Face it, no one likes passwords. Several years ago, Microsoft described passwords as “inconvenient, insecure and expensive.” Since then, the company has worked towards a passwordless world. In early 2021, Microsoft introduced passwordless authentication for business clients. In September of this year, the company announced that support would be extended to all users. But what does this really translate to?
Passwords and password storage
According to one estimate, 57% of the US workforce writes passwords down on sticky notes. Sixty-six percent of workers have lost said sticky notes, resulting in significant business risk. Fifty-one percent of employees store passwords in an app or a document on their desktop. Others continue to store passwords in journals or notebooks, which can be easily identified and stolen by malicious actors.
More than 60% of workers report that they have provided a colleague with a work-related password via email or text message, communication channels that hackers can intercept. Nearly 50% of employees say that employers suggest that everyone share a password for a given account.
Cyber security and passwords
Attackers who guess, steal or otherwise obtain passwords can gain access to bank accounts, social security numbers and other valuable personal data. In some cases, hackers leverage passwords to access network systems, remaining hidden within the network until they can obtain information that allows for an even more lucrative exploit opportunity.
Password managers can help people store and manage passwords, but they’re not universally accepted or well-liked. Consequently, a large swath of employees and individuals recycle easy-to-recall passwords across platforms. In turn, employees can expose organizations to undue security risk.
Will passwordless authentication make security operations and security teams less heavily dependent on individual employee behaviors? Passwordless authentication options range from facial recognition, to use of a security key, to use of unique codes sent via email or text message. Advocates of passwordless authentication state that this move can:
- Improve user experiences. Employees may be more productive due to easier access to certain accounts, or consumers may be more inclined to make purchases from certain online stores.
- Improve security. Last year, more than 80% of breaches may have occurred due to password-related mishaps.
- Reduce costs. In addition to the fact that fewer security incidents mean fewer cleanup costs, businesses can actually suffer productivity losses due to routine employee password resets. If 10,000 employees each spend 5 minutes resetting passwords every month… that adds up.
Passwordless is not a panacea
Passwordless authentication can pose its own unique set of security challenges. For example, once biometrics are stolen, reset is all but impossible. With other forms of passwordless authentication, issuing replacement tokens or devices can eat into resources. Lastly, employees may find new processes frustrating or annoying to get used to, meaning that employers that intend to shift towards passwordless authentication should take care to make passwordless login seamless.