The “no password” concept promises to make life much easier for users and security departments. It offers the tantalizing prospect of reducing administrative costs, improving productivity, and reducing cyber risk. However, despite these striking benefits, adoption by companies in both the B2C (business-to-consumer) and B2B (business-to-business) sectors has not been as strong as might have been expected.
However, one should at least take note when the world’s largest software company decides to endorse a new technological paradigm. Microsoft long ago described passwords as “inconvenient, insecure and expensive”. In March 2021, the company introduced a passwordless authentication implementation for business customers, and this year it announced that it would extend support to all users. It could therefore be said that the era of passwordless authentication has finally arrived.
When Passwords are no Longer Right
Passwords have been around for almost as long as computers, and their demise has been predicted many times over. Nonetheless, they’re still in use, securing everything from corporate apps to online banking, email, and e-commerce accounts.
The tricky thing is that we now have too many identities and credentials to manage and remember. One estimate suggests that 57% of US workers have written corporate passwords on sticky notes, while a 2021 survey by a company found that 49% of users write down their passwords so they don’t forget them, and 38% do so on paper. And the number keeps growing as we expand our digital footprint. For reference, an estimate from October 2020 stated that, on average, a person uses around 100 passwords, almost 25% more than before the pandemic began.
From a cybersecurity point of view, the challenge with passwords is well known: they give attackers a target that is easy to obtain through theft, phishing, or brute force. Once in possession of the keys, attackers can impersonate legitimate users, bypassing perimeter security mechanisms and remaining hidden within corporate networks for long periods. The time required to identify and contain a data breach is 287 days.
Password managers and methods like single sign-on offer some relief from these challenges, storing and remembering complex passwords for each account so users don’t have to. However, they are still not universally popular with consumers. The result? Users reuse easy-to-remember credentials across multiple personal and corporate accounts, leaving them vulnerable to brute force attacks such as credential stuffing.
It’s not just about security risks. Passwords take a lot of time and money for IT teams to manage and can add friction to the customer journey. Breaches can force mass password resets across high volumes of accounts, which degrades the user experience in both B2B and B2C environments.
How eliminating passwords can benefit your business
In this context, passwordless authentication offers a great leap forward. By replacing static credentials with a biometric factor such as facial recognition, a security code, or a one-time code (OTP) sent via email or text, organizations can eliminate the associated security and administration headaches in one fell swoop.
By implementing this approach for B2B and B2C operations, organizations can:
- Improve user experience: logins become smoother and users no longer need to remember their passwords. This could even drive better sales if fewer shopping carts are abandoned because of login problems.
- Improve security: if there are no PINs or passwords to steal, organizations eliminate a key vector for compromise. It is claimed that passwords were to blame for 84% of data breaches last year. At the very least, this makes it harder for attackers to get what they want, and brute force attacks, which currently number in the billions each year, would become a thing of the past.
- Reduce costs and reputational damage: by minimizing the financial damage caused by ransomware attacks and data breaches. You’ll also reduce the IT administration costs associated with password resets and incident investigation. One report indicates that each password reset can cost up to 150 euros ($200) and that resets can consume as much as 30,000 hours of lost productivity per year, not to mention the IT time that could be spent on higher-value tasks.
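As an added example (not from the article), the following Python sketch shows what a server must check when it accepts a one-time code sent by email or text, the OTP variant described above: the code is random, expires quickly, is accepted only once, tolerates only a few guesses, and is compared in constant time. The class and field names, the six-digit format, the five-minute lifetime and the five-attempt limit are all assumptions for illustration.

```python
"""Added example (not from the article): a minimal server-side store for
one-time codes (OTP) sent by email or SMS, with the checks a passwordless
login needs: short expiry, single use, attempt limiting and constant-time
comparison. All names and limits below are assumptions for illustration."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

OTP_DIGITS = 6            # assumed code length
OTP_TTL_SECONDS = 300     # assumed lifetime: 5 minutes
MAX_ATTEMPTS = 5          # assumed guess budget per issued code


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class OtpService:
    # The clock is injectable so expiry can be tested without waiting.
    clock: Callable[[], float] = time.time
    pending: Dict[str, PendingCode] = field(default_factory=dict)

    def issue(self, user_id: str) -> str:
        """Create a fresh random code for the user, replacing any earlier one."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self.pending[user_id] = PendingCode(code, self.clock() + OTP_TTL_SECONDS)
        # Hand the code to the email/SMS sender; never write it to logs.
        return code

    def verify(self, user_id: str, submitted: str) -> str:
        """Return 'ok' or a reason the code was rejected."""
        entry = self.pending.get(user_id)
        if entry is None:
            return "no_code"
        if entry.used:
            return "already_used"        # a code is good for exactly one login
        if self.clock() > entry.expires_at:
            del self.pending[user_id]
            return "expired"             # narrow window limits an intercepted code
        if entry.attempts >= MAX_ATTEMPTS:
            del self.pending[user_id]
            return "locked"              # six digits are guessable without a budget
        entry.attempts += 1
        if not hmac.compare_digest(entry.code, submitted):
            return "wrong"
        entry.used = True
        return "ok"


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("alice")            # constructed user
    print(svc.verify("alice", code))     # ok
    print(svc.verify("alice", code))     # already_used
```

A rejected status other than "wrong" (an "already_used" or "expired" result for a code the user never typed, for instance) is worth alerting on, since it is the trace an intercepted code leaves behind.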
What’s holding back passwordless authentication?
However, “no passwords” is not synonymous with a panacea. Several barriers to its implementation remain, including:
- Security is not 100% guaranteed: SIM swapping attacks, for example, can let attackers bypass one-time passcodes (OTP) sent via text message (SMS). And if attackers can access devices and machines via spyware, they could intercept those one-time codes.
- Biometrics are not foolproof: authenticating with a physical attribute that the user cannot change or reset raises the stakes if attackers find a way to compromise the system. Machine learning (ML) techniques are already being developed to undermine speech and image recognition technology.
- User reluctance: there’s a reason passwords have endured despite their major security shortcomings: users instinctively know how to use them. Overcoming fear of the unknown is easier in a business environment, where users have no choice but to follow the rules. But in a business-to-consumer (B2C) world, it could create enough additional friction to discourage customers. Care must therefore be taken to make the login process as seamless and intuitive as possible.
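The first barrier above is that a code sent over SMS or email can be taken from the channel or from the device. The added example below (not from the article, and going beyond what it describes) shows the alternative that device-bound authenticators such as Windows Hello rely on: a challenge-response in which the secret never leaves the device, and each answer is bound to the site’s origin and to a fresh, single-use challenge, so a captured answer cannot be replayed and an answer produced for a look-alike site is rejected. For simplicity the device and server share an HMAC key (an assumption of this example); real authenticators use a per-site key pair and the server holds only the public key. The class names, the user, the origin and the look-alike origin are all constructed for the example.

```python
"""Added example (not from the article): toy device-bound challenge-response
login. The device's key is never transmitted, so there is no code to intercept
or to obtain by SIM swapping. Shared HMAC key instead of a key pair is an
assumption made to keep the example in the standard library."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def _message(origin: str, challenge: bytes) -> bytes:
    # The answer covers both the origin and the challenge, which is what
    # makes it useless on another site or in a replay.
    return origin.encode() + b"\x00" + challenge


class Device:
    """Holds the secret; only answers challenges, never reveals the key."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def assertion(self, origin: str, challenge: bytes) -> bytes:
        # 'origin' is what the client platform sees, not what the user types.
        return hmac.new(self._key, _message(origin, challenge), hashlib.sha256).digest()


class Server:
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.keys: Dict[str, bytes] = {}            # user -> device key
        self.challenges: Dict[str, bytes] = {}      # user -> outstanding challenge

    def register(self, user_id: str, key: bytes) -> None:
        self.keys[user_id] = key

    def new_challenge(self, user_id: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self.challenges[user_id] = challenge
        return challenge

    def verify(self, user_id: str, assertion: bytes) -> bool:
        challenge: Optional[bytes] = self.challenges.pop(user_id, None)  # single use
        key = self.keys.get(user_id)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, _message(self.origin, challenge), hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def demo() -> Dict[str, bool]:
    """Run the three cases: genuine login, replay, and look-alike origin."""
    key = secrets.token_bytes(32)
    device = Device(key)
    server = Server("https://login.example.com")      # constructed origin
    server.register("alice", key)                     # constructed user
    results: Dict[str, bool] = {}

    challenge = server.new_challenge("alice")
    answer = device.assertion(server.origin, challenge)
    results["legit"] = server.verify("alice", answer)
    results["replay"] = server.verify("alice", answer)   # challenge already consumed

    challenge = server.new_challenge("alice")
    # Answer computed for a constructed look-alike origin: rejected by the real server.
    wrong_origin = device.assertion("https://login.example.com.evil-example", challenge)
    results["look_alike"] = server.verify("alice", wrong_origin)
    return results


if __name__ == "__main__":
    print(demo())   # {'legit': True, 'replay': False, 'look_alike': False}
```

The contrast with an emailed or texted code is that nothing reusable ever crosses the network: the challenge is worthless without the device, and the answer is worthless anywhere but on the site that issued the challenge.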
The world is slowly moving towards passwordless authentication as online threats show no sign of abating. In this situation, you need to ensure that your organization develops apps with the latest technologies, helping your users reduce the likelihood of attacks and promoting your product.
Passwordless authentication is the future. Many tech experts predict that 60% of large global enterprises and 90% of midsize companies will implement passwordless authentication methods. iOS, Microsoft, and Android can use passwordless authentication to create single sign-on. Applications such as Windows Hello or Global Dots already exist to verify the user’s identity.
Deploy passwordless authentication now to reduce the means of attack, improve user experience, and lower operating costs.