How often are you unable to use digital applications because you’ve forgotten your password? Are you left scrambling through endless loose papers with passwords scribbled down to find out which password is for which account? Perhaps you prefer using similar passwords across multiple accounts? Chances are, we are all guilty of doing this at some point as we too often opt for convenience over security.
It’s not hard to see why. To make employees’ lives easier and more flexible, large enterprises are deploying an average of 163 cloud applications. Yet it’s hard to fathom the sheer scale of logins required for users to access these services, which plays a big part in workers choosing insecure methods to help them remember passwords.
The wider implications of this are significant. According to Verizon’s 2019 Data Breach Investigations Report, 80 per cent of hacking-related breaches are a result of weak or compromised credentials, while 29 per cent of all breaches involved the use of stolen credentials. The consequences of a breach can be catastrophic, with the average cost of a stolen record at $148, and the total cost incurred from a data breach averaging $3.86m – far from small numbers.
To tackle this, we need to shift away from failing password-only authentication systems, and instead seek more appropriate ways to strengthen security and keep our personal credentials safe.
Inadequacy of passwords
Okta recently commissioned research delving into passwords and found that an alarming 78 per cent of respondents use an insecure method to help remember their password, with 34 per cent admitting to using the same password for multiple accounts. But should workers take the blame? A psychology study by Sasse supports the notion that we can only remember a finite number of passwords, increasing the likelihood of using repeat passwords.
Another study (Schacter) found that many choose passwords that are easy to remember or that carry emotional significance for them. As cyber attacks become more sophisticated and personal by the day, the chances of having a password discovered and personal data exposed to risk increase. And sweeping digital transformation strategies across the enterprise will see more services become digitized, likely heightening the number of weak passwords.
Beyond the password conundrum
Overcoming the reliance on passwords is not going to happen overnight, but with technology advancements, such as biometrics, there is finally encouragement for a passwordless future.
There are real-life examples of this in motion. India’s Aadhaar identity system gives citizens a unique 12-digit number based on their biometric and demographic data, enabling access to welfare, tax payments and social services. Estonia has pursued a similar initiative through its e-Identity system, which provides its citizens with a digital identity via a chip-and-pin e-card designed to authenticate people.
National identity systems such as these show promise for the enterprise to adopt similar digital identities in the workplace, built off more personal data. Unlike passwords and usernames, personal data such as biometrics are much harder to replicate or even break as this data is unique to an individual.
Biometrics as a solution
Okta’s research showed a growing appetite for and acceptance of biometrics as an added layer of security at work, or even as a long-term replacement for passwords. A staggering 70 per cent of respondents feel there are advantages to using biometric technology in the workplace. However, 86 per cent of respondents have some reservations about sharing biometrics with their employers, demonstrating that workers are ready for the ease of use, but need to gain trust in, and be educated about, how organisations use and protect that data.
While biometrics may be more of a longer-term goal, organisations can start with adopting contextual factors to ease authentication processes. Factors such as geolocation and IP address can help validate a user and grant them access to workplace applications. If these factors are considered ‘trusted’, then access can be granted without the need to enter a password.
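The contextual check described above can be sketched as a small policy function. This is an added example, not code from Okta or the author; the network ranges, country list and the three decision names are constructed assumptions, and the source address is assumed to be the one the identity provider itself observes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed policy values (assumptions, using documentation address ranges).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),    # hypothetical office egress range
    ipaddress.ip_network("2001:db8:10::/48"),  # hypothetical office IPv6 range
]
TRUSTED_COUNTRIES = {"GB", "DK"}               # hypothetical expected countries


@dataclass(frozen=True)
class LoginContext:
    user: str
    source_ip: str               # address observed server-side, never a client-supplied header
    geo_country: Optional[str]   # ISO country code from a GeoIP lookup, None if unknown


def ip_is_trusted(source_ip: str) -> bool:
    """True only if the address parses and falls inside a trusted network."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False             # malformed input is never treated as trusted
    return any(addr.version == net.version and addr in net
               for net in TRUSTED_NETWORKS)


def decide(ctx: LoginContext) -> str:
    """Map the two contextual factors to an access decision."""
    trusted_ip = ip_is_trusted(ctx.source_ip)
    trusted_geo = ctx.geo_country in TRUSTED_COUNTRIES
    if trusted_ip and trusted_geo:
        return "ALLOW_PASSWORDLESS"   # both factors trusted: no password prompt
    if trusted_ip or trusted_geo:
        return "STEP_UP"              # partial trust: ask for an additional factor
    return "DENY"                     # nothing about the context is recognised


if __name__ == "__main__":
    # Constructed sample logins.
    for ctx in (LoginContext("alice", "203.0.113.25", "GB"),
                LoginContext("alice", "203.0.113.25", "BR"),
                LoginContext("bob", "198.51.100.7", None)):
        print(ctx.user, ctx.source_ip, ctx.geo_country, "->", decide(ctx))
```

Both signals can change without the user changing (VPNs, mobile networks, stale GeoIP data), which is why partial trust here leads to a step-up prompt rather than to access.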
In today’s society, there is mounting pressure to tackle incidents of cybercrime. We must all do our part in being more vigilant and careful with the information used in authentication processes. But this should not only be the responsibility of employees. Enterprises need to move away from their reliance on passwords, which have failed us as an authentication method for far too long. By adopting passwordless technologies such as biometrics and contextual factors, businesses can increase security and tackle data breaches more effectively.
Jesper Frederiksen is the General Manager, EMEA, for Okta.