We all hate passwords. That’s not a revelation. We all have too many, we can’t keep track of them, stolen or weak credentials are the leading way into breached organizations, they cost those organizations billions, and Verizon’s annual Data Breach Investigations Report reminds us of this every year!
So why are they so difficult to get rid of?
For the most part, it’s because until recently there was nothing better. Passwords, a shared secret, provide a common way to authenticate across any device. But a password is a single factor that is easily compromised, and it is no longer practical in a digital world where we have to remember, on average, 90 of them. To work around the inherent security weaknesses and user-experience issues, companies have invested in risk signals, OTPs, session cookies and other add-on strategies. But at the end of the day there is still an underlying password that can be phished, guessed or leaked, and it still causes user friction.
The good news is that over the last five years the fabric of identity and authentication has been undergoing a wholesale upgrade from usernames and passwords to cryptographic keys, in the form of the FIDO standards (FIDO2/WebAuthn). Instead of a secret that both the user and the server know, the device holds a private key that never leaves it and uses it to sign a challenge issued by the server; the server stores only the matching public key, so there is no shared secret to steal from it, and because each credential is bound to the site that registered it, a look-alike phishing site cannot obtain a signature the real site will accept. What that means is that you can replace two weak factors (for example passwords and OTPs) that are both vulnerable to phishing (and both add friction!) with a strong multi-factor approach that is more convenient and more secure at the same time. Those factors are 1) the device people already have (their phones, PCs and tablets), which now holds the cryptographic key, and 2) the user verification performed by the device (e.g. fingerprint sensor, facial recognition, PIN).
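To make the exchange above concrete, here is an added example (not code from the original post, and not FIDO Alliance or any vendor's implementation): a deliberately simplified Go model of a FIDO2/WebAuthn login, using only the standard library. The names Authenticator, Register, GetAssertion, Verify, NewChallenge and Scenarios, the relying party example.com and the look-alike origin examp1e.com, and the boolean standing in for user verification are all assumptions of this illustration; real authenticator data also carries flags and a signature counter, real challenges are base64url-encoded, and a production relying party should use a maintained WebAuthn library rather than this code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/url"
)

// Authenticator is the "device you already have": one private key per relying-party ID (RP ID); keys never leave it.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a P-256 key pair scoped to rpID; the relying party (RP) stores only the public key.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}

// clientData is assembled by the browser, not the page, so a look-alike site cannot claim another origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedMessage mirrors WebAuthn's signature input, authenticatorData || sha256(clientDataJSON), with
// authenticatorData reduced to its rpIdHash (real authenticator data also carries flags and a counter).
func signedMessage(rpID string, clientDataJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return msg[:]
}

// GetAssertion models navigator.credentials.get(): the browser derives the RP ID from the caller's origin,
// the device performs user verification (fingerprint, face or PIN; a flag here) and signs for that RP ID.
func (a Authenticator) GetAssertion(origin, challenge string, userVerified bool) (clientDataJSON, sig []byte, err error) {
	u, err := url.Parse(origin)
	if err != nil || !userVerified {
		return nil, nil, fmt.Errorf("refusing to assert for %q: bad origin or user verification failed", origin)
	}
	priv, ok := a[u.Hostname()]
	if !ok {
		return nil, nil, fmt.Errorf("no credential registered for rpId %q", u.Hostname())
	}
	clientDataJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedMessage(u.Hostname(), clientDataJSON))
	return clientDataJSON, sig, err
}

// NewChallenge returns a fresh crypto/rand nonce for one login (hex here; WebAuthn uses base64url).
func NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	return fmt.Sprintf("%x", b)
}

// Verify is the RP's check of an assertion against the registered public key; the challenge, origin
// and RP ID checks are what make the login phishing- and replay-resistant.
func Verify(pub *ecdsa.PublicKey, rpID, origin, expectedChallenge string, clientDataJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return fmt.Errorf("wrong ceremony type or stale/replayed challenge")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin mismatch: assertion was signed for %s", cd.Origin)
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(rpID, clientDataJSON), sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// Scenarios runs a legitimate login, a login attempted from a look-alike phishing origin, and a
// replay of the captured legitimate assertion against a new challenge (all inputs are constructed).
func Scenarios() (legit, phish, replay error) {
	auth := Authenticator{}
	pub, _ := auth.Register("example.com")
	c1 := NewChallenge()
	cd1, sig1, legit := auth.GetAssertion("https://example.com", c1, true)
	if legit == nil {
		legit = Verify(pub, "example.com", "https://example.com", c1, cd1, sig1)
	}
	// examp1e.com holds no credential; even if it did, the browser would write its own origin into clientData.
	_, _, phish = auth.GetAssertion("https://examp1e.com", NewChallenge(), true)
	replay = Verify(pub, "example.com", "https://example.com", NewChallenge(), cd1, sig1)
	return legit, phish, replay
}
```

Scenarios() returns nil for the legitimate login and a non-nil error for both the phishing attempt and the replay. The point to take from the model is where each defence lives: the private key never leaves the authenticator (no server-side secret to dump), the browser rather than the page fills in the origin (so a look-alike site cannot lie about who it is), and the per-login challenge is covered by the signature (so a captured assertion is worthless a second time).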
The FIDO protocols make it possible to replace passwords with strong multi-factor authentication that is very user friendly: a swipe of a finger, a look into your phone’s camera, typing your Windows Hello PIN, etc. Most users prefer these alternatives; Apple made them popular when it introduced Touch ID. Most companies have implemented biometrics in their mobile apps to alleviate some of the password friction. Very often, however, the biometric simply unlocks a password cached on the device, which is then sent to the server exactly as before, so that approach provides no improvement in security: the shared secret still exists and can still be phished or stolen. And when the user authenticates to the web version of an application, whether on their phone or PC, they’re back to… you guessed it… the annoying password.
Up until last year, one of the excuses for sticking with passwords was that Apple wasn’t on board with FIDO yet, so the puzzle was incomplete. That’s no longer the case: Safari now supports FIDO (WebAuthn), joining Microsoft Edge, Google Chrome and Mozilla Firefox in the quest to eliminate passwords. Now that FIDO support across the ecosystem makes it practical to extend the “Touch ID” concept to any device and channel, we can finally scrape off the gum. Can’t we? The challenge is that, while it seems like a no-brainer (easier and more secure), it’s a change. Digital transformation requires cross-functional support. Each stakeholder must understand the value to their organization, and why it makes sense to take a strategic, new approach versus more tactical add-ons. The organization must also have a clear roadmap for moving from the legacy approaches to the new paradigm, what I call “transition vision”.
Stay tuned for my next blogs where I’ll discuss aligning internal stakeholders on the many business benefits, the value of a strategic approach, as well as best practices for embarking on your journey to passwordless.