
A future without passwords is closer than ever
24 May 2022

Passwords are one of the simplest authentication methods in common use, but they are not secure. Fortunately, alternatives are on the way. We tend to choose passwords that are short and easy to remember (and therefore easy to guess) and, because we need them for a wide range of websites and online accounts, we often reuse the same password across different sites. Password managers, which create and manage unique, long and complex passwords, are a good way to improve security. However, only the tech-savvy tend to use these tools, leaving everyone else exposed.
Passwords have historically been the standard for securing online accounts, yet they are fast becoming outdated, for two obvious reasons. First, with no additional layer of security, anyone who guesses the password can access all your personal data (more than 60% of data breaches are the result of compromised passwords, as described in the “2021 Data Breach Investigations” report by Verizon). Multi-factor authentication is one solution that significantly reduces this risk. Second, when users reuse the same passwords the risk of breaches increases: if cybercriminals manage to access one account, they can use the password and personal data found there to access others.
Sites such as HaveIBeenPwned raise awareness of how often the same accounts are exposed repeatedly, often with the same passwords, putting victims at risk of having their accounts compromised. The high security risk associated with passwords, and the steadily rising cost of IT security that follows from it, is one aspect that needs to be taken into consideration. There are other costs too, for example customer service.
Even though the password reset process is handled digitally through a self-service flow, many users still prefer to call telephone support. Research by Futurae, conducted on more than 100 banks around the world over the past four years, shows that approximately 40-45% of calls to financial service providers’ help centres relate to password reset problems. The cost of handling these calls in terms of human resources can run to hundreds of thousands of dollars a year. According to Gartner, a 5 minute call to a service centre costs an average of 25 euros. Therefore, 20,000 calls a year is equivalent to a cost of half a million euros for a large financial services provider.
There are authentication solutions on the market today that eliminate passwords and authenticate users by other means. This process is known as passwordless authentication. How exactly does it work? In general, it begins with the user entering their username (or pressing a button that lets the user log in with previously entered credentials). After that, passwordless authentication can be implemented in a number of ways. For instance, the user can:
- receive an email with a confidential link that the user can open to log in;
- receive an SMS containing a one-time code that the user needs to enter on the login page to successfully authenticate;
- receive a push notification and approve the login via a mobile app (sometimes also called an authenticator or trusted app) running on the user’s phone or, alternatively, scan a QR code that requires the user to approve that specific login. The authenticator app is associated with the account in advance and acts as a trust anchor that can be used to log in from other devices, applications or browsers. If the user’s phone is equipped with biometric authentication (for example, on iOS devices, fingerprint reading via Touch ID or facial recognition via Face ID), the authenticator app may require an additional step to approve the login.
So is passwordless authentication secure? It depends on the method used and on who is trying to carry out the attack. Methods based on email depend on the security of the email account, which itself often relies on a password. In this case, enabling 2FA (2-factor authentication) on your email account undoubtedly helps. Authentication via SMS is tied to the security of SMS messages, which are known to be vulnerable to interception (the attack exploits weak points in the telephone network to intercept SMS messages) and to SIM-swap attacks (through social engineering, the attackers obtain a SIM activated with the user’s phone number, allowing them to receive the SMS messages intended for the user).
Login approval via an authenticator app is probably one of the most secure methods and, combined with the biometric readers already available on the device (or, in their absence, at least a PIN), offers a passwordless 2FA experience. A cybercriminal who wants to log in to your account needs to gain access to your phone (the first factor, something you have) and then bypass the biometric authentication on the phone (the second factor, something that proves it is you). So be careful: only approve login attempts that you actually initiated yourself. Don’t automatically approve every login request that arrives via the app, as you may unknowingly be approving an attacker’s login attempt.
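The three methods listed above (email link, SMS code, push approval) and the advice to approve only the login you initiated can be made concrete with a small server-side challenge service. The following is an added example written for this page; it is not code from the article or from Futurae. It assumes a server-side key, a 5-minute challenge lifetime and a 5-attempt limit (all constructed values), stores only an HMAC of the delivered code or link token, compares in constant time, makes every challenge single-use, and lets the enrolled authenticator device approve only a specific pending login attempt rather than "any" login.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed policy values (not from the article): lifetime of a login challenge
# and how many wrong codes are tolerated before the challenge is invalidated.
CHALLENGE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


@dataclass
class Challenge:
    challenge_id: str      # public id of this login attempt, returned to the browser
    username: str
    method: str            # "email", "sms" or "push"
    secret_hash: bytes     # HMAC of the delivered link token / code; the raw value is never stored
    created_at: float
    attempts: int = 0
    done: bool = False     # set once consumed (success) or invalidated (expired / too many guesses)


class PasswordlessService:
    """Issues and verifies one-time login challenges for the three methods the article lists."""

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key
        self._now = now                                  # injectable clock so expiry can be tested
        self._challenges: Dict[str, Challenge] = {}
        self._enrolled_devices: Dict[str, str] = {}      # username -> id of the trusted authenticator app

    def enroll_device(self, username: str, device_id: str) -> None:
        """Bind the authenticator app (the trust anchor) to the account ahead of time."""
        self._enrolled_devices[username] = device_id

    def _hash(self, value: str) -> bytes:
        return hmac.new(self._key, value.encode(), hashlib.sha256).digest()

    def start_login(self, username: str, method: str) -> Tuple[str, str]:
        """Begin a login the user initiated. Returns (challenge_id, deliverable).

        The deliverable goes out of band: a link token for email, a 6-digit code
        for SMS, or nothing for push (the app is asked to approve this challenge_id).
        """
        if method == "email":
            deliverable = secrets.token_urlsafe(32)               # long, unguessable link token
        elif method == "sms":
            deliverable = f"{secrets.randbelow(1_000_000):06d}"   # short code, hence the attempt cap
        elif method == "push":
            deliverable = ""
        else:
            raise ValueError("unknown method")
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = Challenge(
            challenge_id, username, method, self._hash(deliverable), self._now())
        return challenge_id, deliverable

    def _pending(self, challenge_id: str) -> Optional[Challenge]:
        """Return the challenge only if it is still usable; expired ones are invalidated."""
        ch = self._challenges.get(challenge_id)
        if ch is None or ch.done:
            return None
        if self._now() - ch.created_at > CHALLENGE_TTL_SECONDS:
            ch.done = True
            return None
        return ch

    def verify_code(self, challenge_id: str, submitted: str) -> bool:
        """Check an email link token or SMS code: single use, time limited, attempt limited."""
        ch = self._pending(challenge_id)
        if ch is None or ch.method not in ("email", "sms"):
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(self._hash(submitted), ch.secret_hash)
        if ok or ch.attempts >= MAX_ATTEMPTS:
            ch.done = True          # consume on success; invalidate after too many guesses
        return ok

    def approve_push(self, challenge_id: str, device_id: str) -> bool:
        """The authenticator app approves *this* pending login attempt.

        Only the device enrolled for the account can approve, and only a pending
        push challenge, so there is no blanket 'approve any login' path.
        """
        ch = self._pending(challenge_id)
        if ch is None or ch.method != "push":
            return False
        enrolled = self._enrolled_devices.get(ch.username)
        if enrolled is None or not hmac.compare_digest(device_id.encode(), enrolled.encode()):
            return False
        ch.done = True
        return True


if __name__ == "__main__":
    svc = PasswordlessService(b"constructed-demo-server-key")
    svc.enroll_device("alice", "alice-phone-1")
    cid, _ = svc.start_login("alice", "push")
    print("approval from enrolled phone:", svc.approve_push(cid, "alice-phone-1"))
    print("second approval of the same attempt:", svc.approve_push(cid, "alice-phone-1"))
```

The push path is where the article's advice lives: the app is shown one pending challenge id and approves exactly that, and once consumed or expired the id is worthless, so an approval tap cannot be reused for a login attempt the user did not start.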
Beyond security, using passwords to log in to customer platforms remains a source of friction and frustration for users. Remembering and managing passwords is a tedious chore that disrupts the user experience and often costs the organisation in customer support. As customers become more demanding in terms of both security and a seamless user experience (UX), adopting a passwordless approach allows businesses to satisfy both demands. The main result of eliminating passwords is therefore an improvement in both UX and security.
Oscar Giacomin / General Manager, Facto Edizioni
© All rights reserved