The list of people in the world who like passwords is awfully short. Yet as a means of verifying user identity, passwords hang on, frustrating users and exposing huge IT vulnerabilities. Why?
A decade ago, the average person used perhaps ten websites that were password protected. Within a few years that number tripled. Today, especially with more of us working, learning and shopping online than ever due to the COVID-19 pandemic, people are expected to keep track of passwords for hundreds of websites.
It’s clear that virtually no one creates and remembers a different password for every site. The average person reuses each password as many as 14 times. The sheer multitude of sites requiring passwords forces some amount of repetition. This not only creates a security problem for the user, but also puts companies at risk.
According to the 2019 Data Breach Investigation Report from Verizon, 80% of all hacking-related data breaches involve stolen passwords. If a corporate password vault gets hacked, the passwords within are shared with the dark web—and because people reuse passwords, it gives thieves a virtual passkey to everything from bank accounts to credit cards.
The commercial drawbacks of passwords are evident as well. Industry standards in web marketing recognize that ecommerce sites have less than a minute to capture a prospect’s interest in whatever it is they’re trying to sell. Included in those sixty seconds is the time it takes to register the user. What’s more, when they return, they will need to authenticate. How many of us have given up on purchasing a product because we can’t locate the password or can’t be bothered to log in? I know I have.
Nearly every study on website effectiveness and customer satisfaction comes to the same conclusion: there is a direct correlation between user experience and revenue. If a site makes it difficult to register and sign in, users will spend less time with the site—or perhaps never return.
If passwords are the bane of the internet, why haven’t they been retired? Two words sum up much of the reason: simplicity and security.
Until recently there hasn’t been an easy way for people to commit to the ultra-strong “something you know, something you have, and something you are” standard. Today all three can be satisfied through something that 3.3 billion of us carry every day: our smartphones.
Smartphones serve as the “something you have” token, which can be supplied by a free smartphone app. Biometrics, whether by fingerprint, facial recognition or, soon, retinal scan, provide the “something you are.” The remaining component, “something you know,” is a username or social identity.
Downloading such an app can be made easy through a QR code displayed on the website. Once scanned, it can automate the download and initial registration process. Then, each time the person revisits the site, a unique image and number appear on the phone. The user is asked to confirm that the image and number on the website match the ones on the phone, completing the robust, three-factor verification. The single-device experience is further optimized because the user never leaves the phone, or because the authentication is incorporated into the app with an SDK.
Smartphones can make eliminating passwords easier—but an airtight connection is still required. If the connection between user and website isn’t impenetrable, easy verification alone won’t solve the problem, because perpetrators can stage man-in-the-middle attacks. This means solution providers must adhere to the highest levels of authentication. Few providers satisfy the military-grade NIST AAL3 requirements, which state that the solution must be resistant to impersonation. To achieve that level of authentication and beyond, the solution’s server must authenticate to the user’s app, and the app must also authenticate to the server. In short, the site knows it’s the user—and the user knows it’s the site.
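As an added illustration of the mutual authentication and origin binding described above (example code, not Identité's product; the site name, message layout and six-digit confirmation number are assumptions), this Python sketch has the phone app answer only challenges that name the site it enrolled with, and has the site prove it holds the device key before both sides display the same number for the user to compare:

```python
import hashlib, hmac, secrets

# Constructed example (not Identité's code): phone app and site share one
# per-device key, standing in for the secret set up during QR enrollment.
SITE_ORIGIN = "shop.example"  # assumed relying-party identity

def _tag(key, role, origin, session_id, nonce_s, nonce_a):
    # Binding origin and session into the MAC is what defeats a relaying MITM:
    # a proof computed for one site and session is useless anywhere else.
    msg = b"|".join([role, origin.encode(), session_id, nonce_s, nonce_a])
    return hmac.new(key, msg, hashlib.sha256).digest()

def confirmation_number(session_id, nonce_s, nonce_a):
    """Six-digit number shown on both phone and site for the user to compare."""
    h = hashlib.sha256(session_id + nonce_s + nonce_a).digest()
    return int.from_bytes(h[:4], "big") % 1_000_000

def app_respond(key, enrolled_origin, challenge):
    """Phone side: refuses any challenge that does not name the enrolled origin."""
    if challenge["origin"] != enrolled_origin:
        return None
    nonce_a = secrets.token_bytes(16)
    tag = _tag(key, b"app", challenge["origin"], challenge["session_id"],
               challenge["nonce_s"], nonce_a)
    return {"nonce_a": nonce_a, "tag": tag}

def server_verify(key, session_id, nonce_s, response):
    """Site side: checks the app's proof, then returns its own proof for the app."""
    expected = _tag(key, b"app", SITE_ORIGIN, session_id, nonce_s, response["nonce_a"])
    if not hmac.compare_digest(expected, response["tag"]):
        return None
    return _tag(key, b"srv", SITE_ORIGIN, session_id, nonce_s, response["nonce_a"])

def app_verify_server(key, origin, session_id, nonce_s, nonce_a, server_tag):
    """Phone side: the site must prove it holds the device key as well."""
    expected = _tag(key, b"srv", origin, session_id, nonce_s, nonce_a)
    return hmac.compare_digest(expected, server_tag)

def login(key, presented_origin=SITE_ORIGIN):
    """One full exchange; returns (mutually_authenticated, confirmation_number)."""
    session_id, nonce_s = secrets.token_bytes(8), secrets.token_bytes(16)
    challenge = {"origin": presented_origin, "session_id": session_id, "nonce_s": nonce_s}
    response = app_respond(key, SITE_ORIGIN, challenge)
    if response is None:
        return False, None
    srv_tag = server_verify(key, session_id, nonce_s, response)
    if srv_tag is None or not app_verify_server(key, SITE_ORIGIN, session_id, nonce_s,
                                                 response["nonce_a"], srv_tag):
        return False, None
    return True, confirmation_number(session_id, nonce_s, response["nonce_a"])
```

Calling `login(key, "phish.example")` models a relaying site: the app declines the challenge, so no proof ever reaches the attacker.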
Time to Begin
There’s a final reason why passwords are still with us, however: companies need to commit. If this paradigm is going to shift, individual sites must offer a passwordless system as the only way for users to register. People need to be compelled to experience the simplicity, convenience and peace of mind that come with an alternative system.
This might feel like a daring move but think of the benefits. Users want a fast, easy and secure alternative. Now it exists. By making good use of the technology available to us, we can combine all three factors of authentication without the use of passwords. This option wasn’t available to us five years ago.
Simplifying your site offers an immense advantage over the competition. It also lowers costs and streamlines operations. The majority of calls to customer service, for example, involve password resets. With a passwordless system there are no passwords to hack, no more potential PR disasters and even less exposure to liability.
As an industry, we must change the status quo. Gartner predicts that by 2022, 60% of large businesses and nearly all medium-sized companies will have cut their dependence on passwords by half.
60% is not enough. It starts with each individual company and each website. It must begin with those who are bold enough to embrace a better way. And it must start today.
JOHN HERTRICH is President and Chief Executive Officer of Identité, a security company focused on making authentication simple, secure and passwordless.