Pagoda Blog

Are Passwords Strengthening or Compromising Your Security? The Pros and Cons of Passwordless Authentication

February 17, 2022

For most of us, when we think of cybersecurity we automatically think of passwords. A password is how we protect most, if not all, of our accounts, and yet we’re still not very good at creating strong passwords or storing them securely. According to a 2021 survey conducted by security.org, more than 2 in 3 people reuse passwords across multiple accounts, less than half feel their passwords are secure, and only 37% use a secure password manager to store their passwords. (Fun fact: 42% of survey respondents used curse words in their passwords. Seems quite fitting for 2021, don’t you think?)


Too many of us simply have terrible habits when it comes to creating, updating, and storing passwords. We use short, easily cracked passwords that include personal, easily identifiable information like our date of birth or street name. We use the same password across multiple accounts. We fail to enable two-factor or multi-factor authentication, and we store our passwords in ways that put our data at risk. According to a survey run by Digital Guardian, 39% of respondents remember their passwords by writing them down on a piece of paper, and only 28% use a secure password manager.


This brings us to the big question: Are passwords actually making your business more secure or putting your data at greater risk? 


The risks of using passwords 

It’s clear that password security has quite a few weaknesses, largely because it invites so many opportunities for human error. Even if you regularly train your entire team in cybersecurity (as you should), you can’t control every variable or account for every possible misstep a team member might make.


According to the 2021 Verizon Data Breach Investigations Report, 61% of breaches in 2020 used unauthorized credentials, namely passwords. This is in part because we simply have too many accounts to keep track of (on average, more than 200), leading us to create weak but easily memorable passwords and to reuse them many times over.


In addition, many companies and websites require users to frequently change their passwords, compounding the problem of reusing weak passwords and leading users to write them down in risky places like sticky notes, Google Spreadsheets, or inadequately protected smartphone apps. 


With the many problems that passwords present, there has to be a better solution, right? We already recommend using 2FA or MFA across accounts so that you never rely on a password alone to protect your data. The next step, however, may be going entirely passwordless.


So what exactly does it mean to go passwordless and how does it work? 


What does it mean to go passwordless? 

Passwordless authentication uses any method other than a password to verify the identity of a user. These other methods include facial or fingerprint recognition, a device identifier, or adaptive MFA. There isn’t yet a specific technology associated with passwordless authentication, but according to PingIdentity, it “is a goal or desired outcome.”


“The objective of passwordless authentication is to provide technologies and support use cases that reduce—and potentially eliminate—the use of passwords. This is an important goal because using passwords presents well-known usability issues and security risks.” 


It’s important to keep in mind that the end goal of going passwordless is to improve security, not compromise it in any way for the sake of convenience. This means that as you start eliminating the use of passwords, you must replace those passwords with a method of identity verification that is even more secure. 


Two methods for passwordless authentication

There are two methods for achieving passwordless authentication: inherent factors and possession factors. An inherent factor verifies identity with something you are, such as your face, fingerprint, or voiceprint; these are also called biometric factors. A possession factor verifies identity with something you have, such as a verification device like a hardware token, or your email account or smartphone.


There is a third type of factor called a knowledge factor. This refers to something you know, like a PIN, the answer to a security question (e.g. the name of your first car or job), or a traditional password. Knowledge factors are all essentially a form of password and can be easily forgotten, stolen, or compromised, so they aren’t used for passwordless authentication.


Pros and cons of passwordless authentication

No longer having to keep track of dozens of passwords sounds pretty appealing, right? While going passwordless is the way of the future, there are still some pros and cons to weigh before making the switch.


Pros of passwordless authentication

As you can imagine, there are several very convincing pros for going passwordless. These include increased security, an improved user experience, and potentially lower costs from an IT perspective. 


Increased security 

As outlined above, passwords come with quite a few vulnerabilities. Moving towards eliminating passwords has the potential to significantly increase the security of all your accounts, mitigating the risk of a data breach.  


Better user experience 

Forgetting your password and being forced to reset it before gaining access to an account is incredibly frustrating. It also wastes valuable time, lowering productivity and slowing down operations. A better user experience is also important for your customers: if you ask customers to create an account through your website, any way you can reduce the friction during that sign-up process will increase the number of leads who follow through and continue using your service.


Fewer hassles = lower costs for IT 

Every time your IT team or help desk has to deal with resetting a password, it takes time and costs money. Passwordless authentication promises to reduce the need for help desk support when it comes to resetting account passwords and helping users regain access to blocked accounts. It could also lower IT-related costs by mitigating the risk of a data breach. Fewer breaches mean less time spent on recovery and damage control.


Cons of passwordless authentication

Passwordless authentication is still a new approach to identity verification and, like any cybersecurity strategy, it’s not perfect. The biggest downsides we see to eliminating passwords are higher up-front costs, more complicated troubleshooting when problems do occur, and resistance to change among employees and customers.


Higher costs in the short-term 

When you first implement passwordless authentication, you will have to invest in new technology to support inherent or possession identification methods. You may need to buy verification devices for all your employees, such as a verification key, token, or dongle, or purchase software to support smartphone-based authentication apps.


More challenging to troubleshoot 

With passwordless authentication, users should in theory get locked out of their accounts less often, reducing the need for tech support. It is, of course, still possible for users to lose their verification device or to be locked out of the email account or phone required to receive a verification code. In these cases, the steps required to regain access to the account can be more complicated and time-consuming. Your IT team should always have a backup plan or workaround in place (such as extra verification devices on hand) so it is prepared for these scenarios.


Resistance to change or adoption hesitancy 

When you introduce a new technology, or just a new way of doing things, there will inevitably be some resistance. People have grown very accustomed to using passwords, and they are a familiar form of identity verification, even if a highly risky and inconvenient one. When rolling out a passwordless authentication policy, transparency around why you are implementing it is paramount, as is giving employees, customers, and your IT team time to adapt to and fully adopt a new way of accessing all their accounts.


Should your business eliminate passwords?  

Going passwordless should be approached in several phases over a series of months. As with any cybersecurity strategy, it’s important to take the time to educate your team about the upcoming change and prepare them for the shift. Even if you’re not ready yet to retire passwords, passwordless authentication is a smart future objective for any business. To start, make sure you’re at least using 2FA to access all sensitive accounts and establish password security guidelines to ensure team members are informed of best practices. Understanding the many vulnerabilities of password security is also a good reminder to continually monitor your cybersecurity strategy to ensure you’re doing everything you can to keep your network and company accounts as secure as possible. 


Need help with password management or ensuring your business has effective cybersecurity strategies in place? Reach out for a free consultation to see how we can help. 



Featured photo by Proxyclick Visitor Management System on Unsplash


About Pagoda Technologies IT services

Based in Santa Cruz, California, Pagoda Technologies provides trusted IT support to businesses and IT departments throughout Silicon Valley, the San Francisco Bay Area and across the globe. To learn how Pagoda Technologies can help your business, email us at support@pagoda-tech.com to schedule a complimentary IT consultation.