Why are passwords so difficult to replace?

Nic Sarginson, Principal Solutions Engineer at Yubico outlines how the dangers of passwords should be a wake-up call for businesses and employees engaging in risky password activities.

This year, World Password Day was an annual reminder of the importance of online security was even more acute. We’ve all relied on digital services for more than usual, with hybrid work environments, online shopping and digital banking the norm for many in lockdown. Strong passwords and robust password practices are the absolute minima for securing online identities, but time and again, they’ve been proven inadequate as a single line of defence. 

Passwords have grown beyond anything that we could have imagined from their humble beginnings in small, internal networks where there was an inherent level of trust. Now, we use them all the time, and they’re no longer up to the task. Enterprises have realised this – arguably too late – but passwords are so deeply embedded in processes and systems and user psyche that people continue to rely solely on them. 

Risky password practices

Yet, research shows us that 39 per cent of people reuse passwords across workplace accounts and, even more worryingly, that 51 per cent sometimes or frequently share passwords with colleagues. These are risky behaviours that leave enterprises vulnerable should a password become compromised. 

Even passwords that meet the criteria to be considered strong, by being unique and complex, have weaknesses. They’re not invulnerable to modern phishing attacks, and their apparent strength is wiped out if people write them down on a post-it note or document that can be accessed easily. 

It’s easy to blame the user for all of this. People are told that they should choose unique and complex passwords. They shouldn’t keep a record of them anywhere. They should change them regularly. Such an outlook completely misses the point of the user experience. Authentication should be frictionless. Strong, yes absolutely, but also usable otherwise, people will find workarounds to do what they need to do. That will involve keeping records of passwords, reusing them and even sharing them.  

World Password Day should be a wake-up call 

It is time to strengthen authentication practices and put the needs of those being authenticated at the heart of a new approach. Enterprises should deploy multi-factor authentication (MFA) in their organisations because it uses more than one way to confirm a user’s identity. Typically, a password is still the first check, but this is supplemented with additional factors such as a one-time password (OTP), a security key, or a biometric identifier such as a fingerprint. 

Fortunately, there are signs of MFA progress. Nearly three-quarters (74 per cent) of respondents to a Yubico/451 Research study said their organisations plan to increase spending on MFA this year. They are deploying mobile OTP authenticators (58 per cent of respondents), biometrics (54 per cent), mobile push-based MFA (48 per cent) and SMS-based MFA (41 per cent).

The main driver for this is, of course, increased security. Yet, the same survey raises some alarm bells around the user experience. User convenience features low in the main reasons for adopting MFA – mentioned by only 16 per cent. In fact, the user experience was actually the main concern or drawback in deploying MFA for 43 per cent of respondents.

The MFA user experience

Enterprises should recognise the importance of usability in the take-up of enhanced security. After all, research shows most individuals will only adopt new technologies that are easy to use and that significantly improve account security.

The challenge is to balance heightened security with usability and convenience, and here, more needs to be done to achieve a meeting of minds between IT and users. While mobile apps and SMS-based MFA are popular choices among our surveyed managers and IT professionals, our earlier study revealed that 54 percent of individuals feel that SMS or mobile apps disrupt their workflow and 23 percent find them very inconvenient.

Hardware-based MFA security keys provide another way. Employees register their key with the applications and devices they use. When they log in, they present the key as part of an authentication process that proves they are who they say. This approach introduces something the user has into the authentication workflow instead of relying solely on something they know (a password) with all the shortcomings we know. Complex cryptographic actions occur in the background, proving not only that the user is who they say they are but that the service they are connecting to is also genuine. Advanced protection, for both the user and the enterprise, occurs, yet the user’s experience is a simple touch or maybe PIN entry.

READ MORE: 

Companies need clear IT security roadmaps to take them from current inadequate password practices to stronger security for better protection. Passwords have proven surprisingly resilient as digital has occupied an ever more central role in our lives, but they aren’t difficult to replace with the right technology. Now, given how work and home networks and flows are blending, it is time to act.  

For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!

Follow us on LinkedIn and Twitter

Amber Donovan-Stevens

Amber is a Content Editor at Top Business Tech

Rise of the machines.

Ahsan Zafeer • 26th November 2022

Ahsan Zafeer covers topics related to tech and digital marketing and tweets @AhsanZafeer. Here he explains people’s fears as to why machines are taking over their jobs.