Go passwordless to improve security AND convenience

Guest blog by Godwin Amila, Senior Lead Solution Engineer (Identity) at WSO2 #techUKCyber2023

Passwordless authentication is a method of authenticating users without requiring users to enter a username and password. Instead, it relies on alternative factors for authentication such as security keys (such as Yubikey) or biometrics (fingerprint, face ID, or touch ID), etc. This approach is gaining popularity due to its ability to enhance security and improve user experience.

The problem with passwords

Users are accessing multiple systems and those systems have their password requirements with some having policies that require passwords to be unique, long, and complex, with combinations of letters, numbers, and special characters. On top of this, it is also recommended to change passwords from time to time. Keeping track of multiple complex passwords is challenging. Forgetting passwords can cause work interruptions or sometimes lock users out of their accounts. To help them remember, users might reuse the same passwords for different accounts, use easy-to-guess passwords, or even write them down on sticky notes.

In large organisations with many employees and digital assets/tools, managing passwords is a crucial part of the IT support team. 50% of all help desk calls are for password resets. And the worst part is that password resets aren’t just tedious; they’re costly. Forrester Research found that the average password reset cost is upwards of $70.

Using passwords is inconvenient for both end-users and the organisation's support team. Exploring alternative authentication methods can alleviate these challenges and enhance overall security.

Not secure

According to the Verizon 2021 Data Breach Investigation Report, 89% of web application breaches involved some sort of credential abuse (either the use of stolen credentials or brute force).

Basic login methods that rely solely on usernames and passwords are just not secure. Attackers can guess or steal credentials and gain access to critical systems using different techniques such as brute force, phishing, and credential stuffing. Even the strongest passwords are easy to phish.

Users use password managers to handle their passwords, but there are instances where even password managers have been breached.

Insecure passwords pose significant risks for both individuals and organisations. For individuals, they can lead to unauthorised access, identity theft, financial losses, and privacy breaches. Organisations face severe consequences too, including financial losses, legal troubles, and damage to their reputation. Customers may lose trust, leading to a loss of business. Failing to comply with data protection laws can result in legal issues. This highlights the need for alternative authentication methods and extra security measures to protect digital assets and create a better user experience.

Password + better

If you are going to use passwords at all, Multi-Factor Authentication (MFA) is a must. But not all MFAs are equal. Some have better security and others are more convenient. Password + Email/SMS OTP is widely used for external user authentication. Password + TOTP is also a better option for external user authentication. Security tokens and smart card options exist for internal user authentications. There’s no doubt that MFA dramatically reduces password-related security risks. Microsoft reported that up to 99.9% of account takeover attempts were defeated when MFA was in use.

Why go passwordless

Passwordless authentication brings important advantages. It makes things more secure by removing the need for traditional passwords that can be easily abused. This also means users don't have to worry about memorising or managing passwords, making the whole process much easier.

For organisations, this can save a significant amount of time and money that would otherwise be spent on password-related support. It's like upgrading your security while also making things simpler and more cost-effective. According to EMA, higher sales conversion rates were achieved by organisations that support passwordless and multifactor authentication (roughly 12% higher than the overall average).

It's important to tailor your approach to passwordless authentication based on your specific business needs and the type of users you're working with. For internal users, like employees, you have the freedom to introduce various passwordless options like Windows Hello, security keys, Fido tokens, etc. However, when it comes to external end users (Consumer identities), options like Mobile biometrics, One-Time Passcodes (OTP), MagicLinks offer a better balance between user experience and security.

The Future?

For organisations, a sound approach to enhance security and user convenience will be to eliminate passwords entirely from their authentication processes. Major tech players like Apple, Google, and Microsoft are actively investing in bolstering the adoption of passwordless sign-ins through extended support for the FIDO standard.

In cases where a password-free system may not be immediately feasible, it's crucial to implement strong MFA in addition to passwords. This extra security step provides strong protection for important accounts, data, and other digital assets.

Furthermore, prioritising user convenience involves allowing users the flexibility to choose their preferred method of authentication and ensuring your authentication experience is consistent with all applications.

Cyber Security Programme

The Cyber Security Programme provides a channel for our industry to engage with commercial and government partners to support growth in this vital sector, which underpins and enables all organisations. The programme brings together industry and government to overcome the joint challenges the sector faces and to pursue key opportunities to ensure the UK remains a leading cyber nation, including on issues such as the developing threat, bridging the skills gap and secure-by-design.

Learn more