How To Do Away with Passwords
By Quan Nguyen
June 9, 2021
How many passwords do you have? You likely have more than you can remember. In fact, users often have upwards of 90 online accounts and reuse 51% of their passwords. If you can remember all your passwords, it is likely that you reuse a portion of them, which is a serious risk for losing personal information. As more businesses connect to their users through online accounts, the number of username and password combinations keeps rising while password reliability and security keep falling; anyone with the right credentials can access your account, from anywhere. Because of this vulnerability, companies worldwide should take steps to do away with passwords. Here is what you and your company should know to do so.
The Cost and Inconvenience of Passwords
When it comes to protecting personal data, users want both security and convenience. Unfortunately, current password practices are inconvenient and even increase the likelihood of breaches. Users with many online accounts find juggling 90+ unique passwords a nightmare. Even worse, a computer can run through every possible combination of a short or common password in well under a second.
Keeping tabs on such a massive number of passwords puts users into password overload, where there are simply too many passwords to manage. On top of that, some apps still force users to reset passwords frequently for "security," a practice current guidance (NIST SP 800-63B) advises against precisely because it leads to weak, predictable passwords or outright reuse. Reusing a password across accounts is like handing an attacker a skeleton key: once any one site is breached, the same credentials open the rest.
In the case of maintaining multiple passwords, a user may forget one and call the app's help desk for a password reset. Companies can spend up to $70 in labor cost for a representative to reset a single password. The cost of this service, factoring in long wait times, call transfers, angry customers, and technological errors, can run to millions of dollars per year. In 2018, Microsoft's director of program management noted that $2 million a month was being spent helping users change passwords through help desks. Not only do passwords make for a terrible user experience, they are also costly for the companies involved.
Understanding Passwordless Authentication
Forms of authentication fall into three factors: something you have (a smartphone or security key, for example), something you know (a password or PIN), and something you are (biometrics). Biometric authenticators use a physical characteristic such as a fingerprint or face to verify the user. Two-factor authentication (2FA) requires two different factors. Usually, 2FA combines something you have with something you know: an ATM asks for your bank card (something you have) and its PIN (something you know). As companies and apps move away from passwords, the combination can shift to something you have plus something you are, with the biometric check done on the device itself. Alternatives to passwords vary in strength, but a properly implemented second factor raises the bar well above a standalone password, because a leaked password alone no longer opens the account.
Large companies such as Google are members of the FIDO Alliance and have implemented FIDO authentication in their web services. FIDO aims to make phishing-resistant 2FA the standard login method, replacing password-only logins. Under the FIDO standards, the user's device (an authenticator such as a security key, phone, or laptop) generates a fresh key pair for each website at registration. The private key never leaves the device; only the public key is sent to that website, which stores it with the user's account. On later logins the site sends a random challenge, and the user is authenticated when the device signs it with the private key (proving possession of the device) after a local unlock (PIN, biometrics, etc.). The PIN or biometric is checked on the device and is never transmitted. Some businesses pair this 2FA method with single sign-on services for convenience, which concentrates trust, and the impact of a compromise, in the identity provider. This goes to show how much weight convenience carries relative to security.
Process To Do Away with Passwords
Transitioning away from passwords may introduce difficulties since people are unwilling to expend extra efforts. The process of implementing password alternatives must appeal to users’ need for convenience. Instead of forcing the responsibility of password management on your users, here are some steps for companies to do away with passwords.
Encourage password manager apps. While the safest practice is to move away from legacy authentication altogether, a password manager is the minimum step for improving password security. Password managers such as LastPass or 1Password store your passwords in an encrypted vault that only you can unlock with a master password.
