The most pressing concerns for businesses and consumers today are the threats of identity theft, collection of personal information and fraud. Given the multiple attack vectors available to hackers, businesses and government agencies are looking to transition to more modern forms of authentication that can close the security gaps created by the continued use of the traditional authentication method: username and password.
Although passwords remain the most widely used form of authentication, they are also the most common source of identity breaches. For hackers, passwords (and password databases) are the best way to break into a system, exfiltrate personal information, spread malware, and compromise individual accounts or entire networks.
In recent years, there has been a significant move towards multi-factor authentication as a way to combat the account takeover made possible by the continued use of password-based authentication. One of the major contributing factors has been the COVID pandemic and the strain it has placed on the workforce through a hybrid work environment. For many companies, the “remote work” culture has helped accelerate the adoption of digital transformation initiatives that have been around for some time.
In fact, there have been more changes in the past two years than in the previous decade when it comes to the “authentication journey”. One benefit of this is that employees are becoming more accustomed to next-generation authentication methodologies and are therefore more likely to consider them for personal use. This addresses another major point: the challenge of managing user behavior.
While users generally know that passwords are more vulnerable, convincing them to switch to a stronger authentication mechanism is difficult, as they tend to require more effort. But the continued adoption of passwordless authentication technologies is likely to have a ripple effect that will also lead to greater adoption in consumer spaces.
The password problem
While motivating people to move beyond passwords in the consumer space remains difficult, there is growing awareness in the workplace. You could call this a “security awareness culture”, where there is a trend towards stronger login and security methods. Embracing things like multi-factor authentication is a good first step.
Companies are driving this shift, but much of it is also driven by employees. In today’s workplace, savvy employees want to make sure the companies they work for are doing what’s necessary to protect customer and employee data. It can also be a way to improve the employee experience and ensure retention.
In addition, passwords are difficult to remember, given the number of accounts and different password rules. This can lead to frustration for users as they are locked out of their accounts and are forced to go through the identity confirmation process to unlock them. This is one of the reasons why companies have developed multi-factor authentication methods to avoid these frustrations.
With many options available – including security keys, biometric information, push notifications, etc. – it is becoming easier and easier for organizations to adopt multi-factor authentication. Therefore, it is reasonable to assume that customers will become increasingly comfortable with using stronger forms of authentication in their daily lives. Over time, passwords will be completely removed from the authentication process.
There are many possibilities to strengthen authentication protocols. A decade ago, the primary option was a physical security key (i.e., hardware token), which didn’t work very well. They got lost or broke, and users found it frustrating to constantly carry them around. More recently there has been a move towards mobile devices, which can still be lost but are generally easier to use.
For starters, there are Short Message Service (SMS) mechanisms, which are an improvement over passwords but still subject to security issues. Increasingly, hackers have used this mechanism to attack users’ phones directly, sending them fake SMS messages with links to malware.
Other options include biometrics (like a fingerprint), facial recognition, RFID card, push notifications, and others that can be used alone or in combination. In short, a much wider range of authentication options are available today, allowing organizations to find the authenticator(s) that best suit the specific needs of their users and customers.
Multiple authenticators also allow for contingency planning if and when security keys or phones are lost, batteries run low, or connectivity is unavailable. This is another trend in organizations today, where employers and employees have backup options ready in case their preferred authentication method is unavailable or malfunctions.
Another benefit of having multiple authenticators is the flexibility it provides. For example, people traveling for work may have to pay to use the local telecommunications network, or they may work in a facility that doesn’t allow phones or smart cards (for security reasons). A wide range of options allows organizations and users to manage lost devices, complicating factors, and other contingencies they may face.
Another important aspect of the authentication journey is the issue of “friction”. When talking about security and user experiences, “frictionless” doesn’t necessarily mean what people think. When logging into a business account, private account, or banking app, it can be frustrating to go through a few extra steps to verify your identity. For the most part, users want quick and easy access to their data.
At the same time, the fact that users verify their identity in multiple ways shows that the service provider takes security seriously and ensures that hackers cannot access their data so easily. In other words, some level of friction is desirable when important information is involved. To ensure trust, organizations, employers, and service providers must balance security and user experience.
The importance of this balance must also be clearly communicated to the user. They should understand that going through a multi-step authentication process is in their overall interest. This, in turn, can increase the level of customer trust in an organization and encourage brand loyalty.
Additionally, users and customers should also be aware of how their trust in a certain brand can be used against them. A popular method for hackers today is to send notifications to users that appear to come from a trusted source. These will often offer incentives to click on a link that leads to a website that looks familiar to the user but is designed to harvest identifying information.
Another popular tactic that hackers use today is to take advantage of what is known as “push fatigue”. Essentially, users will be bombarded with notifications and alerts and will simply click on one or more mindlessly because they are unwilling or unable to verify the source.
In both cases, we see how hackers take advantage of users’ impatience and tendency to trust the familiar to access their data. It is therefore vital that service providers and security specialists educate users to recognize legitimate sources and to remain vigilant.
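One way a defender can spot the push fatigue pattern described above is to look for a burst of push challenges to a single user, usually with several denials, that ends in an approval. This is an added example and not code from the original article; the log format, the threshold values and the sample log lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): timestamp, user, event.
SAMPLE_LOG = """\
2023-03-01T08:00:05Z alice push_sent
2023-03-01T08:00:20Z alice push_denied
2023-03-01T08:00:41Z alice push_sent
2023-03-01T08:00:55Z alice push_denied
2023-03-01T08:01:10Z alice push_sent
2023-03-01T08:01:30Z alice push_approved
2023-03-01T08:02:00Z bob push_sent
2023-03-01T08:02:15Z bob push_approved
"""

WINDOW = timedelta(minutes=10)
MAX_PROMPTS = 3  # hypothetical threshold: tune to the tenant's normal prompt rate

def parse_log(text):
    """Parse 'timestamp user event' lines into (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events

def detect_push_fatigue(events, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Flag each approval preceded by >= max_prompts push challenges to the
    same user inside `window`: the bombard-until-approved pattern."""
    per_user = defaultdict(list)
    for ts, user, event in sorted(events):
        per_user[user].append((ts, event))
    findings = []
    for user, evs in per_user.items():
        for i, (ts, event) in enumerate(evs):
            if event != "push_approved":
                continue
            earlier = [(t, e) for t, e in evs[:i] if ts - t <= window]
            prompts = sum(1 for _, e in earlier if e == "push_sent")
            denials = sum(1 for _, e in earlier if e == "push_denied")
            if prompts >= max_prompts:
                findings.append({"user": user, "approved_at": ts,
                                 "prompts": prompts, "denials": denials})
    return findings

if __name__ == "__main__":
    for finding in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(finding)
```

A flagged approval is a trigger for a session review or a re-challenge with a phishing-resistant method, not proof of compromise on its own.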
While the transition to passwordless security procedures is already underway, adoption is still limited, primarily to large enterprises in certain industries. Many steps can (and should) be taken to speed up the authentication journey and make passwordless authentication mainstream. The first step for organizations is to look at the current requirements of their users, employees, and consumers to get an idea of what kind of framework they need to put in place. Understanding the balance between user experience and security is essential for their business.
Second, it’s important for users to know how vulnerable passwords are and the value of having multiple steps in place. When the net result is greater security and peace of mind, a little friction is worth it. Organizations should also encourage 100% compliance among their employees and promote safe practices. After all, only one or two people need to click on a link for an attack to succeed.
Ultimately, it’s about finding that careful balance between eliminating risk and improving the user journey.
Over time, the adoption of stronger authentication methods will have a ripple effect. With such an array of options now available, passwordless security measures are becoming easier to adopt. This trend will continue to grow as more options become available and we will reach a point where passwordless protection becomes the norm and users feel no friction.
Today’s employees and consumers are moving towards a new authentication environment that goes beyond the traditional regime of passwords and credentials. This new approach leverages advancements in technology (i.e. biometrics, sensors, machine learning, etc.) to provide greater flexibility and balance security and convenience.
However, the tactics used by hackers are also changing. In addition to leveraging many of these same advancements, they also exploit the fact that today’s users are often overwhelmed by the volume of data they receive, sacrifice security for convenience, or cannot recognize online threats when they see them.
Now more than ever, the transition to a more modern, passwordless security environment must continue. At the same time, efforts should be made to educate the public about the importance of multi-factor authentication and the types of threats it faces today. Ultimately, sophisticated security measures and a well-informed audience are the best way to ensure a secure online experience.