Protecting data will eventually not involve using passwords, judging by a BBC article on why passwords don’t work and what will take their place.
Passwords “have been in the news lately for all the wrong reasons,” said the article, citing the Quora website hack that exposed the passwords of 100 million users and the Yahoo data breach, which exposed data, including passwords, on 3 billion users.
Other notable companies that have recently suffered security incidents resulting in leaked passwords include T-Mobile (2 million passwords), MyHeritage (92 million passwords) and MyFitnessPal (150 million passwords). In fact, 390 million passwords were exposed in some of 2018’s largest data breaches, based on Veridium’s calculations.
Given the problems with passwords, companies are looking to use them less for authentication, said the article. Microsoft, for example, “announced last year that the company planned to kill off the password” and “Gartner predicts that by 2022, 60% of large businesses and almost all medium-sized companies will have cut their dependence on passwords by half.”
“Passwords are the easiest approach for attackers,” Veridium Chief Executive Officer John Spencer said. “People tend to use passwords that are easy to remember and therefore easy to compromise.”
In addition to improved security, eliminating passwords saves IT departments time and money since there aren’t passwords to reset, Veridium told the BBC.
“There is an annual cost of around $200 per employee associated with using passwords, not including the lost productivity. In a large organization that’s a really significant cost,” he said.
Enter biometrics and behavioral information
Biometrics used along with behavioral information will likely replace passwords for authentication, according to the article. While companies preferred to use tokens, passwords and one-time passwords for authentication, there’s greater interest in using biometrics. “According to the 2019 KPMG International Global Banking Fraud Survey, 67% of banks have invested in physical biometrics such as fingerprint, voice pattern and face recognition,” the article said.
While “biometrics offer a more frictionless consumer experience,” their use was stymied by the need for hardware that could read biometrics. That has changed as more smartphones come equipped with biometric sensors, the BBC said.
Behavioral information adds another layer of security to authenticating with biometrics. Since individual behavior is nearly impossible to mimic, incorporating it into authentication helps prevent attackers from using a spoofed biometric. Behavioral information includes data like location and purchasing history. It also encompasses behavioral biometrics, which is how people interact with their phones. Behavioral biometrics uses sensors like accelerometers and gyroscopes to collect data on how people hold their phones or the pressure they use to type, among other data.
“Is biometrics going to replace passwords? No, a combination of factors is going to replace passwords, we are and we should be moving toward this,” said Ali Niknam, chief executive of Bunq, a mobile-only bank, in the article.
The FBI recently called for using either biometrics or behavioral data for multi-factor authentication instead of one-time passwords. The law enforcement agency found that attackers had grown more skilled at using social engineering and technical methods to obtain OTPs and decrease the effectiveness of MFA.
Biometrics and behavioral information authentication are starting points
Biometrics and behavioral information are just two components of a broader passwordless authentication strategy. Using either one on its own for authentication won’t help organizations reap the full benefits of going passwordless, such as increased security and an improved user experience. That requires taking a holistic approach to authentication and considering these points:
— Is the biometric data being stored securely?
— Is a passwordless authentication platform that works in complex IT environments being offered?
— Are passwords, and the ability to use them for authentication, completely eliminated?