Person typing on computer keyboard with shield icon showing password fatigue

Fighting Password Fatigue Means Retiring Passwords for Good

Identity has become enterprises’ greatest security and financial vulnerability in 2023, and it’s time to reevaluate the status quo approach. Verizon’s 2022 Data Breach Investigations Report found that 61% of all breaches could be traced back to compromised credentials, a disturbing statistic when combined with research from IBM that estimates the average cost of a successful phishing attack to be approximately $4.9M. This sum includes compliance fines, remediation fees, and financial losses due to damaged reputations.

It’s undeniable that social engineering attacks targeting identities are on the rise. They’re costing companies and users dearly. However, the root cause of this problem can also reveal the solution.

Password fatigue is clearing the way for threat actors

It’s no surprise that 39% of Americans report an elevated level of password fatigue. Consider how many passwords the average consumer must keep track of in the average day; from online banking applications, to favorite streaming platforms, to popular social media accounts, the list is endless and always growing.

But when your every digital interaction begins with – and depends upon – remembering and entering credentials, it’s easy to make lazy mistakes that result in poor digital hygiene. Users often repurpose the same password over and over, meaning once one account is breached, they may all be breached. In fact, NordPass’ 2022 list of most commonly used passwords put “password” and “123456” in the number two spots, which are dangerously obvious to crack or guess. These weak passwords can be breached in less than a second, essentially rendering them as useless as not using a password at all.

Alternatively, password fatigue can even impact responsible users who diligently maintain diversity within their password selection. It’s a problem that snowballs over time – as users open new online accounts, they must continually create new and distinct passwords to maintain good hygiene. But with such a large volume of credentials to remember, it’s easy to forget one, requiring users to increasingly rely on password recovery tools that can be easily manipulated by threat actors. For instance, once a user becomes accustomed to accepting push notifications to reset passwords, they’re more likely to accept one that’s actually been initiated by a cyber criminal trying to access their account behind the scenes. Once they click “allow” on their mobile device, that threat actor gains the keys to the kingdom.

As a result, password fatigue is rapidly becoming threat actors’ greatest weapon when it comes to account takeover. Research shows 62% of Americans who have a high level of password fatigue reported an account of theirs was breached, whereas only 29% of those with low password fatigue could say the same. Password fatigue is dangerous, and it is leaving the door open to threat actors to take control of accounts and wreak havoc.

Combatting password fatigue at the source

The key to relieving password fatigue is removing passwords from the equation altogether. The reality is, where there is a password, there is an easily exploited attack vector open to threat actors. By doing away with phishable factors like passwords, and moving beyond first generation MFA that uses one-time codes, magic links, and push notifications, organizations can remove the burden password hygiene from users and also remove one of cyber criminals’ easiest targets-easily phished authentication factors.

Authentication is evolving beyond passwords and first gen MFA

A new generation of passwordless, phishing-resistant multi-factor authentication (MFA) is rapidly emerging as enterprises’ answer to password fatigue. These solutions replace passwords with phishing-resistant factors like FIDO2 passkeys and device biometrics. More advanced solutions combine phishing-resistant MFA with device posture security checks before granting access to the user with a device that does not meet policy. Top-tier solutions continuously recheck user behavior signals and device security posture, without disrupting for a re-authentication unless something significant changes.

Removing passwords not only takes the power out of threat actors’ hands, but also reduces friction in the user experience, especially as there are no passwords to remember or reset processes to initiate. With this barrier gone, productivity is increased and stress is reduced. After all, how much time has been wasted by the average user frantically inputting slightly different variations of the same password, trying to remember which one applies to which account, and finding a second device to grab an MFA code or respond to a mobile push?

New regulations have emerged mandating the transition to zero trust and the use of phishing-resistant MFA.  Thus, removing passwords and weak MFA from login processes is an easy way for organizational leaders to remain compliant and the single largest vulnerability. While passwordless MFA is still an emerging technology, its adoption has already been eagerly embraced as a category by organizations across industries. CISOs should evaluate available platforms to identify the solution that aligns with their goals, budget, and user needs.

Users are tired – they’re tired of sifting through a laundry list of potential passwords just to log into their work apps. And they’re tired of being constantly reminded that they are one bad password away from a devastating data breach. Password fatigue is truly taking its toll.

It’s time to combat password fatigue once and for all by retiring passwords for good. By embracing passwordless multi-factor authentication, organizations can improve their user experience while removing their greatest security vulnerability. Threat actors lose easy access to complete account takeover or ransomware attacks, and users are free from memorizing an infinite list of credentials. The future is truly passwordless, and it starts now.