A productivity battle is being fought at offices everywhere. On one side is the user, who just wants to file that report or send that email. On the other, is the authentication process that requires using a password to log in to the many tools and services employees need to complete their jobs.A password is needed to access a desktop, a VPN, Dropbox, Outlook, G Suite, Salesforce and pretty much any application that’s used in the enterprise.
“It’s difficult for me to remember a single password, let alone multiple passwords,” said Veridium Chief Product Officer John Spencer. “Passwords are a huge challenge to users, they’re a huge challenge to organizations.”
To avoid committing multiple passwords to memory, people come up with creative password management strategies like writing passwords on Post-It notes affixed to their keyboards, using password managers like LastPass and using the same password across multiple applications and services. While each method improves the user experience, they aren’t the best security practices.
Password management policies add to user frustration
Adding to the already negative user experience workers have with passwords are the password management policies put in place by IT departments to increase security. These policies usually require workers to change their passwords periodically and make them complex by including special characters, numbers and capital letters.
“Remembering one password is problematic. Remembering multiple passwords is problematic. Having to change them every 30 day or so and adding complexity to the format of the password is a huge format for many users,” he said.
Inevitably, employees forget their passwords and contact IT to reset them. This process can prove lengthy and require contacting IT or, in large companies with strict security policies, an employee’s boss.
‘[Password resets] are very expensive for business and can cost significant amounts of money for organizations,” Spencer said.
Password resets can mean people spend their day resetting a password instead of working. Then there are the operational costs to password resets. Password resets cost companies $70 per employee, according to Okta. Veridium estimates that password resets annually cost organizations $1.9 million based on an enterprise with 10,000 employees. Out of all the tasks IT administrators handle, passwords resets probably rank low. Their time could be better spent on projects that add value to the business.
Passwords have a security problem
In addition the productivity issues associated with passwords, they also have a security problem. They aren’t an ideal way to protect data. Passwords are frequently stolen in data breaches or phishing attacks and end up with threat actors who use them in other attacks. Just look at the Verizon Data Investigations Breach Report. Each year it seems to list phishing and stolen credentials as two of the top tactics used by attackers. The 2019 report was no exception: 32 percent of the 41,686 security incidents covered in the report involved phishing and 29 percent involved stolen credentials.
Adding to the security issues around passwords is that people violate a cardinal security rule and reuse them (that’s in addition to other poor security practices like slightly modifying passwords or using common phrases). With credentials commonly exposed in data breaches (Veridium calculated that 390 million passwords were exposed in some of 2018’s largest data breaches), there’s an increased chance that, eventually, a person’s username and password will end up in the public domain. Attackers know that people reuse passwords and that there’s a chance a stolen password could get them into users’ high-value accounts.
To mitigate the security risks associated with passwords, organizations are implementing two-factor authentication. This can take the form of a one-time password sent as an SMS or emailed to a person or a mobile app that generates a passcode. “[Passwords] are so distrusted that companies need to add a second layer of authentication,” Spencer said. “These methods are expensive, but they’re also a necessity.”
Enter passwordless authentication
While passwords frustrate the enterprise world, authentication has evolved in the consumer space thanks to smartphones with biometric sensors. Instead of using a password or PIN to unlock a phone or access a mobile app, people use their biometrics. Passwordless authentication is now the preferred way to authenticate for any mobile related activity.
“It’s easy. It’s convenient. You can’t forget your biometric. We know how to use the technology. We trust it and biometrics are difficult to spoof,” Spencer said. Gradually, this technology is appearing in enterprises, enabling employees to use passwordless authentication at work. By removing passwords from the authentication process, organizations can:
Increase security: Phishing, password reuse and other security risks linked to passwords are mitigated Phishing attacks lose their potency if there aren’t any credentials to con out of employees. And if there aren’t passwords to steal, threat actors can’t use them to infiltrate companies.
Improve the user experience: Employees don’t have to commit multiple passwords to memory (or think of clever password management policies) or come up with new, complex passwords on a frequent basis.
Boost productivity: People don’t waste time trying to remember their password and then contacting IT to reset it when they’re locked out of their email account after multiple failed log-in attempts. Meanwhile, IT departments can handle more important tasks.
Lower costs: The expenses tied to password resets and two-factor authentication are lowered when passwords are eliminated.
Watch the video below to hear more about the benefits of passwordless authentication.