Could Data Protection Day 2020 mark the beginning of the end for passwords?
Password-based security systems are inconvenient and vulnerable, but resilient to change. Replacing them with new techniques would be good news for users and administrators alike.

A lot has changed in the cyber-security landscape since the Council of Europe first launched Data Protection Day on 28 January 2006. However, much has also remained the same - especially when it comes to authentication.
Even though there have been substantive improvements in biometrics, public key cryptography and other advanced methods of authentication, passwords have proven to be impressively resilient. As we enter the new decade, it’s high time to address the fact that the shared-secret model of password-based authentication is holding data security back in a way that is becoming unsustainable.
Today, the average consumer has dozens of accounts online, with a handful of often recycled passwords ‘protecting’ them. Not only is this a nuisance, it is also an incredibly potent security risk, as the information standing between hackers and valuable data is stored in centralised databases that are easily compromised. Once hackers gain access to that information, they can use it for password spraying, credential stuffing and other attacks that lead them straight into users’ accounts.
Even among IT professionals, who should lead the way when it comes to secure authentication, 69 per cent admit to sharing passwords with colleagues and over half reuse an average of five passwords across business and personal accounts, according to a survey released last year.
With nearly 50 per cent of shopping-cart abandonment attributed to password issues (according to a Visa study) and a large proportion of costly IT support calls within enterprises related to passwords, weak authentication is also becoming an economic burden for many businesses.
In short, there is a clear financial and reputational need to incentivise new authentication methods that eliminate our reliance on password-only technology.
There are clearly many benefits that come with transitioning towards password-less authentication. For starters, it considerably improves user experience and decreases the costs associated with password management and data breaches. From the IT practitioner’s perspective, it favours interoperability, unlocking value within and across businesses and public services, while supporting the digital transformation efforts needed to reap the benefits of the platform economy. Security professionals’ lives also become a bit easier, as numerous attack vectors, such as phishing, are eliminated.
Businesses that are holding off on adopting more secure and efficient authentication methods will have to update their practices eventually. Authentication is the cornerstone of secure digital transformation for businesses and beyond that a pillar of the Fourth Industrial Revolution: from Internet of Things devices requiring authentication for machine-to-machine communication, to artificial intelligence that will be used both to secure and bypass authentication systems, and even blockchain, for which trustworthy authentication is the key to mass adoption. As these technologies become more readily accessible, passwords will become increasingly obsolete.
Accelerating the adoption of sophisticated authentication methods will require leading industry stakeholders to continue to commit to creating and implementing technical standards and established best practices, which can also inform emerging government regulation around this technology.
Luckily, this is already happening, with wide-ranging standards for multi-factor authentication and biometrics already in place, revolutionising the way that consumers log into their accounts. This industry-backed approach presents a user-friendly approach to public key cryptography that allows consumers to log in directly through the leading browsers, phones and PCs they already use on a daily basis, without wasting a single second on password management.
While it is not realistic (nor necessary) to expect organisations to be able to eliminate all passwords overnight, tangible steps need to be taken to decrease any dependence on them - if for nothing else, at least to shore up the security of user data and establish trust for how it is handled.
It’s in everyone’s interest for this new rising tide of strengthened authentication to lift all boats and to build the foundation for a world without a reliance on passwords.
Andrew Shikiar is executive director of the FIDO Alliance.