Although analysts have predicted the death of passwords for many years, passwords are still the predominant authentication credential used for many applications and IT systems. The reason for this is simple — everyone knows how passwords work, which makes them more convenient to use.
As a result, 80% of all company data breaches and hacking incidents result from stolen or compromised passwords. It’s not hard to see why. The average user has more than 90 online accounts — almost all requiring a password that more than half of those same users reuse. And with a record 1,862 data breaches in 2021 at an average cost of $4.24 million per breach, it’s no wonder that more than 555 million passwords are available on the Dark Web.
Passwords are proliferating across our digital world and getting stolen in record numbers every year, but it doesn’t have to be this way.
The Twin Dilemma of Security vs. Convenience
Enterprises can address this problem today. In fact, many are already enhancing existing passwords with a second factor — for example, sending an out-of-band code via SMS or email. The technology exists for even stronger login credentials, but these often significantly impact the user experience, which hurts adoption with internal users (employees) or retention with external users (consumers).
Organizations are faced with a complex balancing act: They need to improve their authentication process so that login credentials provide the needed security while being easy to use. But those credentials also have to be difficult for hackers to steal or compromise. Oh, and let’s not forget that this enhanced authentication mechanism must be cost effective, too.
Over the years, many types of login credentials emerged that were effective in one or two areas but fell short in the others. But, there is hope.
Size and Scope
The size and scope of the problem must also be taken into consideration. For large enterprises, these challenges are multiplied because of the sheer number of applications running across their hybrid environments, from the cloud to the mainframe. You hear a lot about the cloud, but how often do you hear someone mention the mainframe? Did you know that mainframes handle 90% of all credit card transactions, or that mainframes handle 68% of world’s production IT workloads? For many of our strategic customers, the mainframe is more mission critical than anything running in the cloud.
A truly effective identity security solution needs to cover all aspects of an organization’s infrastructure — everything from the mainframe to distributed servers, from virtualized to multicloud environments, managing access across business applications, privileged accounts, and everything in between.
The Convergence of Technology and Standards
The missing link in efforts to improve this identity security challenge is a failure to recognize that replacing the password is not as easy as people think. But there are several trends that may help accelerate the death of the password once and for all.
The first is the smartphone. According to Ericsson, the number of smartphone users in the world today is about 6.6 billion, which translates to almost 84% of the world’s population. These devices are not only ubiquitous but are also responsible for teaching users how to use their fingerprint to unlock their devices and take a selfie. Biometrics is not an abstract concept anymore — it is becoming familiar even to people who struggle to use a computer.
The second trend is one of standardization, specifically the growing support for FIDO or Open ID Connect. These new security standards help facilitate the exchange of identity and authentication information between an identity provider and an application. These standards eliminate the need for passwords and replace them with passwordless techniques, such as biometrics (a single finger swipe on your phone). However, there are many mainframe and web applications that were never designed with support for these standards and therefore cannot leverage passwordless authentication — that is, not without major redesign or a little help.
For newer or smaller enterprises, it may be relatively easy to modify applications to be compatible with FIDO or OpenID Connect. However, for larger enterprises this problem is significant because the bulk of their mission-critical apps may need to be modified, and this may not be financially feasible. As a result, while newer applications are built with passwordless authentication mechanisms, they are addressing only a subset of enterprise applications, networks, and environments.
An effective security system needs to cover all an organization’s digital assets. If not, the bad guys will always find the weakest link. Only through a holistic approach can enterprises solve the biggest pain points in identity security by replacing the need for passwords with a single passwordless sign-on procedure for everything in our digital world.