
The Authentication Journey

The most pressing concerns for companies and consumers alike today are the threats of identity theft, the harvesting of personal information, and fraud. Given the multiple attack vectors that hackers have at their disposal, enterprises and government agencies are looking to move to more modern forms of authentication that can address security gaps created by the continued use of traditional username and password authentication methods.

While passwords are still the most widely used form of authentication, they are also the most common source of identity-related breaches. For threat actors, passwords (and password databases) are the best way to enter a system, exfiltrate personal information, spread malware, and compromise individual accounts or entire networks.

In recent years, there has been a significant movement towards multi-factor authentication as a way to combat account takeover from the continued use of password-based authentication methods. One of the greatest contributing factors has been the COVID pandemic and the pressure it placed on the workforce due to a hybrid work environment. For many companies, the culture of “working remotely” helped speed the adoption of digital transformation initiatives that had been around for a while.

In fact, there have been more changes in the last two years than in the previous decade when it comes to the “authentication journey.” A benefit of this is that people in the workforce are becoming more accustomed to next-generation authentication methodologies and are subsequently more likely to consider them for personal use. This addresses another major point: the challenge of driving user behavior.

While users generally know that passwords are more vulnerable, convincing them to switch to a stronger authentication mechanism is difficult, as stronger mechanisms tend to require more effort. But the continued adoption of passwordless authentication technologies is likely to have a spillover effect that will also drive more adoption in consumer spaces.

The problem with passwords

While motivating people to transition from passwords in the customer space remains challenging, there is a growing awareness in the workplace. One might call it a “culture of security awareness,” where there’s a drive towards stronger login and security methods. Adopting things like multi-factor authentication is a good first step.

Companies are driving this switchover, but much of it is employee-driven as well. In today’s workplace, savvy employees are interested in ensuring that the companies they work for do what is needed to protect customer and employee data. This can also be a means of improving the employee experience and ensuring retention.

In addition, passwords are difficult to remember, given the number of accounts and different password rules. This can lead to user frustration as they are locked out of their accounts and are forced to go through the process of confirming their identity to unlock them. This is one of the reasons why companies have developed multi-factor authentication methods to avoid these frustrations.

With many options available – including security keys, biometric info, push notifications, etc. – it is becoming easier for organizations to adopt multi-factor authentication. As a result, it is safe to assume that customers will become more and more comfortable using stronger forms of authentication in their everyday lives. In time, passwords will be removed from the authentication process altogether.

Flexible methods

There are many possibilities for strengthening authentication protocols. About ten years ago, the primary option was a physical security key (a.k.a. a hardware token), which did not work very well. These keys would get lost or broken, and users found it frustrating to carry them around constantly. More recently, there has been a move to mobile devices, which can still be lost but are generally easier to work with.

For starters, there are Short Message Service (SMS) mechanisms, which are an improvement over passwords but are still prone to security issues. Increasingly, hackers have used this mechanism to go after users’ phones directly, sending them fake SMS messages with links that lead to malware.

Other options include biometrics (like a thumbprint), facial recognition, an RFID card, push notifications, and others that can be used alone or in combination. In short, a much broader range of authentication options is available today, allowing organizations to find the authenticator(s) that best match their specific user and customer requirements.

Multiple authenticators also allow for contingency planning if and when security keys or phones are lost, batteries die, or connectivity is unavailable. This is another trend in organizations today, where employers and employees have backup options ready in case their preferred authentication method is unavailable or not working properly.

Another benefit of having multiple authenticators is the flexibility it offers. For instance, people may travel as part of their job and have to pay to use the local telecom network, or they may be working within a facility that doesn’t allow phones or smart cards (due to safety concerns). A wide range of options allows organizations and users to handle lost devices, complicating factors, and other contingencies they may face.

Fostering trust

Another important aspect of the authentication journey is the issue of “friction.” When discussing security and user experiences, “frictionless” does not necessarily mean what people think. When logging into a work account, private account, or banking app, going through a few additional steps to ensure one’s identity can be frustrating. For the most part, users desire quick and easy access to their data.

At the same time, having users verify their identity in multiple ways shows that the service provider is taking security seriously and ensuring that threat actors cannot access their data so easily. In other words, a certain level of friction is desirable where important information is involved. To ensure trust, organizations, employers, and service providers must strike a balance between security and user experience.

The importance of this balance also needs to be communicated to the user clearly. They need to understand that going through a multi-step authentication process is to their overall benefit. This, in turn, can increase the level of trust customers have in an organization and encourage brand loyalty.

Encouraging vigilance

In addition, users and customers also need to be aware of how their trust in a certain brand can be used against them. A popular method for hackers today is to send notifications to users that appear to be from a trusted source. These will often offer enticements to click on a link that leads to a website that looks familiar to the user but is designed to harvest credentials.

Another popular tactic hackers use today is to take advantage of what is known as “push fatigue.” Essentially, users will be bombarded by notifications and alerts and simply click on one or more without thinking because they are unwilling or unable to verify the source.

In these two cases, we see how hackers are taking advantage of user impatience and the tendency to trust the familiar to gain access to their data. This makes it vital that service providers and security specialists educate users to recognize legitimate sources and remain vigilant.

Recommended steps

While the transition to passwordless security procedures is already underway, adoption is still limited mainly to larger companies in certain industries. There are many steps that can (and should) be taken to accelerate the authentication journey to make passwordless authentication mainstream. First, the best way is for organizations to look at the current requirements of their users, employees, and consumers to get an idea about the type of framework they need to put in place. It’s critical to understand the balance of user experience and security for their company.

Second, it is important that users are made aware of how vulnerable passwords are and how having multiple steps in place is a good thing. When the net result is greater security and peace of mind, a little friction is worth it. Organizations also need to encourage 100% compliance among their employees and promote safe practices. In the end, only one or two people need to click on a link in order for an attack to be successful.

In the end, it is all about finding that careful balance between eliminating risk and delivering an improved user journey.

In time, the adoption of stronger authentication methods will have a spillover effect. With such a wide range of options now available, passwordless security measures are becoming easier to adopt. This trend will continue to grow as even more options become available, and we will reach a point where passwordless protection becomes the norm and users do not feel any friction at all.

Today’s workforces and consumers are moving towards a new authentication environment that goes beyond the traditional regimen of passwords and credentials. This new approach leverages technological advances (e.g., biometrics, sensors, machine learning) to offer greater flexibility and balance security and convenience.

However, the tactics used by hackers are also evolving. In addition to taking advantage of many of these same advances, they also exploit the fact that users today are often overwhelmed by the volume of data they receive, will sacrifice security for convenience, or cannot recognize online threats when they see them.

Now, more than ever, the transition toward a more modern and passwordless security environment must continue. At the same time, there need to be efforts to educate the public on the importance of multi-factor authentication and the type of threats they face today. In the end, sophisticated security measures and a well-informed public are the best way to ensure a safe online experience.