It Is Time to Forget Your Password
Since the dawn of the internet, the username/password combination has been the first line of defense for individuals and companies against cybercriminals. But thousands of cyberattacks later, passwords have proven to be a hassle and a significant security challenge, and using them alone is no longer sufficient to protect accounts and data.
When Bill Gates predicted the death of passwords fifteen years ago, the alternatives were nowhere close to today’s frictionless authentication methods that use static and advanced behavioral biometrics. But even then, Gates could see that passwords would eventually die because they would not deliver the user experience or security that consumers and enterprises would need in the future.
“There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure,” Gates said at the 2004 RSA conference.
Passwords are weak
When the modern internet user is forced to remember, on average, passwords for 92 online accounts across multiple devices, consumers choose the easy way out, which often means recycling passwords, using weak and easy-to-remember combinations, and storing them insecurely. This omnipresence and susceptibility to human error make passwords not only an annoyance but also a vulnerability.
The most common types of attacks, such as sophisticated phishing, brute force attacks, and social engineering, all prey on poor password hygiene. A 2019 Verizon Data Breach Investigations Report shows that 81% of hacking-related breaches are due to weak passwords.
Still, passwords are not quite dead yet, and they will be around for a while. However, medium- and large-size companies “are not resigning themselves or their users to password-only account security”, according to a 2015 Lawless Research/TeleSign study.
The study predicts that passwords “may show up on the endangered list within the next decade,” whereas the use of behavioral biometrics is poised to grow dramatically. The study’s survey shows that 90% of companies rate behavioral biometrics as “an extremely or very valuable technology for increasing account security beyond password protection.”
The Future is Zero Sign-On
One of the emerging password-less alternatives is the so-called “Zero sign-on” access. It refers to technologies that recognize users based on their behaviors, to the point where static biometric authentication, like fingerprints and facial recognition, is not even necessary to access a smartphone or a bank account.
Users would be authenticated based on their unique behaviors, such as how hard they tap the phone, how fast they type, the way they walk, etc. These features are unique and almost impossible for an attacker to steal or duplicate.
Many large retail companies and security firms are testing out the technology. For example, the enterprise security company MobileIron has upgraded its suite of authentication products to allow IT managers to abolish the password. The firm relies on security features in modern hardware coupled with other signals to make a no-password login as secure as one with a password.
Behavioral biometric authentication is hailed as the most secure and convenient method to protect and securely access accounts. Gartner predicts that, by 2020, enterprises that invest in new authentication methods, like biometrics, will experience 50% fewer identity-related security breaches than those that don’t.
The awaited technology is ground-breaking; however, its success will depend on effective regulations, especially regarding the users’ awareness of being either monitored or logged out, as well as where this behavioral data ends up and how it is protected.