No one is happy about the prospect of clearing their cookies to resolve an IT problem. That’s because this process means they will lose their automatic sign in to all the websites and applications across the web, and who can remember all those different passwords?
You did make all those passwords different from each other, right?
On World Password Day on May 5, security experts and tech companies took the opportunity to update the industry on initiatives they are taking to create a future that secures us without the need for passwords. It can’t come soon enough.
The Trouble with Passwords
Reused passwords have been the leading vector in cyberattacks over the last few years, according to the 2022 SpyCloud Annual Identity Exposure Report. The report also notes a 64% password reuse rate for users with more than one password in the last year.
But how do you remember all those passwords? NordPass research for 2021 shows the most popular password for that year was “123456” and the fifth most popular password was “password”.
It’s clear that something is broken in the world of passwords, and it has been for a long time. And while multi-factor authentication has provided an extra layer of security for organizations, it is also a speed bump for productivity, making workers stop what they are doing to type in a code or provide a fingerprint. The more inconvenient the security measures are, the more likely users are to look for a way around them. Password reuse is one such workaround.
The Move to Dump Passwords
“Eliminating passwords altogether once sounded like a bold idea,” says Greg Stuecklin, VP and GM of North America at WSO2, which makes an identity server, among other solutions. “That’s no longer the case, especially when you consider Verizon’s 2021 Data Breach Investigations Report. It observed that vulnerabilities with credentials, like a username and password, accounted for over 84% of all data breaches.”
Stuecklin says that there are easier and more effective ways to authenticate users including log-in alternatives like the Fast ID Online 2.0 (FIDO2) standard or biometrics, security keys, and plug-in authenticators.
Mark Ruchie, CISO at Entrust, a digital security and data protection company, says that mobile push tokens, certificate-based credentials, and different forms of biometrics can create a more seamless employee experience and a simpler, stronger, security infrastructure with a smaller attack surface for a wide range of threats.
“With cyberattacks becoming more sophisticated and new tech talent few and far between, businesses are realizing that passwords not only create headaches for IT departments, but for employees as well. They are the bane of every CISO’s life,” Ruchie says.
Apple, Google, Microsoft Expand FIDO Support
In honor of World Password Day, a trio of tech giants this week pledged expanded support for FIDO. Apple, Google, and Microsoft made the announcement to accelerate availability of passwordless sign-ins, according to a statement issued by the FIDO Alliance. These three companies already support the Alliance’s standards, but this week’s announcement adds two new capabilities: allowing users to automatically access their FIDO sign-in credentials, or “passkeys,” on their devices without having to re-enroll every account; and enabling users to use FIDO authentication on their mobile devices to sign into an app or website on a nearby device, regardless of the OS platform or browser they are using. The new capabilities will become available across Apple, Google, and Microsoft platforms over the course of the coming year.
Google PM director of secure authentication Sampath Srinivas said in a Google blog post that the company will implement passwordless support for FIDO sign-in standards in Android and Chrome.
In its Microsoft Tech Community site, Alex Simons, VP of product management for the Identity and Network Access Division, wrote that the company is introducing several new capabilities including passwordless for Windows 365, Azure Virtual Desktop, and Virtual Desktop Infrastructure. These features are currently in preview with Windows 11 insiders, according to Simons.
Windows Hello for Business Cloud Trust is a new deployment model that can remove the previous requirements for public key infrastructure and for syncing public keys between Azure Active Directory and on-premises domain controllers. Microsoft Authenticator will now allow multiple accounts instead of just one, starting later this month on iOS devices, with Android to follow. In addition, Microsoft will add a Temporary Access Pass in Azure AD starting next month. This is a time-limited passcode that organizations can use to set up new Windows devices instead of using a password to do it.
These advances should mark a welcome change for users in both the enterprise and in the consumer realm who are frustrated at trying to remember multiple passwords.
“On World Password Day, let’s make a pledge to free consumers from passwords and instead give them advanced alternatives that make it easier than ever to protect their data and yours,” Stuecklin says.