For decades, the humble password has been the cornerstone of our digital security, as well as the curse of our ability to remember them. But in 2024, the limitations of passwords call into question the security they offer, so perhaps it’s time for us to explore a passwordless society.

Many of us are familiar with FaceID, two-factor authentication and banking apps that need another level of verification, so could dynamic authorisations, zero-trust and identity-first authentication take centre stage and see passwords off for good? We’ve considered some of the advantages, and the enduring sticking points, of moving to a truly passwordless society.

Reasons to go passwordless

Enhanced security
Continuous monitoring of user behaviour and context in place of passwords increases security and reduces the risk of phishing attacks. Instead of prompting for authentication only during login, systems can continually observe and assess a user’s actions. For example, if your bank notices you are transferring a sudden hefty sum of money, it triggers an additional verification step to confirm your identity before completing the transaction. This enhances security without causing unnecessary friction for routine actions.

Reduced password-related risk
According to Verizon’s 2021 Data Breach Investigations Report, stolen credentials are the most common data breach incident – compromised passwords account for more than 60% of breaches due to hacking. Passwords are vulnerable to various threats, such as brute force attacks and credential theft. Moving to passwordless means focusing on continual session monitoring and risk profiling. This is a crucial shift for security enhancement.

Secure account recovery
If you have lost a laptop or dropped your phone into the bath, and your methods for account recovery (SMS, email etc.) are compromised, it’s faster and more secure to recover the account with your identity than with a password you can’t access. Verified digital documents (driver’s license, passport etc.) or facial recognition offer a way to prove your identity and recover your accounts much faster, more efficiently and more securely.

Reducing friction for users
According to a survey by Digital Guardian, 81% of respondents have experienced frustration with traditional password systems. One of the key benefits of passwordless authentication is how seamless it is for the user. Instead of repeatedly entering passwords (or resetting them!), users are prompted for additional verification only when their actions or context raise a security concern. This makes for a much more efficient and pleasant user experience.

Cost of reset
Most IT helpdesks know the cost of resets, both in resource and in the opportunity cost of the higher-value tasks your IT team could otherwise be doing. According to Forrester Research, the average cost of a helpdesk-initiated password reset is about $70 per request. Passwordless authentication reduces the need for resets altogether.

Biometric adoption
The use of biometric authentication methods is on the rise – a report by Grand View Research estimated that the global biometric market size would reach $100 billion by 2027. Passwordless systems often use biometric authentication methods.

There are thankfully fewer objections to going passwordless, but these are barriers that take time to remove or reset. They include:

  1. User expectations
    Often technology moves faster than cultural norms. As humans, we’ve been conditioned for decades that a password represents strong security, and so the absence of one makes us feel less secure. Resistance to change is one of the main reasons we still have passwords.
  2. User education
    Educating users about passwordless authentication is crucial and organisations must invest in initiatives to help users understand new methods and to feel comfortable using them. This, however, is time and resource hungry.
  3. Privacy concerns
    Continuous monitoring of user behaviour and context can raise privacy concerns – striking the right balance between fending off fraud and respecting user privacy is a challenge that must be addressed.
  4. False positives
    The risk-based approach to authentication may sometimes trigger false positives, inconveniencing users who are performing legitimate actions. For example, if the user of a collaboration tool typically works Monday to Friday, but happens to log in one weekend, the system may flag this as a security risk and request further authentication. This risks interrupting the employee’s work and causing frustration. Again, striking a balance between security and user convenience and satisfaction is a continuous challenge.
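
The step-up behaviour described under "Enhanced security" and the weekend false positive described above can be shown in one risk-scoring sketch. This is an added example, not code from the author or any product; the signal names, weights, threshold and the 10x transfer rule are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed weights and threshold (assumptions for illustration only).
WEIGHTS = {"unusual_day": 0.2, "new_device": 0.4, "large_transfer": 0.5}
STEP_UP_THRESHOLD = 0.5

@dataclass
class Profile:
    usual_weekdays: set   # datetime.weekday() values, 0 = Monday
    known_devices: set
    past_transfers: list  # historical transfer amounts

@dataclass
class Event:
    when: datetime
    device_id: str
    transfer_amount: float = 0.0  # 0 for logins and other non-payment actions

def signals(event, profile):
    """Return the set of risk signals this event raises against the profile."""
    raised = set()
    if event.when.weekday() not in profile.usual_weekdays:
        raised.add("unusual_day")
    if event.device_id not in profile.known_devices:
        raised.add("new_device")
    typical = median(profile.past_transfers) if profile.past_transfers else 0.0
    # "Sudden hefty sum": more than 10x the user's typical transfer (assumed rule).
    if event.transfer_amount > 10 * max(typical, 1.0):
        raised.add("large_transfer")
    return raised

def decide(event, profile):
    """'allow' routine actions; 'step_up' once the combined score hits the threshold."""
    score = sum(WEIGHTS[s] for s in signals(event, profile))
    return "step_up" if score >= STEP_UP_THRESHOLD else "allow"

# Constructed sample user: works Monday to Friday on one laptop, small payments.
PROFILE = Profile({0, 1, 2, 3, 4}, {"laptop-1"}, [40, 55, 60, 80])
SATURDAY = datetime(2024, 6, 8, 10, 0)
WEDNESDAY = datetime(2024, 6, 5, 10, 0)

if __name__ == "__main__":
    print(decide(Event(SATURDAY, "laptop-1"), PROFILE))         # weekend, known device
    print(decide(Event(SATURDAY, "phone-9"), PROFILE))          # weekend, new device
    print(decide(Event(WEDNESDAY, "laptop-1", 5000), PROFILE))  # hefty transfer
    print(decide(Event(WEDNESDAY, "laptop-1", 50), PROFILE))    # routine transfer
```

Because the weekend signal alone scores below the threshold, the legitimate weekend login is allowed, while the same login from an unknown device or an out-of-pattern transfer triggers additional verification.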

Ultimately, passwordless authentication is not a one-size-fits-all solution: the right fit depends on the application, industry and level of security required. But it offers a secure way of verifying users based upon who they are, not what they know. It represents the future of enhanced security, improved user experience and adaptability to risk-based authentication by removing the vulnerabilities associated with traditional passwords.

Don’t let passwords be your weakest link. Schedule a call with an identity expert today, and take the first step towards a safer, more efficient authentication process.

Paul Heaney
CTO/CISO