Goodbye Passwords – Passwordless Authentication is the Future

Sarah Van De Vyver

“Goodbye passwords, it’s been nice!” I hum this to the tune of a famous song by British rock band Supertramp as I think about the journey cybersecurity has taken.

Passwords or passphrases have been around since Roman times, when they were used to tell friend from foe. In modern times, the computer password has been around for more than six decades. Passwords have proven their worth, but it’s time to say goodbye. Let’s review why it’s so important to dismiss passwords altogether to improve your security posture, and how you’ll benefit from a passwordless authentication approach.

Passwords are Ancient

One of the most well-known passphrases is undoubtedly Ali Baba’s “Open, Sesame!”, but passwords had been used as an authentication factor long before that. The first computer password as we know it today can be traced back to 1961 in Massachusetts, when MIT’s first time-sharing computer was equipped with a password for secure login. Incidentally, MIT’s time-sharing system was also the first system to suffer a data breach. Since then, passwords have moved from being used only in academic circles to a commonplace form of authentication, but their weaknesses have been painfully exposed time and time again.

Passwords are Vulnerable to Account Takeover

A staggering 81% of data breaches are the result of poor or reused passwords, according to Verizon’s 2020 Data Breach Investigations Report. In the 2021 report, Verizon states that most social engineering breaches result in the loss of credentials, which are subsequently used in hacking and malware attacks.

Since the Covid-19 pandemic, cybercrime by bad actors has soared, and this is reflected in an increase in identity-related losses. According to Javelin Strategy and Research’s 2021 Identity Fraud Study, account takeover (ATO) fraud resulted in over $6 billion in total losses in 2020.

ATO often starts with bot-driven attacks such as credential stuffing, which replays previously stolen user credentials and personally identifiable information (PII) against login forms to gain access to end-user accounts. Another successful technique is the brute force attack: using automation tools and bots, hackers try to guess passwords in order to gain unauthorized access to PII and bank accounts.

Once an account is compromised, a fraudster can drain bank accounts of their funds, access payment information for use on other sites, or engage in other fraudulent activity.
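The two bot-driven techniques above leave different traces in an authentication log, and a defender can tell them apart by the ratio of distinct usernames to failed attempts coming from one source. The following Python example is added here and is not part of the original article or of any OneSpan product: it parses a small constructed log (the line format, IP addresses and usernames are invented for the illustration), classifies each source IP as credential stuffing (many failures, almost all against different accounts) or brute force (many failures against a single account), and lists the accounts that subsequently logged in successfully from a flagged source, which is where an account takeover review should start.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per login attempt, documentation-range IPs.
LOG_LINES = """\
2024-05-01T10:00:01 ip=203.0.113.7 user=alice result=failure
2024-05-01T10:00:03 ip=203.0.113.7 user=bob result=failure
2024-05-01T10:00:04 ip=203.0.113.7 user=carol result=failure
2024-05-01T10:00:06 ip=203.0.113.7 user=dave result=failure
2024-05-01T10:00:08 ip=203.0.113.7 user=erin result=failure
2024-05-01T10:00:09 ip=203.0.113.7 user=frank result=failure
2024-05-01T10:00:11 ip=203.0.113.7 user=grace result=success
2024-05-01T10:01:00 ip=198.51.100.9 user=alice result=failure
2024-05-01T10:01:02 ip=198.51.100.9 user=alice result=failure
2024-05-01T10:01:05 ip=198.51.100.9 user=alice result=failure
2024-05-01T10:01:07 ip=198.51.100.9 user=alice result=failure
2024-05-01T10:01:10 ip=198.51.100.9 user=alice result=failure
2024-05-01T10:01:12 ip=198.51.100.9 user=alice result=failure
2024-05-01T10:02:00 ip=192.0.2.5 user=heidi result=failure
2024-05-01T10:02:20 ip=192.0.2.5 user=heidi result=success
""".splitlines()

# Hypothetical log format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse_log(lines):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def classify_sources(events, window=timedelta(minutes=5), min_failures=5, distinct_ratio=0.8):
    """Return {ip: verdict} for sources whose densest burst of failures exceeds min_failures.

    credential_stuffing: nearly every failure targets a different account
    brute_force:         every failure targets the same account
    suspicious:          a burst that fits neither pattern cleanly
    """
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "failure":
            failures[ev["ip"]].append(ev)

    verdicts = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window: find the largest set of failures that fits inside `window`.
        best, start = [], 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        if len(best) < min_failures:
            continue
        users = {e["user"] for e in best}
        if len(users) / len(best) >= distinct_ratio:
            verdicts[ip] = "credential_stuffing"
        elif len(users) == 1:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "suspicious"
    return verdicts


def compromised_accounts(events, verdicts=None):
    """Accounts that logged in successfully from a flagged source: review these for ATO."""
    if verdicts is None:
        verdicts = classify_sources(events)
    return {ev["user"] for ev in events
            if ev["result"] == "success" and ev["ip"] in verdicts}


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    for ip, verdict in classify_sources(evs).items():
        print(f"{ip}: {verdict}")
    print("accounts to review:", sorted(compromised_accounts(evs)))
```

The thresholds (five failures in five minutes, 80% distinct accounts) are illustrative starting points; on a real system they should be tuned against the baseline failure rate, and the same grouping can be done per device fingerprint or ASN when attackers rotate source addresses.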

Why Eliminate Passwords?

The password has a long history, but its future is short. Passwordless authentication methods are gaining in popularity, not only because passwords are vulnerable to a variety of attacks and weaken security, but also because passwords create friction and make things hard for people. No one wants the hassle of inventing a multi-letter, multi-number combination. Such passwords are hard to remember, yet easy to guess, steal and crack. Multi-factor authentication (MFA) with a passwordless authentication solution creates a better user experience for access management.

Passwords also create administrative overhead. In fact, Forrester Research has shown that large organizations spend up to $1 million per year on helpdesk interventions involving password resets.

What is Passwordless Authentication and Is it Secure?

Passwordless authentication encompasses every authentication method that doesn’t rely on a (static) password or knowledge-based secret for secure access. Proof of a user’s identity therefore relies on other authentication factors, such as a possession factor (e.g., a mobile authenticator app, hardware token or one-time password (OTP)) or a biometric trait such as a fingerprint or facial scan.

Passwordless authentication solutions are inherently more secure than password-based systems. Passwordless login greatly reduces the attack surface, as there is no password to be leaked or intercepted. Taking a multi-layered approach to authentication that includes app security, device security and continuous fraud monitoring will further enhance the level of security.

Benefits of Passwordless Authentication

  • Reduce social engineering and resulting account takeover fraud
    Deploying passwordless authentication will greatly enhance security. As there are no passwords to phish or compromise, the likelihood of being exposed to phishing attacks or account takeover attacks is much lower.
  • Enhance the user experience
    A passwordless approach to authentication greatly enhances the user experience. Employees and customers can access your services without having to remember complex passwords and type them in again and again. Password fatigue and password management can be eliminated by deploying biometric authentication options such as a fingerprint or facial scan, for a seamless user experience. By combining two factors such as something the user has (e.g., a mobile device for obtaining a passcode in an SMS message or from an authenticator app) and something the user is (e.g., a fingerprint or facial recognition), you obtain much stronger two-factor authentication (2FA) than authentication that is based solely on passwords.
  • Reduce costs with passwordless authentication
    Password management eats up resources. Going passwordless will help you reduce the costs associated with password resets and monitoring. In addition, by strengthening your organization’s security and reducing attack vectors, you also reduce the risk of falling victim to a data breach, which comes at a high cost.

Conclusion

Passwordless authentication is the future. Gartner predicts that 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases.

Implement passwordless authentication to reduce attack vectors, enhance the user experience and reduce operational costs.

Migrate to Passwordless Authentication to Enhance Security and Optimize UX
Analyst report

According to Gartner, “IAM leaders should migrate to passwordless methods wherever they can, and as soon as they can, to enhance security and optimize UX.” 

Sarah is Product Marketing Manager at OneSpan and responsible for OneSpan’s FIDO, hardware and server solutions. She has over 15 years of experience in ICT and Communications and held previous positions within OneSpan’s Corporate Communications department.