It’s time to get rid of the password for more secure protection

The UK Government announced this month that cyber breaches are at an all-time high with just under half (46%) of all UK businesses identifying at least one breach or attack in the last 12 months.

Finding a way to increase security without negatively impacting employees, partners or customers’ user experience can be a tough balancing act. Put simply, security is not on the top of users’ priority lists, especially when there is critical work to be done.

Tougher password policies result in poor password hygiene (password reuse across multiple accounts, writing down passwords), password resets and increased calls to the IT help desk, all of which increase user frustration.

>See also: Think before you speak: voice recognition replacing the password

Passwords aren’t very good at safeguarding organisations either as 81% of hacking-related breaches leveraged either stolen or weak passwords. There have been thousands of recent documented breaches of large household names, for example the LinkedIn breach where 160 million usernames and passwords were stolen.

These credentials are then used to gain access to other sites and services causing further harm. No matter what the level of education and strong password policy involved, once the bad actors have a valid set of credentials they can walk in through the front door to get assets and information.

Unless something changes, 2017 will only see more of the same. Single-factor, password-based authentication – and even many traditional two-factor authentication (2FA) approaches – are evidently no longer enough in today’s increasingly digital world.. A new approach to authentication must be sought.

>See also: World Password Day: a game of “fact or fiction”

Forward-thinking industry professionals recognise that it is time to move beyond the password. At the end of last year, SecureAuth surveyed IT decision makers and found that 83% predict that their organisations will be passwordless in five years’ time.

It’s not much of a surprise that millennials are leading the trend, with nearly half (49%) believing their organisation will do away with passwords, compared to only a third (32%) of 35-54 year olds. The prodigious breaches of 2015 and 2016 have had an effect – they understand the need for a paradigm shift in authentication.

In fact, IT decision makers predict their organisations will be implementing physical biometrics (49%), device recognition techniques (30%), and geographic capabilities (29%). All of which are possible through adaptive authentication techniques.

This new modern approach to authentication is made possible by using something you have (such as a mobile phone), and something you are (biometric fingerprint) and layering it with risk-analysis checks. This includes techniques such as whether the device is familiar and trusted, or if an IP address is good, as well as analysis of the geographic location, plus many others. These risk-analysis checks work behind the scenes and invisibly to the user, so there is no extra step and there is no compromise to security.

>See also: The need for better password security

As a result, the login experience doesn’t have to be bad. Users no longer have to remember multiple passwords for different accounts that are 12 characters long, include an uppercase letter, numbers and symbols. Or have the additional cumbersome step to take with some two-factor authentication methods.

Forcing a user to jump through additional security hoops at every login attempt is an old method that has plagued the security industry for far too long. But recent innovations in this space means organisations can strike the balance between strong security and great usability with secure passwordless authentication. Preventing the misuse of stolen credentials solves more of a business and security problem than a security problem alone.

>See also: Password ignorance will lead to cyber attacks

The passwordless approach uses methods convenient to the user to authenticate, layering security checks in the form of risk-analysis that executes in the background. This both improves the user experience, reduces the calls (and cost!) at the IT helpdesk, while maintaining a strong security posture, thwarting attackers attempts and preventing the misuse of stolen credentials.

Modern approaches bring greater security to organisations and users, while not bothering authorised users unless there is a high risk score. This fundamentally new approach integrates with existing infrastructures to perform risk-analysis and identity-based threat detection that simultaneously strengthens prevention, detects threats and works invisibly to the user. Users must buy in to help companies close the front door to prevent becoming the next mega breach in the news.


Sourced by James Thompson, VP EMEA at SecureAuth


The UK’s largest conference for tech leadership, Tech Leaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...