As time moves on and we reflect on how we’ve gone about authentication over the decades, the password has been our primary gatekeeper, shielding our online profiles, personal information, and critical financial details. Now don’t get me wrong, we’re exceptionally thankful for all that passwords have done for us; but, as things progress, we’re discovering a glaring issue: passwords, as we know them, are rapidly becoming an outdated and unreliable method of authentication. Here are some of the most common shortfalls…
Predictable Choices: Despite constant warnings, many users opt for painfully predictable passwords like “123456” or “password.” Such choices make unauthorized access child’s play for seasoned hackers.
Over 50% of users admit to using the same password for multiple accounts, and 13% alarmingly use one for all their accounts. This type of behavior means that if one account gets compromised, all others are at risk as well. Yikes.
Websites like “Have I Been Pwned?” document the hundreds of millions of account details exposed in data breaches, many of which include weakly hashed or plain-text passwords. Log into LinkedIn any day of the week to read about the most recent breach. All industries are at risk and susceptible to attack.
As per the 2023 Data Breach Investigations Report, 32% of breaches involved phishing. Unsuspecting users are often tricked into voluntarily giving away their passwords. Even small businesses are at risk these days…except for those that read our blog about how to prevent phishing as a small business.
Modern computational capabilities mean that billions of password combinations can be tried in seconds by sheer brute force, further diminishing the protective capacity of the humble password.
It’s not uncommon to spot passwords jotted down on sticky notes, shared Excel docs, or stored in unprotected digital notes, nullifying even the most complex password’s effectiveness. I’m sure you’ve seen some of your colleagues around the office with a post-it note stuck to their monitor reading “PW: XXXX to login to” virtually all of their systems. Not exactly the most secure storage method available to today’s modern employee, and something we certainly need to be aware of as we attempt to increase our cybersecurity posture.
Despite two-factor authentication being an added layer of security, a vast majority of users haven’t activated it. A mere 28% of Microsoft users, for example, had set it up by 2022. This reluctance can be attributed to a bunch of factors: some users find it cumbersome, others might be unaware of its benefits, while a significant number may simply not know how to set it up. Regardless of the reasons, this low uptake underscores the pressing need for more user education and streamlined 2FA processes.
Password reset questions remain an Achilles’ heel. Answers like “mother’s maiden name” can be unearthed with a simple glance at one’s social media, making password recovery options a potential entry point for malicious actors.
As hard as we try, some habits seem resistant to change. For instance, many individuals use the same password for an extended period, often up to ten years. Despite this, several conventional security guidelines continue to suggest changing passwords every 90 days. But, it’s worth noting that modern cyber threats are so advanced that bad actors can exploit and utilize passwords in as little as 15 minutes.
Tech giants like Microsoft are re-evaluating these traditional stances. Instead of advocating for routine password changes, they’re now steering the conversation towards a passwordless future. This transition reflects a growing sentiment in the tech community: our age-old strategies for securing digital identities need revamping to meet the demands of today’s security challenges.
Given these vulnerabilities and the increasing sophistication of cyberattacks, it is clear: the traditional password system isn’t enough to secure ourselves anymore. Companies must prioritize safeguarding their users’ data, and clinging to an old method of authentication simply won’t suffice. In order not only to survive, but to thrive in our modern digital ecosystem, it’s virtually inevitable that you’re going to need to adopt some type of passwordless authentication across your organization. Here’s a glimpse into some of the most common forms of passwordless authentication available to EVERYONE at surprisingly low costs.
Hardware security keys enhance security by offering robust resistance to phishing attacks, as they require the physical key to authenticate. Unlike traditional credentials, they are immune to man-in-the-middle attacks because the cryptographic challenge is bound to the specific site’s domain. Additionally, they eliminate the risk of shared secrets being intercepted or stolen, since the private keys never leave the device. Companies like Yubico (https://www.yubico.com/works-with-yubikey/catalog/keytos-ezsmartcard/) are leading the charge on the hardware front and are perfectly complemented by onboarding technology like our very own EZCMS!
PIV smart cards offer increased security by embedding user credentials directly onto a physical card, making it difficult for attackers to duplicate or phish them. They enable strong multi-factor authentication, combining something the user has (the card) with something the user knows (a PIN). Additionally, with cryptographic operations performed on-card, they ensure that sensitive data, like private keys, is never exposed. Smartcard authentication has had a bad name because of how hard it is to implement, but did you know that Azure released Azure CBA, an easy way to enable smartcard authentication? This modern method, paired with Keytos’ turnkey smartcard solution covering printing, shipping and onboarding, makes smartcards one of the easiest ways to go passwordless.
Phone authentication promotes security by leveraging a user’s mobile device as a verification tool. Whether through authenticator apps or other phone-based methods, it adds an extra layer of protection. It is based on the principle of something the user has: their phone. This makes unauthorized access more challenging, since an attacker would need physical possession of the phone or a way to intercept its communications.
It’s unlikely you’ve made it this far without being somewhat convinced that going passwordless is the way to go. However, if you’re still on the fence about it, watch this video from our partners at Yubico that shows just how easy it is to “socially engineer” an attack on our organization. Something as inconspicuous as a phone call to an unassuming engineer can compromise your entire organization.
…and if you’re still not sold on the idea, allow me to point you in the direction of our ROI calculator. See exactly how much time and money are wasted every year maintaining an insecure method of authentication.