It’s happening before our eyes. Cybercrime keeps growing, and many companies are failing to keep up. Stolen, phished and reused passwords are one of the most common ways attackers get into a company. If you are still relying on passwords alone to keep your data safe, your security is in extreme jeopardy.
The truth is that passwords on their own are no longer effective. The username-and-password login dates to 1961, when it was introduced on MIT’s Compatible Time-Sharing System. It was a great idea…at the time.
The problem is that technology has advanced enormously since then, yet after 60 years we are still struggling to use that idea safely: passwords get guessed, reused across sites and phished. The fallout is data breaches.
Time to evolve. Fortunately, passwords are no longer the only way to verify a user’s identity. The future is passwordless authentication.
How can companies start moving past passwords?
The first step toward passwordless technology is to set up multi-factor authentication (MFA). MFA does not make a password harder to crack; it makes a cracked, phished or reused password insufficient on its own, because the attacker also needs a second factor they do not have. The factors your employees can combine to access a device are:
Something you know (e.g., a password or a PIN code)
Something you are (e.g., a fingerprint or facial recognition)
Something you have (e.g., a hardware token such as an RSA SecurID, an authenticator app, or a device with a certificate)
Breaches that start with a stolen password often go undetected for months. That’s a tremendous amount of time for a cybercriminal to gather data. Once in, they will likely move laterally inside your environment, watching and waiting.
The second step is to roll out biometric-enabled devices. They use human characteristics such as a fingerprint or face to verify identity and unlock the device for the user. On modern devices the biometric template stays on the device and is never sent to a server; what the biometric does is release a key bound to that device. That is why biometrics stop an attacker who holds only a stolen password while simultaneously improving the user experience.
Windows Hello for Business is a good example: it matches your face or fingerprint to unlock a key stored on the device, and that key signs you in. If your company’s identity is based on Azure Active Directory (now Microsoft Entra ID), your employees can then sign in to the device and, through single sign-on, reach all their apps without typing a password.
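The first step above (a password plus a second factor) in working code, as an added example that is not from the original post or from Mobile Mentor. It implements RFC 4226 HOTP and RFC 6238 TOTP, the scheme behind authenticator apps, on top of a salted PBKDF2 password check, and shows that a stolen password alone fails, a captured one-time code cannot be replayed, and the code from the next 30-second step still works. The account, passphrase and TOTP secret (the RFC 6238 test secret) are constructed demo values.

```python
"""Added example: password plus a TOTP second factor (RFC 4226 / RFC 6238)."""
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30          # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6
TOTP_SKEW = 1           # accept one step of clock drift on either side
PBKDF2_ROUNDS = 200_000  # demo value; OWASP currently recommends 600,000 for PBKDF2-HMAC-SHA256


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = TOTP_DIGITS, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int,
                step: int = TOTP_STEP, skew: int = TOTP_SKEW):
    """Return the time-step counter the code matched, or None.

    Counters at or below last_counter are refused, so a code captured by a
    phishing page or keylogger cannot be replayed inside its validity window.
    """
    now = at // step
    for counter in range(max(0, now - skew), now + skew + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """Server-side record: salted password hash, shared TOTP secret, replay watermark."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret   # provisioned to the authenticator app at enrollment
        self.last_counter = -1           # highest TOTP counter already consumed


def login(account: Account, password: str, code: str, at: int):
    """Both factors must pass; returns (ok, reason). Both are evaluated before
    answering so the response time does not reveal which factor was wrong."""
    pw_ok = hmac.compare_digest(hash_password(password, account.salt), account.pw_hash)
    matched = verify_totp(account.totp_secret, code, at, account.last_counter)
    if not pw_ok or matched is None:
        return False, "authentication failed"
    account.last_counter = matched
    return True, "ok"


def demo():
    """Walk through the attack scenarios; returns the list of (ok, reason) results."""
    secret = b"12345678901234567890"   # RFC 6238 test secret, a constructed demo value
    passphrase = "correct horse battery staple"
    acct = Account(passphrase, secret)
    t = 59                             # fixed clock so the run is reproducible
    good_code = totp(secret, t)
    return [
        login(acct, "hunter2", good_code, t),             # wrong password, valid code
        login(acct, passphrase, "000000", t),             # stolen password, no token
        login(acct, passphrase, good_code, t),            # both factors: success
        login(acct, passphrase, good_code, t),            # replay of the captured code
        login(acct, passphrase, totp(secret, t + 30), t + 30),  # next time step
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The replay watermark (last_counter) is the detail most home-grown TOTP checks miss: without it, a code phished in real time remains valid for the rest of its 30-second window plus the skew allowance. Note also that TOTP is still phishable by a live relay; a FIDO2 security key or a platform authenticator such as Windows Hello binds the login to the site origin and closes that gap.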
The flaws of password management
It’s shocking how many companies still ask their employees to manage their own passwords with no tooling and no policy. Honestly, it’s quite irresponsible.
Non-IT workers often don’t realize how exposed they are. They feel comfortable storing passwords in their phone’s notes app, a spreadsheet or a personal journal, and reusing them from one site to the next. If you don’t use MFA, an authenticator app or security keys, some of your employees’ passwords will eventually be phished, guessed or leaked in another site’s breach.
Of course, rolling out multi-factor authentication can be quite a journey for some companies. As an interim measure, look for a robust tool to manage your passwords. A password vault, for instance, is a decent band-aid while your group moves toward a more sustainable and secure solution.
If you take this route, make sure employees protect the vault with a long, unique master passphrase and, wherever the product supports it, a second factor. Also ask your employees to use different credentials on their work devices and work apps than on their personal, unmanaged devices. Reusing the same passwords for work and personal use means a breach of a personal site can hand an attacker your company data.
The future of passwordless authentication
It’s a bit frustrating that we currently don’t have more unique personal authentication solutions. There have been some clever applications conceptually developed in recent years that, if available, would add additional layers of protection to company data.
I’m interested in seeing authentication solutions that use our unique behaviors and patterns become a reality. Monitoring actions like the way I hold my phone, e.g., the precise angle, tilt, degree of vibration and micro-location, could create a profile that defines whether the user is actually me or an imposter.
Other solutions could identify usage habits and personal patterns to secure devices based on the environment. Suppose your device secured itself when it noticed you were outside of your normal work environment or exhibiting habits that are not indicative of your normal activity.
Now suppose it worked seamlessly, without requiring a password when you were exhibiting your specific unique pattern. You’d have a secure, frictionless experience that would be sustainable for the foreseeable future. I am hopeful that we will see an explosion in solutions that make authentication hyper-personal and uber-secure in the years to come.
Denis founded Mobile Mentor in 2004 with a clear purpose: to empower people to achieve more with their technology. The technology is always changing, but Denis’s purpose is the same, and today most of Denis’s energy goes into helping clients navigate the balance between security and employee experience.
Denis is really passionate about solutions that make an impact in healthcare, education and government. Since 2017, Denis has lived in the US, working with both public and private healthcare providers.