Pros
- Users only need to remember one password
- Can keep track of virtually infinite passwords
- Each password can be as complex, arbitrary, and long as you want
Cons
- Users may forget master password
- Premium tiers and team plans usually cost money
- An attacker who obtains the master password gets every password in the vault, so the master password must be long and unique and the vault should be protected by a second factor
FIDO2 Integration. Connect your business with FIDO (Fast Identity Online) to enable 2FA and biometric logins. FIDO2 has two parts: Web Authentication (WebAuthn), a W3C standard that exposes passwordless credentials to websites through a standard browser API (navigator.credentials), and the Client to Authenticator Protocol (CTAP), which lets the browser or operating system talk to external authenticators such as USB or NFC security keys. Your server only needs to issue random challenges and verify the signed responses against the public keys it stored at registration; a WebAuthn server library handles the parsing.
Pros
- Credentials are unique to every website (one key pair per site), so a breach of one site cannot be replayed against another, and the browser only offers a credential to the site it was registered for, which defeats phishing
- Private keys are generated and stored on your device (often in secure hardware) and never reach a server; the server holds only the public key
- Super-fast and convenient biometric options
Cons
- Biometrics cannot be changed like passwords if compromised, though under FIDO the biometric check happens on the device and the biometric data is never sent to the website
- Depends on supporting hardware, operating system and browser, and losing the device needs a recovery path, so users should register a backup authenticator
DIY Passwordless Authentication. Instead of relying on third-party apps and services for passwordless login, you can build it yourself. This approach replaces the password with a random, single-use, short-lived token delivered out of band, typically as a "magic link" in an e-mail or a one-time code over SMS. A token is created for each login request; the server stores only a hash of it together with an expiry, and once the token is redeemed the browser holds an ordinary session cookie rather than the token itself.
Pros
- Customizability with access to source code
- All data can be kept localized
Cons
- Must have coding knowledge (server-side code as well as HTML and JavaScript) and must get the details right: cryptographically random tokens, hashed at rest, short expiry, single use
- Can be time consuming and inconvenient for the company
Protecting User Privacy. In addition to changing the login process, companies can alter their apps to limit data collection. Protecting user privacy might include turning off personalized ads in the app, recommending browser use instead of native apps (biometric login via WebAuthn is increasingly available in browsers), and encrypting locally stored data with tools such as Folder Lock or CryptoExpert.
Pros
- Little to no additional steps for user
- Limits what an attacker can take if the app or its servers are breached, which complements a passwordless login
Cons
- Browser use is typically less preferable than apps
Implement humanID. humanID verifies your identity through SMS messaging. A unique identifier is derived from the user's phone number with a one-way hash, and the phone number itself is then erased from humanID's databases. Because the identifier is hashed, it cannot be reversed to recover the number. (As with any hash of a low-entropy value such as a phone number, that guarantee depends on the hash being keyed with a secret the service protects; a bare, unkeyed hash of a phone number can be brute-forced by enumerating numbers.)
Pros
- Completely anonymous
- Fast and secure
- Great for user experience
Cons
- Users may prefer other third-party logins that they are already logged into
Conclusions
So are passwords going away for good? Most likely not yet. The rough edges of passwordless alternatives, such as account recovery, lost devices and legacy systems, still need much more work. However, more companies are taking steps to transition away from passwords as the primary login. Until more practical methods are widely available, apps will still likely need passwords as a fallback in case passwordless authentication fails, and that fallback path must be protected as carefully as the primary one. The goal of passwordless is to eliminate the cumbersome task of managing multiple passwords. Transitioning away from legacy authentication starts with 2FA and introducing options like biometric login. Doing so dissuades users from creating weak passwords or reusing them, which otherwise hands attackers ready-made lists for credential stuffing.
Companies also need to consider implementing strategies to enhance privacy by minimizing data collection. Given the weak state of password security, it is wiser to assume that a data breach is inevitable and plan accordingly. This assume-breach mentality, a core tenet of Zero Trust, encourages companies to limit what an attacker who does get in can take and leak. Thus, one should consider humanID when thinking about enhancing privacy within user logins. humanID is the superior option, offering anonymity and convenience. Your business's enhanced security will bring more satisfied users and cut costs on help desk calls.