Every company should be concerned about cybersecurity, now more than ever. The COVID-19 pandemic has forced many businesses to provide work from home (WFH) options for employees. These arrangements foster social distancing — which is good — but also provide new opportunities for hackers to access valuable company data and proprietary information, as well as private customer details — which is decidedly not good.
Companies have a wide range of options to choose from for becoming more secure, such as regularly updating applications, creating strong backup processes, using VPNs and encrypted messaging, and having custom software created by a nearshore development team. Another option is to reconsider the use of passwords.
Passwords are still heavily in use but are gradually becoming less prevalent as authentication methods that are newer, more convenient, and more secure emerge. At the very least, most systems that use passwords also require one or more additional authentication factors such as a unique, one-time-use passcode or a “magic link” instead of the standard credentials. Here we explore why passwords are on their way out and what new technologies are replacing them.
Passwords Don’t Provide Enough Security
Security specialist Exabeam writes, “For as little as $500, cybercriminals can buy a database of stolen credentials and target multiple websites to gain access, knowing that some users reuse passwords.” In this way, as stated by the World Economic Forum, “In terms of cybersecurity, weak password management is central to the entire criminal ecosystem.”
According to technology expert Eric Elliott, even hashing passwords (a method for disguising stored passwords) isn’t enough. He writes, “Once a database of passwords has been stolen, hackers…use parallel GPUs or giant botnets with hundreds of thousands of nodes to try hundreds of billions of password combinations per second in hopes of recovering plaintext username/password pairs.”
The security breaches that result when those pairs are recovered are annoying at best and giant problems at worst, as resolving them takes time, money, and other resources. While many companies recover from these events, others don’t.
Passwords Are Hard to Work With
As you go through your daily life, how many passwords do you have to keep track of for personal and work-related sites? If it’s any more than a handful, you know what a chore it is to try and remember them. Sticky notes and spreadsheets do more harm than good, as they give potential hackers an easy way to capture credentials.
Now experts are recommending more complex passwords and having a unique one for each site you must log into, making password management even more difficult. Even those who use a password manager may make the mistake of sharing passwords with others who may lose or share them or, worse, giving them to a hacker claiming to be an IT technician (a method known as social engineering).
Companies that expect employees to take on the responsibility of creating and managing passwords are risking security given these inherent challenges. That’s why, according to Exabeam, “Backed by heavyweights, including Amazon, Google, and Microsoft, eliminating passwords is gaining momentum.”
Passwords Aren’t the Only Way to Authenticate
Multi-factor authentication (MFA) is the practice of using more than one authentication method to verify that users are who they say they are. For example, an online banking system may require customers to enter their username and password, and then a code that is sent to their mobile phone via text. With this method, a hacker would have to have access not just to the credentials, but also to the customer’s phone to gain entry to their account.
Here are a few other authentication methods currently being employed. As they are used more, passwords will increasingly be used less.
Biometrics are physical attributes that uniquely identify individuals. Because we always have them with us, they’re easy to use.
- Fingerprints. No two people have the same fingerprint, so this method can definitively verify an individual’s identity. One example of this technology is the iPhone 5S, which includes Touch ID as a verification option.
- Facial recognition. Devices like the Google Pixel smartphone include facial recognition as a verification option. Rather than typing in a code or a complicated pattern, a user can simply pick up their phone and point it at their face to gain access.
- Iris recognition. Iris recognition is similar to facial recognition but uses only the eye’s iris to verify identity.
Similar to an access code, push notification (aka “magic link”) authentication requires access to a specific mobile device or email account. When a user requests entry to a site, they receive a link via text message or email, and must activate the link to gain access. Typically, the link expires after it’s used, or after a certain length of time.
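The link lifecycle described above (issued on request, valid once, and only for a limited time) can be sketched as follows. This is an added example, not code from the original article; it enforces both single use and a time limit. The 10-minute lifetime, the `app.example.test` URL, and the in-memory store are assumptions standing in for a real service's settings and database.

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 600                        # assumed lifetime: 10 minutes
BASE_URL = "https://app.example.test/login"   # hypothetical endpoint


class MagicLinkStore:
    """In-memory stand-in for the table a real service would keep."""

    def __init__(self):
        self._pending = {}   # sha256(token) -> (email, expires_at)

    def issue(self, email, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the digest is stored, so a leaked table holds no usable links.
        self._pending[digest] = (email, now + LINK_TTL_SECONDS)
        return f"{BASE_URL}?token={token}"

    def redeem(self, token, now=None):
        """Return the e-mail the link was issued to, or None if invalid."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() removes the entry whether or not it is still valid:
        # a link works at most once, and an expired one is cleaned up.
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None                       # unknown, forged, or already used
        email, expires_at = entry
        if now > expires_at:
            return None                       # past its lifetime
        return email


def demo():
    store = MagicLinkStore()
    t0 = 1_700_000_000.0                      # constructed clock value
    link = store.issue("alice@example.test", now=t0)
    token = link.split("token=", 1)[1]
    first = store.redeem(token, now=t0 + 30)    # clicked within the window
    replay = store.redeem(token, now=t0 + 60)   # same link clicked again
    stale = store.issue("bob@example.test", now=t0).split("token=", 1)[1]
    late = store.redeem(stale, now=t0 + LINK_TTL_SECONDS + 1)
    return first, replay, late


if __name__ == "__main__":
    print(demo())
```
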
Hardware security keys connect to hardware devices using USB, USB-A, USB-C, NFC, and Bluetooth technology. Some of them include fingerprint authentication for users who want biometric identification for devices that don’t use it. Security keys are small enough to carry anywhere and most of them can be attached to a keychain.
Hardware security modules
Hardware security modules (HSMs) are physical devices that match specific applications. They exist in different formats, including embedded PCI Express cards, Ethernet-connected appliances, and USB-connected devices. They enable cryptographic operations and protect cryptographic keys.
Consider Password Alternatives
If your company requires passwords to gain entry to internal systems, remember that password management, not to mention password retrieval if one is forgotten, takes up time your workers could be spending on more valuable tasks. This time could add up to tens or even hundreds of hours per year if multiplied across your entire workforce. Imagine the research, planning, and innovation that could be done during that time instead.
Additionally, if your business develops apps or software for customers, use of passwords could be promoting a negative customer experience (CX), which may contribute to loss of loyalty, business, and revenue. Given these important factors, business leaders should start to consider what other methods might make the most sense for employees and customers to use instead, as passwords increasingly become a thing of the past.