The move to a passwordless society -

For decades, the humble password has been the cornerstone of our digital security, as well as the curse of our ability to remember them. But in 2024, the limitations of passwords call into question the security they offer, so perhaps it’s time for us to explore a passwordless society.

Many of us are familiar with FaceID, two-factor authentication and banking apps that need another level of verification, so could dynamic authorizations, zero-trust and identity-first authentication take center stage and see passwords off for good? We’ve considered some of the advantages – and the enduring sticking points for moving to a truly passwordless society.

REASONS TO GO PASSWORDLESS

ENHANCED SECURITY

Continuous monitoring of user behavior and context in place of passwords increases security and reduces the risk of phishing attacks. For example, instead of prompting for authentication only during login, systems can continually observe and assess a user’s actions. A good example is if your bank notices you are transferring a sudden hefty sum of money, it triggers an additional verification step to ensure your identity is confirmed before completing the transaction. This also enhances security without causing unnecessary friction for routine actions.

REDUCED PASSWORD RELATED RISK

According to Verizon’s 2021 Data Breach Investigations Report, stolen credentials are the most common data breach incident – compromised passwords account for more than 60% of breaches due to hacking. Passwords are vulnerable to various threats, such as brute force attacks and credential theft. Moving to passwordless means focusing on continual session monitoring and risk profiling. This is a crucial shift for security enhancement.

SECURE ACCOUNT RECOVERY

If you have lost a laptop, dropped your phone into the bath and your methods for account recovery are compromised – SMS, email etc – it’s faster and more secure to recover the account with your identity than a password you can’t access. Verified digital documents (driver’s license, passport etc) or facial recognition offer a way to prove your identity and recover your accounts much faster, more efficiently and securely.

REDUCING FRICTION FOR USERS

According to a survey by Digital Guardian, 81% of respondents have experienced frustration with traditional password systems. One of the key benefits for passwordless authentication is how seamless it is for the user. Instead of repeatedly entering passwords (or resetting them!), users are prompted for additional verification only when their actions or context raise a security concern. This makes it a much more efficient and pleasant user experience.

COST OF RESET

Most IT helpdesks know the cost of resets in resource and opportunity cost of those higher value tasks your IT team could otherwise be doing. According to Forrester Research, the average cost of a helpdesk-initiated password reset is about $70 per request. Passwordless authentication reduces the need for
resets altogether.

BIOMETRIC ADOPTION

The use of biometric authentication methods is on the rise – a report by Grand View Research estimated that the global biometric market size would reach $100 billion by 2027. Passwordless systems often use biometric authentication methods.

There are thankfully fewer objections to going passwordless, but these are barriers that take time to remove or reset. They include:

USER EXPECTATIONS

Often technology moves faster than cultural norms. As humans, we’ve been conditioned for decades that a password represents strong security, and so the absence of one makes us feel less secure. Resistance to change is one of the main reasons we still have passwords.

USER EDUCATION

Educating users about passwordless authentication is crucial and organizations must invest in initiatives to help users understand new methods and to feel comfortable using them. This, however, is time and resource hungry.

PRIVACY CONCERNS

Continuous monitoring of user behavior and context can raise privacy concerns – striking the right balance between fending off fraud and respecting user privacy is a challenge that must be addressed.

FALSE POSITIVES

The risk-based approach to authentication may sometimes trigger false positives, inconveniencing users who are performing legitimate actions. For example, if the user of a collaboration tool typically works Monday to Friday, but happens to log-in on one weekend, the system may flag this as a security risk and request further authentication. This risks the employees work being interrupted and causing frustration. Again, striking a balance between security and user convenience and satisfaction is a continuous challenge.

Ultimately passwordless authentication is not a one-size-fits-all solution, based upon application, industry and level of security required, but it offers a secure way of verifying users based upon who they are, not what they know. It represents the future of enhanced security, improved user experience and adaptability to risk-based authentication my removing the vulnerabilities associated with traditional passwords.

Don’t let passwords be your weakest link. Schedule a call with an identity expert today, and take the first step towards a safer, more efficient authentication process.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
LS_CSRF_TOKEN	session	Cloudflare sets this cookie to track users’ activities across multiple websites. It expires once the browser is closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_47704508_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
_zcsr_tmp	session	No description available.
663a60c55d	session	No description available.
ac09458e72	session	No description
AnalyticsSyncHistory	1 month	No description
CookieLawInfoConsent	1 year	No description
fd6b13af5c	session	No description available.
li_gc	2 years	No description
proofidltd-_zldp	2 years	No description
proofidltd-_zldt	1 day	No description
visitorId	1 year	No description
zc_consent	1 year	No description available.
zc_cu	1 year	No description available.
zc_cu_exp	1 year	No description available.
zc_loc	session	No description available.
zc_show	1 year	No description available.
ZCAMPAIGN_CSRF_TOKEN	session	No description available.