Why We Should Eliminate Passwords as Passwordless Authentication Is the Futureby Sarah Van De Vyver, Product Marketing Manager at OneSpan March 24, 2022
The computer password has been around for more than 6 decades. The first password can be traced back to 1961 in Massachusetts when a computer at MIT was protected with a password for secure login.
Incidentally, MIT’s time-sharing system was the first system to suffer a data breach.
Since then, passwords have become a commonplace form of authentication, but the weakness of the solution has been painfully proven over and over again. Hence, it is time to say goodbye.
In this article, we discuss why is it important to let go of passwords altogether to improve the users’ security posture, and we take a closer look at the benefits from a passwordless authentication approach.
A surge in account takeover fraud
Cybercrime has soared since the pandemic, leading to a surge in identity-related losses.
According to Javelin Strategy and Research in their 2021 Identity Fraud Study, account take over (ATO) fraud resulted in over US$6 billion in total losses in 2020.
ATO often starts with bot-driven attacks such as credential stuffing, leveraging previously stolen user credentials and personally identifiable information to gain access to end user accounts.
Another successful technique involves brute force attacks. By using automation tools and bots, hackers try to guess passwords to gain unauthorised access to personal identifiable information and bank accounts.
Once an account is compromised, a fraudster can drain bank accounts of their funds, access payment information for use on other sites, or engage in another fraudulent activity.
Why eliminate passwords?
Passwords reduce security and possess vulnerabilities to a variety of attacks.
Moreover, they create friction and make things hard for people. No one wants the hassle of inventing a multi-letter, multi-number combination.
Such passwords are hard to remember, and easy to guess, steal and crack. Passwords also create administrative overhead.
In fact, Forrester Research has shown that large organisations spend up to US$1 million per year on helpdesk interventions involving password resets.
What is passwordless authentication and is it secure?
Passwordless authentication encompasses every authentication method that doesn’t rely on a static password or knowledge-based secret for secure access.
Proof of a user’s identity therefore relies on other authentication factors such as a possession factor (such as a mobile authenticator app or hardware token that generates one-time passwords) or a biometric element such as a fingerprint or facial scan.
Passwordless login greatly reduces the attack vector as there is no password to be leaked or intercepted.
Taking a multi-layered approach to authentication that includes app security, device security and continuous fraud monitoring will further enhance the level of security.
Benefits of passwordless authentication
Passwordless authentication reduces social engineering and account takeover fraud.
As there are no passwords to phish or compromise, the likelihood of being exposed to phishing attacks or account takeover attacks is greatly reduced.
Secondly, a passwordless approach to authentication will enhance the user experience.
Employees and customers can access services without having to remember complex passwords and typing them over.
Eliminating password fatigue and management can be achieved by deploying biometric authentication options such as a fingerprint or facial scan to achieve a seamless user experience.
By combining two factors such as something the user has (e.g., a mobile device for obtaining a passcode in an SMS message or from an authenticator app) and something the user is (e.g., a fingerprint or facial recognition), you can obtain a much stronger two-factor authentication (2FA) than authentication that is solely based on passwords.
Thirdly, password management eats up resources. Going passwordless will help a company reduce the costs associated with password resets and monitoring.
In addition, by strengthening their security and reducing attack vectors, a company can reduce the risk of falling victim to a data breach, which comes at a high cost.
Passwordless authentication is the future
Gartner predicts that 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases.
Organisations should implement passwordless authentication to reduce attack vectors, enhance the user experience and reduce operational costs.
Downloading OneSpan’s whitepaper to discover superior user experience and growth through intelligent security with adaptive authentication here.