They say the only secure password is the one you can’t remember. The truth is that no password is ‘secure’, just like no organisation is ever completely ‘unhackable’.
A World Economic Forum report estimates that 80 per cent of all cybercrime attacks are perpetrated using weak and stolen passwords. With the rapid increase in login sharing and phishing attacks that result in credential theft, it’s harder than ever to know exactly who is gaining access to your assets.
Look no further than last year’s SolarWinds breach – the largest and most potentially damaging hack in history. ‘solarwinds123’ was the password of choice for an unsuspecting intern whose weak (but memorable) combination of letters and numbers resulted in the exploitation of every arm of the US military, as well as hundreds of multinational organisations like Microsoft, Cisco and FireEye.
Traditional methods of securing systems and data – such as passwords – are no longer a viable option to protect the assets that allow us to operate and do business. Although SolarWinds was a multifaceted attack, in a passwordless world the gate would have been closed on that particular vulnerability.
The concept of a passwordless future is certainly nothing new. Type the phrase into Google and you’ll find research reports, articles, podcasts and more citing the myriad problems with passwords in this age of rapid digital transformation.
“Are we ready for a passwordless future?” “Why passwordless is the future.” “Respondents believe passwordless authentication is the future of their organisation.” “The passwordless future and the path toward passwordless authentication.”
But working and living free from passwords is not the ‘future’ as it’s so frequently described – like some distant, space-age utopia. The technology that allows organisations to do away with these insecure and inconvenient access tools is available for mass deployment now, using biometrics to create a verified digital identity that can be used to authenticate access to both digital and physical assets.
There’s never been a greater need for identity-defined access solutions. With remote work and ‘bring your own device’ now an everyday reality for so many, it’s more important than ever for businesses to securely on-board team members, while also providing those team members with a seamless experience when accessing the applications they need to do their job. This shift to a remote workforce has destroyed for good the concept of the traditional corporate perimeter. Identity is now the new perimeter.
As the NSW Government launches its new NSW Cyber Security Strategy, we look forward to new initiatives that will support businesses to be more resilient in their response to increasing cyber security threats.
Going passwordless also fundamentally improves how a business operates. As well as the security benefits, an identity-defined approach streamlines the user experience, drives efficiencies and improves the bottom line. Okta estimates the average cost of resetting forgotten or compromised passwords is $70 per employee per reset, and the risk rises exponentially the larger the organisation – costing US$1.9 million annually for businesses with more than 10,000 employees.
The security industry’s response to the challenge of identity in the modern workplace has traditionally been to make life harder for users. Tools like multi-factor authentication can be effective, but in most cases put the onus on users to do more. With an average user managing up to 100 different passwords and IT teams spending an average of six hours a week dealing with password-related issues, adding more friction to the user experience has a massive impact on a business’ productivity.
Biometric credentials are not only a more secure option – eyes, voices, faces and fingertips are unique to each person – they also meet the demands of today’s users for convenience and agility. Sometimes overlooked, or de-prioritised in favour of security requirements, the user experience is a critical component of any technology solution. Fortunately, by using biometrics, the days of having to choose between effective security and a seamless user experience are gone – no more compromise, no more trade-offs.
A user’s biometrics can be used as a ‘universal credential’ to authenticate access in any scenario, from onboarding a remote team member to facilitating access to sensitive client data. A crucial element of the solution is combining the credential with liveness detection to guarantee the right person is accessing the right asset securely and conveniently, wherever they might be. This ensures a user is in fact ‘alive and in person’ and not an impostor trying to trick the system (like with a mask or fake finger).
If you don’t think this applies to your business, ask yourself: when a new team member joins, how do you know they are who they say they are? When someone logs into your network remotely, do you check that the account is being used by the person it was allocated to?
Ensuring you know who is accessing your assets is critical. As business leaders we can no longer overlook processes and policies that enable the use of easily exploited passwords in our organisations. The time to say goodbye to passwords is now.
This article was first published in The Australian.