A 2020 study commissioned by NordPass found that the average person has about 100 passwords to remember. That number is up 25% from 2019, an increase attributed in part to the COVID-19 pandemic: people were doing more online and therefore creating new accounts.
Just how many of those 100 passwords are variations on a handful is open to speculation. The obvious danger of reusing the same or similar passwords is that one compromised password exposes all the others.
In the digital era, customers are clamouring for easier, more seamless access to the services they subscribe to, yet expect nothing less than flawless protection of the private information they have handed over.
They want the iPhone engagement experience but with the security of something akin to the protection detail that a country president might have. Sounds like wishful thinking? Maybe.
Andrew Shikiar, executive director at the FIDO Alliance, acknowledged this to be a challenge: it comes down to integrity, security and usability. In his view, the way passwords are implemented and used today stands in the way of making this possible.
Acceleration – the hallmark of COVID-19
Shikiar noted that before 2020, digital transformation was a vague concept with a lot of consulting hours being poured into it. Organisations would have a four-year or five-year plan outlined on a whiteboard.
“COVID-19 compressed that four-year timeframe into a four-month timeframe, where all of a sudden, everyone had to figure out how to secure their workforce,” he opined. For a bank, he continued, the new imperative in 2020 was getting branch-only customers to move online.
“But it was not only the businesses that noticed this, the hackers did as well. The result is a massive spike in cyberattacks, between February and April 2020. What we saw is that the rapid need to harden all the infrastructure associated with online communications was accelerated with COVID-19,” he commented.
The core problem of passwords and authentication
Shikiar was quick to point out that password-based protection is a risk because the passwords sit on a server. A password, he noted, is a shared secret.
“Anything on a server can eventually be stolen — or can be manipulated out of someone's hand,” he continued.
Stolen credentials that find their way onto the dark web are fed programmatically into bots that try them against other sites. Shikiar notes that this approach has a high success rate and costs billions of dollars per year.
“It's this kind of self-perpetuating cycle because that leads to more credentials being stolen through that process,” he continued.
“The fundamental problem is that this dependency on the server-side, shared secrets such as passwords, will only perpetuate as long as we're dependent on that methodology to secure users,” he added.
He believes that while passwords are the weakest form of user authentication, any factor that is not possession-based, that is, anything stored on a server for verification, can also be manipulated. He cited the well-covered story of how SMS as a two-factor authentication method is insecure.
“What we need to do is move the world away from this model of centralised authentication based on shared secrets to one that is more possession-based where you are logging into the device in your hand, either by using a biometric or just by proving possession of a device or even entering a PIN, something that's not transmitted over the internet. By logging in locally, only you or someone in possession of his/her device can log in,” he suggested.
Transitioning to a passwordless authentication environment
Start with a password strategy, Shikiar advised. The CIO needs to identify which systems and applications depend on passwords and start prioritising a passwordless approach to authenticating access to them.
Click on the podchat player to listen to Shikiar’s perspective on how passwordless authentication can be implemented.
- Why is authentication the cornerstone of digital transformation?
- How has COVID-19 accelerated the need to secure our devices, and what are some of the challenges that organisations face in doing so?
- What are the risks of relying on passwords for authentication?
- Where do we stand with passwordless authentication today?
- What needs to happen for businesses and users to adopt passwordless authentication?
- What is the investment cost to adopt FIDO authentication?
- How can an organisation safely transition to passwordless authentication?
- Who should own the deployment and adoption of passwordless authentication?
- What questions should leadership and the Board ask their CIO regarding passwordless authentication?