail
According to a study by Verizon, out of over 900 phishing attacks studied, 91% were targeting the gathering of credentials. No wonder, given that in the same study 63% of data breaches were caused by weak or stolen credentials. In another study in 2018 by TraceSecurity, 81% of the company data breaches studied were due to poor passwords. In 2013 Google started a process to eliminate passwords internally, and even said that startups today that use passwords as the only method to protect data will go out of business. They additionally went on to partner with Dashlane to create a YOLO (You Only Login Once, not the other YOLO!) initiative to help eliminate the sole dependence on passwords as an authentication and data protection mechanism. With passwords being such an easy method for hackers to get access to accounts and data, it is becoming a cause for concern everywhere.
Tipping point two: Passwords are a pain in the a$$
Seriously, does anyone like passwords? It seems like we all need a password for almost every company we have any relationship with, not to mention all the ones we use for our jobs as well. Personally, I have well over 100 password-protected accounts I need to manage. Now add the fact that everyone is requiring more complex passwords and requiring them to be longer and longer. It’s a pain.
It’s this pain that has been a driving force in the recent password manager craze. And although using a password manager is something we really, really strongly recommend, it doesn’t actually solve the issue. It only masks it by helping people generate and store more complex passwords, and by automating some of the login processes on websites and mobile apps. The threat of hackers using passwords as their number one method of getting at data remains. Using different passwords everywhere only slows down their efforts.
Here are some tips for being more secure with your passwords:
Tipping point three: Mobility taking over the financial world
This has been a long time coming but has gained ground dramatically in the last 4-5 years. Consumer demand is driving the digital evolution of financial institutions. And what’s at the top of their priorities? More digital, more mobile. Not only that, but consumers have gained a ton of confidence in handling financial transactions through tech companies like Apple and Google’s Alphabet, Inc. All this leads to more online transactions, and more financial services companies moving into the digital realm. This alone is not surprising, but there is also acceptance now in the financial world that passwords are not a secure method to protect data. Take Visa, for example: in April of this year they started their plan to phase out static passwords for their Verified by Visa online fraud control service. Even the European Commission brought PSD2 online in January of this year, which requires strong customer authentication (SCA) for financial transactions (which, fyi, is more than just a password). With the growth of online transactions, and the financial industry getting sick and tired of losing ridiculous amounts of money to online hackers, we are seeing a strong push to kill the password once and for all.
Tipping point four: Infrastructure no longer a barrier
With any change that has societal implications, and believe me this does, there needs to be the correct infrastructure in place. Up until the advent of the iPhone 5s, consumers never really had access to biometric devices for personal use. Interestingly enough, the iPhone 5s fingerprint reader was what sparked the last wave of “the password is dead” conversations. But back in 2003 the infrastructure was nowhere near where it needed to be to have an impact on the movement. Since then, other behemoths started adding sensors and biometric reading software to their devices. This brings us to where we are today: most smartphones have the ability to biometrically verify users. It’s worth keeping in mind that not all biometric scanning is the same, but it is still way more secure than passwords.
Additionally, almost all Americans have smartphones already, and the largest group that does not own a smartphone is the least likely group to be impacted by online financial transactions. The 65+ group with an income of less than $30K annually has little to no involvement in the movement, whereas the 18-29 age group, along with the 30-49 age group, is leading the push for adoption, and will most likely convert to a new authentication mechanism well before any other group. And with the overall share of Americans with a smartphone being at 77%, we are only a few years away from biometric scanning being within reach for all Americans, regardless of their demographic grouping or interest in online transactions.
So what comes after passwords?
Ultimately biometrics will replace the password, but only in combination with another authentication method. This is commonly referred to as Multi-factor Authentication (MFA). Currently MFA relies on a username/password in combination with a second factor that only you have in your possession. Commonly this would be a cell phone. In the future the password requirement will drop and be replaced with biometric verification. The scenario will look like the following:
- You would go to a website as normal and put in your username
- An alert would be sent to your phone asking you to authenticate
- You scan your iris, or fingerprint, or face, and are authenticated
- The website allows you access with no password required
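The four steps above as a small simulation, added here as an illustration and not code from the original post. It simplifies a real deployment (which would use a device-bound public-key credential) to a per-device secret enrolled once and used with HMAC; the `Website`, `Phone` and `run_flow` names, and the username `alice`, are assumed for the example.

```python
import os
import hmac
import hashlib


class Website:
    """Relying party: stores a device secret enrolled from the phone, never a
    password. Issues one-time challenges and verifies the phone's responses."""

    def __init__(self):
        self.device_keys = {}   # username -> enrolled device secret
        self.pending = {}       # nonce -> username for outstanding challenges

    def enroll(self, username, device_secret):
        self.device_keys[username] = device_secret

    def start_login(self, username):
        # Step 1: the user types only a username; the site issues a fresh random
        # challenge so a captured response cannot be reused later.
        nonce = os.urandom(16).hex()
        self.pending[nonce] = username
        return nonce

    def finish_login(self, username, nonce, tag):
        # Step 4: a nonce is consumed on first use, so replays are rejected
        # even if the tag is valid; the comparison is constant-time.
        if self.pending.pop(nonce, None) != username:
            return False
        secret = self.device_keys.get(username)
        if secret is None or tag is None:
            return False
        expected = hmac.new(secret, f"{username}:{nonce}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


class Phone:
    """Possession factor: holds the device secret and releases a response only
    after the local biometric check (simulated here by a boolean) succeeds."""

    def __init__(self, device_secret):
        self._secret = device_secret

    def approve(self, username, nonce, biometric_ok):
        # Steps 2-3: the alert arrives; the secret is used only if the scan passes.
        if not biometric_ok:
            return None
        return hmac.new(self._secret, f"{username}:{nonce}".encode(), hashlib.sha256).digest()


def run_flow(site, phone, username, biometric_ok=True):
    """Run one login and return (granted, nonce) for the whole exchange."""
    nonce = site.start_login(username)
    tag = phone.approve(username, nonce, biometric_ok)
    return site.finish_login(username, nonce, tag), nonce
```

Access is granted only when the enrolled phone answers the current challenge after a passing scan; a failed scan, a different phone, or a replayed response is refused.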
Given the usability of software today, this method will most likely be easier and save more time than the current process. Additionally, it will be much more secure, as it requires not only your biometrics to verify but also your phone in your possession. There are other concepts for strong authentication, but given the tipping points above, this is the most direct and probable path.
The real driver of change
Although everything above is building momentum, the real way to predict change is to map out where the pain caused by doing nothing crosses the threshold of the pain felt in changing. We are very close to that point. Certain industries and governments have already started the push, and many more will follow in months, not years. The question is no longer “if” but instead “when”. We have the want, we have the need, we have the infrastructure, we have the technology, and we have giants like Google, Apple, various banking institutions, credit card processing companies, and governments already pushing the initiative. Personally, I can’t wait to never have to use a password again!