Q&A: Getting ready for a passwordless future

Traditionally, securing our online identity has relied on one key method: passwords. For decades, passwords have been the gateway to our digital identities and what we do online. And for far too long we’ve been witnessing their failure.

According to Verizon’s most recent Data Breach Investigations Report, 80 per cent of hacking-related breaches are a result of weak or compromised credentials. 29 per cent of all breaches involved the use of stolen credentials. The consequences of a breach can be catastrophic, with the average cost of a stolen record at $148, and the total cost incurred from a data breach averaging $3.86m - far from small numbers.

While a cyber incident is the main cause of concern for enterprises when it comes to password use, Okta’s Passwordless Future report found that it can also impact workplace productivity. When people forget their password, 37 per cent are locked out of accounts, which delays work. With a sustained decrease in productivity, a business can fail to keep up with its competitors and reduce its ability to cater for its customers, who expect excellent service.

What mistakes are workers making when it comes to password security?

According to the UK’s National Cyber Security Centre, 23.3 million compromised email accounts used ‘123456’ as a password, while millions of other users were using the term ‘password’, their favourite football team or band.

Regardless of a company’s best efforts to raise awareness around strong passwords, users will still resort to using one that they find easy to remember, which isn’t surprising due to the sheer volume of passwords we need to remember in everyday life. To put this into context, Okta’s 2019 Businesses @ Work report discovered that on average, large enterprises have 163 applications on their estate. This highlights the number of logins that employees have to deal with, which will only heighten the security fatigue and desire for simpler and repeated passwords.

Returning to Okta’s Passwordless Future report, it was found that 78 per cent of respondents use an insecure method to help them remember their password and 34 per cent of us admit to using the same password for multiple accounts. Reusing passwords in this way enables hackers to exploit one account and then use that password to access multiple others, increasing the damage caused. It’s less risky to forget and reset than it is to use insecure passwords and memory aids.

Do passwords have any other negative impacts on the workplace?

Over the past several years, we’ve witnessed society invest in understanding and addressing mental health and we’re only just starting to discuss mental health at work. Recent research by Anxiety UK suggests that as many as one in six young people will experience an anxiety condition at some point in their lives. Anxiety is on the rise in the workplace due to a number of factors, but security is one that has been overlooked.

According to Okta’s research, forgetting a password leaves 69 per cent of UK respondents feeling stressed or annoyed, demonstrating that there are worrying personal issues associated with passwords.

This is another example of passwords failing us, and enterprises need to move beyond the reliance on this authentication method. In tackling this issue, we will see the first wave of organisations going completely passwordless in the foreseeable future.

Is there an alternative?

Technology innovation has given businesses a myriad of new opportunities to approach security in different ways. Now authentication can be granted thanks to a number of contextual factors such as geolocation and IP addresses. If these factors are considered ‘trusted’, then access can be granted without the need to enter a password.

Something more readily available in today’s world, and driven by the smartphone, is the ability for organisations to combine methods such as biometrics with traditional methods that are still secure, and remove inadequate practices altogether.

Biometric authentication leveraging fingerprints, eyes, faces and voices was introduced to offer better protection against unwarranted access to accounts or systems. Unlike usernames, passwords and PIN codes, the data is unique to each person.

Okta’s research showed a growing appetite for and acceptance of biometrics as an added layer of security at work or even a long-term replacement of passwords. A staggering 70 per cent of respondents feel there are advantages to using biometric technology in the workplace. However, 86 per cent of respondents have some reservations about sharing biometrics with their employers, demonstrating that workers are ready for the ease of use, but need to gain trust in, and education about, organisations’ use and protection of data.

What does the industry have to do to make biometrics a reality?

Adopting new methods such as biometrics or contextual factors may meet an enterprise barrier, so it’s essential that workers are educated about how biometrics work on personal and even work-owned devices.

Biometric data is highly secure and not available to external parties, or even to the device’s own operating system. Instead it’s deeply embedded in the security hardware of the device (such as Secure Enclave or Trusted Platform Module), meaning not even Apple or Microsoft can access it, let alone an employer.

With the added security offered by biometrics, it is up to organisations and those developing biometric technologies to demonstrate how the data will be kept secure, and evangelise the benefits and ease of implementing the technology to reduce initial reservations. This will accelerate the passwordless future and the multitude of benefits it will bring.

Jesper Frederiksen, General Manager, EMEA, Okta