Eliminating passwords is good for organizational security, a business’ bottom line and user experience. Everyone from casual internet browsers to CISOs of multinational corporations can agree that passwords are insecure and inconvenient. They account for up to half of your help desks’ cost, prevent legitimate users from accessing what they need, and 4 out of 5 breaches are due to lost, stolen or weak credentials. They’re relics from computing’s past—and that’s exactly where they belong.
But despite this widespread agreement, there’s still a prevailing misconception on what a passwordless future would look like—and even what ‘passwordless’ really means. So let’s move beyond the buzzword to understand the high costs of passwords, the distinction between passwordless and password-free, what a world without passwords would look like and how we can finally get there.
Like saber-toothed tigers or the Tyrannosaurus rex, passwords had their day: they provided a means of authentication when computing was restricted to a few secured sites and a limited number of users needed access to a limited number of resources. Relying on passwords—something the user knew—worked for mainframe computing.
Today, although we’re several generations removed from that model of computer usage, we’re still relying on the same practices that we used to secure IBM punch card readers. Passwords are an old solution that don’t fit our new world: countless devices supporting millions of users who need access to everything, from everywhere, all the time.
And just like prehistoric creatures, passwords aren’t suited to today’s environment. But unlike dinosaurs, we’ve continued to accommodate them—even rely on them. Despite broad agreement that we should do away with passwords, we continue to use them for the worst possible reason: because doing away with them completely doesn’t seem worth the effort.
The high costs of passwords
If there’s one axiom that every CISO should remember when they’re trying to make the case against passwords, it’s this: cybercriminals don’t break in—they log in.
Passwords’ first fatal flaw is that they’re insecure. Earlier this summer, Bloomberg reported that hackers breached Colonial Pipeline using a VPN that wasn’t in use and wasn’t protected by multi-factor authentication (MFA). Although that “compromised password” led to one of the costliest and highest-profile ransomware attacks in history, it was far from the last time that leaked credentials would imperil an organization.
This year, 8.4 billion passwords were leaked in the “largest password collection of all time” and 87,000 unpatched SSL-VPNs were posted online in September. Just in October, Russia’s intelligence agency deployed “a huge database of stolen passwords in automated attacks.”
It’s no great surprise that, in 2020, Verizon found that 80% of hacking-related data breaches involved brute force or the use of weak or stolen passwords. That year, the most frequently used password was ‘123456,’ which takes less than a second to crack and was exposed more than 23 million times.
Passwords are hackers’ favorite vulnerability: it’s why the Cybersecurity & Infrastructure Security Agency (CISA) added single-factor authentication to its list of “Bad Practices” in August.
Not only are passwords insecure, they’re also expensive. The World Economic Forum found that, for larger businesses, “nearly 50% of IT help desks’ costs are allocated to password resets.”
Another fatal flaw
Passwords are insecure and expensive. But let’s not overlook another fatal flaw: they’re also inconvenient.
When we were all sitting down to keyboards, typing out long strings of letters, numbers and special characters made some sense. Today, we’re just as likely to use a phone, smart watch or smart TV using a remote control—and entering passwords on those smaller screens isn’t feasible.
We haven’t kept up with this shift to new devices: by continuing to accommodate passwords, cybersecurity has failed to remember that the best security is simple. We’ve treated user experience as an afterthought, as something that’s only ‘nice to have’ when in actuality, user experience is essential. As soon as we start asking users to memorize strings of increasingly complex characters, we invite them to work around security—not within it.
It’s in large part because passwords are difficult to use and manage that they’ve become security liabilities. The average internet user has 100 passwords; two in three people continue to use the same password across multiple accounts. By asking users to constantly update their passwords with increasingly complex criteria, security teams are practically begging people to either affix a Post-it note with their password to the side of their computer or to use simplistic combinations like ‘123456.’
The National Institute of Standards and Technology (NIST) is aware of this issue: its Digital Identity Guidelines note that undue “length and complexity requirements” can “significantly increase the difficulty of memorized secrets and increase user frustration…users often work around these restrictions in a way that is counterproductive.”
Instead, by making security convenient and organic to the user, we harden our defenses and create a simpler experience that encourages use.
Passwordless versus password-free
Many organizations understand that passwords incur high costs to security, user satisfaction and the bottom line and are trying to go passwordless.
But in too many instances, ‘passwordless’ systems don’t really live up to the name: instead, they’re ‘password-lite’. Wait around long enough in many ‘passwordless’ environments and you’ll eventually need to enter a password—either to log in initially, to reset credentials or to bootstrap some new level of access.
That type of ‘passwordless’—the type that should have an asterisk by it—is a common deployment. It’s absolutely a step in the right direction, one that minimizes our reliance on passwords to only a few specific instances.
From an enterprise view, shouldn’t that be good enough? In some cases, it might be. But it’s still building a known vulnerability into an environment instead of eliminating one altogether. Maintaining passwords, even in a limited number of settings, maintains their flaws: employees’ workspace passwords are probably the same (or very similar to) their banking password, their Facebook password or any of their personal passwords. And asking employees to perpetually update their passwords continues to expose businesses to the same password-on-a-Post-it problem.
Businesses should also consider that the gap between the old solution (passwords) and the new problems we’re trying to address (hybrid work) is widening. Now that many of us are working remotely, we’re using several different devices and connecting to enterprise resources via insecure networks. In this setting, passwords become even more vulnerable to brute force attacks, man-in-the-middle thefts and keylogger attacks.
Instead, we should aim for truly password-free environments—for operations that eradicate passwords altogether, from employee onboarding and account creation, through identity provisioning and credential binding, ongoing authentication, emergency access and account recovery. At no point should a user have to think about, enter or manage a password.
Consider the context
Fast Identity Online (FIDO) authentication addresses many of the problems with passwords. But as good as FIDO is, there are still instances where organizations need continuous authentication to check and re-check access requests. Although FIDO or passwords could be used to re-authenticate periodically throughout the day, that would add an undue degree of friction for users.
The best security is simple, but it’s also contextual. Context-aware authentication can provide for continuous authentication while reducing (if not eliminating) undue friction: security teams can use the time a user is logging in, the device they’re using, their IP address, their location, and other facts to inform their access decisions. That contextual information can replace ‘something you know’ altogether, harden your defensive posture and help your organization adapt to hybrid work and eliminate passwords.
Smart identity and access management can learn and baseline each employee’s typical behavior. Eventually, it should understand that if a user always logs in with a fingerprint scan on a FIDO key at 9 AM ET from a PC in New York, then an access request made with their credentials at 3 in the morning, from a new device in Russia and without that biometric, merits additional investigation. Likewise, if they authenticate from New York at 9 AM, log out, and log in again from California at 10 AM, that is a ground-speed violation the system should recognize, flag and deny.
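The two scenarios above can be expressed as a small policy engine. The following is an added example written for this article, not code from any product or vendor mentioned here. It assumes a per-user baseline (known device IDs and usual login hours in UTC), a maximum plausible ground speed of 900 km/h (roughly airliner cruising speed), and constructed login events with approximate coordinates for New York, San Francisco and Moscow. A login that would require impossible travel from the last accepted login is denied outright; logins that merely deviate from the baseline (new device, unusual hour, no FIDO biometric) are routed to step-up verification rather than denied, since each of those signals alone has benign explanations.

```python
"""Context-aware login evaluation: baseline deviation and ground-speed checks.

Added example, not product code. All events and baselines below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: about the cruising speed of an airliner


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime          # timezone-aware UTC timestamp
    lat: float
    lon: float
    device_id: str
    fido_biometric: bool  # True when a FIDO key plus fingerprint was presented


@dataclass(frozen=True)
class UserBaseline:
    known_devices: frozenset
    usual_hours_utc: range  # e.g. range(12, 23) for a 9-to-5 worker on US Eastern time


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def ground_speed_kmh(prev, cur):
    """Speed the user would have needed to move from prev to cur in the elapsed time."""
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def evaluate(cur, prev, baseline):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    reasons = []
    if prev is not None and ground_speed_kmh(prev, cur) > MAX_PLAUSIBLE_SPEED_KMH:
        reasons.append("impossible_travel")
    if cur.device_id not in baseline.known_devices:
        reasons.append("new_device")
    if cur.ts.hour not in baseline.usual_hours_utc:
        reasons.append("unusual_hour")
    if not cur.fido_biometric:
        reasons.append("no_fido_biometric")
    if "impossible_travel" in reasons:
        return "deny", reasons       # ground-speed violation: hard deny
    if reasons:
        return "step_up", reasons    # deviates from baseline: require additional verification
    return "allow", reasons


def evaluate_sequence(events, baseline):
    """Walk one user's logins in order, comparing each against the last accepted login."""
    decisions = []
    prev = None
    for ev in events:
        decision, reasons = evaluate(ev, prev, baseline)
        decisions.append((decision, reasons))
        if decision != "deny":
            prev = ev  # denied logins never become the reference point
    return decisions


# Constructed sample data: approximate city coordinates and one user's baseline.
NEW_YORK = (40.7128, -74.0060)
SAN_FRANCISCO = (37.7749, -122.4194)
MOSCOW = (55.7558, 37.6173)
BASELINE = UserBaseline(known_devices=frozenset({"pc-nyc-01"}), usual_hours_utc=range(12, 23))


def sample_events():
    t0 = datetime(2021, 11, 1, 13, 0, tzinfo=timezone.utc)  # 9 AM ET
    return [
        LoginEvent("alice", t0, *NEW_YORK, "pc-nyc-01", True),                          # normal
        LoginEvent("alice", t0 + timedelta(hours=1), *SAN_FRANCISCO, "pc-nyc-01", True),  # 10 AM ET, ~4,100 km away
        LoginEvent("alice", t0 + timedelta(hours=18), *MOSCOW, "laptop-unknown", False),  # 3 AM ET, new device, no biometric
    ]


if __name__ == "__main__":
    for ev, (decision, reasons) in zip(sample_events(), evaluate_sequence(sample_events(), BASELINE)):
        print(f"{ev.ts.isoformat()} {ev.device_id:15} -> {decision:8} {reasons}")
```

Note that the Moscow login is not an impossible-travel case on its own: 18 hours is enough to fly from New York. It is the combination of the odd hour, the unknown device and the missing biometric that pushes it to step-up, which is the point of weighing several contextual signals together rather than any one in isolation.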
Combining ‘something you have’ authentication factors and ‘something you are’ with contextual signals could create smarter, safer, and simpler environments. In 2016, we shared a video demonstrating how a Bluetooth connected device could authenticate users. In this scenario, the proximity of the user’s phone would log them into their laptop without a password. Combining the proximity of their device with their location, time of use, and other contextual signals could provide the information needed to make a high-confidence access decision—without entering a password or username. At the end of the day, when they pick up and walk away with their phone, they’re logged out.
Users hate passwords because they’re inconvenient and prevent us from accessing what we need access to; security teams hate passwords because they represent a major security vulnerability; businesses hate passwords because they’re expensive. Passwords are lose-lose-lose.
We don’t need to operate this way any longer. We need to modernize identity and access management and move beyond passwords for good.