Moving Away from Passwords
The use of passwords – the traditional method for employees and customers to access networks, applications, data sources and other elements of the IT infrastructure – is the most common method of authentication. They have the advantage of being easy to implement, they are cost-effective, they can be entered from virtually any device with a keyboard, and they offer privacy because they include no personal information.
The downside to passwords – and it’s a significant one – is that they are insecure. Many users will re-use the same password in order not to have to remember a unique password for each application or device, they will employ simple passwords that are easy to remember and easily guessed by bad actors, and most users don’t change their passwords frequently, if ever.
The result is that password-protected corporate systems are easily hacked and various types of accounts are taken over, resulting not only in employees’ accounts becoming compromised, but in many cases those of customers, as well. And, the results can be devastating: everything from the minor annoyance and cost associated with resetting passwords (about $70 per account) to full-blown ransomware attacks that can bring an entire organization to a halt and, in some cases, put a company out of business.
There are better authentication methods that have been deployed, such as using SMS codes sent to a mobile phone once a username and password have been entered successfully. However, even these authentication methods can be circumvented by bad actors.
Consequently, there is a strong push to adopt passwordless authentication methods, including biometric methods, to improve corporate security. The fundamental goal of passwordless and biometric approaches is to make access to corporate systems far more secure than is possible when using passwords alone, or even when using SMS-based authentication.
A passwordless authentication scheme does not require any sort of username or password to authenticate a user, but instead uses some other method to authenticate the accessor, such as a pre-existing social media account. Biometric methods, which constitute a subset of passwordless schemes, are varied and may employ fingerprints, iris scans, palmprints, or voice recognition. These authentication schemes offer numerous advantages, not least of which is that users don’t have to remember anything, the user experience is easy, and they are very difficult to spoof.
Despite the benefits associated with passwordless and biometric authentication methods, they have not been adopted by most organizations. For example, in a survey that Osterman Research conducted for BIO-Key International in May 2021, we discovered that fewer than one-third (29%) of the mid-sized and large organizations surveyed have implemented any sort of passwordless authentication workflow for their employees, and far fewer – only 9% – have done so for their customers.
The good news is that many organizations are planning to implement passwordless authentication workflows for both employees and customers – 40% plan to do so for employees and 23% will do so for customers. The bad news is that nearly one-third (31%) of organizations have no plans to implement passwordless workflows for their employees, and most (69%) have no plans to implement passwordless workflows for their customers.
So why the relatively low uptake for passwordless and biometric authentication methods? The survey found that there were several reasons why organizations are either not using or considering the use of biometrics, but the three leading reasons are that security managers:
- Are worried about low user adoption.
- Think biometrics are too expensive.
- Are concerned about potential privacy and regulatory issues.
While these concerns are understandable, Osterman Research believes that they are not well-founded. For example:
- User adoption of a biometric authentication scheme might be slow at first, but employees and customers will quickly become accustomed to it and most will end up preferring biometrics over passwords. For example, a survey conducted for Visa found that two-thirds of consumers in the United States who have used biometrics consider them to be faster and easier to use than passwords.
- While a biometric authentication approach will be more expensive than a simple password scheme up-front, the cost of each approach must be considered holistically. For example, the same Visa survey found that 68% of US shoppers “have abandoned an online purchase due to forgetting a password, trouble logging in, or issues receiving a one-time passcode”, and more than one-half of credit card holders responded that they would change banks if not offered a biometric option. Decision makers must consider not only the cost of the biometric solution itself, but also the cost of the lost revenue from customers who will abandon a shopping cart or switch to another vendor.
- Because biometric solutions store personal information, such as fingerprint data, additional care is required to ensure that this information is protected. This has become especially important in light of the large and growing number of privacy regulations that are or soon will be in force. However, with proper data protection and encryption technology and processes, this is a simple problem to address.
The bottom line is that passwordless and biometric authentication is much more secure than traditional password-based authentication, it enables a better employee and customer experience, and its overall cost – when considering all costs – is significantly lower.
Implementing Multi-factor Authentication (MFA) with Biometrics
The most secure solution is implementing both biometric authentication and passwords using multi-factor authentication (MFA). MFA requires end users to provide two or more verification factors and is an added layer of security on top of a single factor. Single factor logins like a password are no longer sufficient enough to secure your login, so combining it with an authentication method that confirms you are who you say you are can provide the highest level of security.
Organizations today are being targeted by outside attacks and exploited due to their lack of security measures. The recent Executive Order on cybersecurity urged companies to adopt more advanced security features, including MFA. While each form of security has their benefits, combining a mix of a password and biometrics is the best way to ensure data remains safe.
Learn more about how multi-factor authentication approaches differ from more traditional methods in our State of MFA eBook.