By Ricardo Diniz, Vice President & General Manager UK, Spain & France, WSO2
Some 90% of security breaches can be avoided by using multi-factor authentication (MFA). Yet most enterprises still rely solely on usernames and passwords, avoiding stronger second-factor authentication methods, in the belief that this keeps user sign-on both safe and convenient.
Our addiction to passwords is a long-standing issue. To stay secure, users have to make passwords complicated, then spend time remembering and forgetting them, which drives up demand for IT support. Notably, research has shown that 20-50% of all IT helpdesk calls are for password resets. So passwordless authentication not only reduces security risks for organisations; by eliminating the need to remember passwords and to store them on systems vulnerable to breaches, it also reduces costs and administrative burden.
According to Verizon's 2021 Data Breach Investigations Report (DBIR), credential vulnerabilities account for over 84% of all data breaches. Yet 48% of people use the same password for both personal and professional services. Eliminating passwords altogether therefore reduces the risk of a data breach. For example, cybercriminals often use credential stuffing (credentials taken from one data breach and replayed to facilitate another). Once passwords are gone, these threat actors no longer have reused credentials with which to exploit weaknesses in an organisation's systems.
As authentication has evolved, multi-factor authentication has solved secure access to a certain extent, but users who still rely on passwords continue to take the bait in phishing attacks. Modern authentication methods that apply the FIDO standard to passwordless sign-in, using biometrics, platform authenticators and security keys, protect organisations by reducing the risk of phishing. They also create a better user experience by offering users easy and secure access.
Finally, authenticating a user no longer means just a username and password, or going one factor beyond to basic multi-factor authentication such as receiving an SMS code. With adaptive authentication, the strength of the challenge depends on the sensitivity of the application and the circumstances under which the user is attempting to access it: authentication is made stricter or easier to match the situation. Here at WSO2 we are seeing a huge uptake of risk-based analysis, risk-based authentication and adaptive authentication from an identity perspective.
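To make the adaptive idea concrete, the following is an added illustration of a small risk-based policy engine; it is not WSO2 code, and the signals, weights, thresholds and factor names (`fido2`, `otp_app`) are assumptions chosen for the example. Each sign-in attempt is scored from contextual signals, and the required factors are chosen from the score together with the application's sensitivity: low risk on a low-sensitivity app passes with the passwordless primary factor alone, rising risk triggers a step-up to a second factor, and high risk is denied outright. The `reasons` returned with each decision are what a security team would want in the audit log to explain and detect anomalous sign-ins.

```python
"""Adaptive (risk-based) authentication policy, constructed as an illustration."""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    LOW = 1      # e.g. internal wiki
    MEDIUM = 2   # e.g. HR self-service
    HIGH = 3     # e.g. payments, admin console


@dataclass(frozen=True)
class SignInContext:
    app_sensitivity: Sensitivity
    known_device: bool             # device previously registered by this user
    known_location: bool           # country/network seen before for this user
    impossible_travel: bool        # distance since last sign-in not physically plausible
    failed_attempts_last_hour: int
    ip_on_threat_list: bool        # source IP matched a threat-intelligence feed


@dataclass(frozen=True)
class Decision:
    action: str        # "allow", "step_up" or "deny"
    factors: tuple     # factors the user must complete, in order
    score: int
    reasons: tuple     # signals that contributed, for the audit log


def risk_score(ctx):
    """Sum weighted risk signals. Weights are illustrative assumptions."""
    signals = []
    if not ctx.known_device:
        signals.append(("unknown_device", 2))
    if not ctx.known_location:
        signals.append(("unknown_location", 1))
    if ctx.impossible_travel:
        signals.append(("impossible_travel", 3))
    if ctx.failed_attempts_last_hour >= 3:
        signals.append(("brute_force_pattern", 2))
    if ctx.ip_on_threat_list:
        signals.append(("ip_on_threat_list", 4))
    score = sum(weight for _, weight in signals)
    return score, tuple(name for name, _ in signals)


# Per-sensitivity thresholds (assumed values): how much risk is tolerated before
# a step-up is demanded, and before the attempt is denied outright.
# HIGH always requires a second factor, so its step-up threshold is 0.
STEP_UP_AT = {Sensitivity.LOW: 3, Sensitivity.MEDIUM: 2, Sensitivity.HIGH: 0}
DENY_AT = {Sensitivity.LOW: 7, Sensitivity.MEDIUM: 6, Sensitivity.HIGH: 5}


def decide(ctx):
    """Choose the authentication requirement for one sign-in attempt."""
    score, reasons = risk_score(ctx)
    if score >= DENY_AT[ctx.app_sensitivity]:
        return Decision("deny", (), score, reasons)
    factors = ["fido2"]                   # passwordless primary factor (passkey or security key)
    if score >= STEP_UP_AT[ctx.app_sensitivity]:
        factors.append("otp_app")         # step-up: second factor from an authenticator app
        return Decision("step_up", tuple(factors), score, reasons)
    return Decision("allow", tuple(factors), score, reasons)


if __name__ == "__main__":
    # Constructed sample attempts, not real telemetry.
    samples = {
        "trusted laptop, low-sensitivity app":
            SignInContext(Sensitivity.LOW, True, True, False, 0, False),
        "new phone, HR portal":
            SignInContext(Sensitivity.MEDIUM, False, True, False, 0, False),
        "trusted laptop, admin console":
            SignInContext(Sensitivity.HIGH, True, True, False, 0, False),
        "new device + impossible travel, admin console":
            SignInContext(Sensitivity.HIGH, False, True, True, 0, False),
    }
    for label, ctx in samples.items():
        d = decide(ctx)
        print(f"{label}: {d.action} factors={d.factors} score={d.score} reasons={d.reasons}")
```

In a real deployment the signals would be fed by device registration records, geo-IP history and threat-intelligence lookups, and the thresholds would be tuned per application; the structure of the decision, a score mapped through sensitivity-dependent thresholds to a list of required factors, stays the same.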
So why have passwords been so slow to give up ground to more modern, safer passwordless alternatives? While great progress toward passwordless has been made, it will undoubtedly be a long time before the "long tail" of so many applications, accessed by so many people from so many types of devices, finally converts. In the meantime, access management solutions can help address the uneven authentication landscape by providing a more user-friendly overlay that hides the nitty-gritty of authentication from users, whether it happens via password, federation or another mechanism. Access management solutions won't eliminate passwords and their security issues; they just make them less of a burden. The most complete solution is to go passwordless.
By implementing passwordless authentication, users can opt for a much easier way to authenticate, with a combination of MFA factors, thereby improving the user experience and creating stronger customer identity and access management platforms. It finally gives us the opportunity to say goodbye to passwords!