A recent study found that the single biggest factor limiting adoption of alternatives to passwords is convenience.
When most of your users are accustomed to entering a username and password, adding another factor or moving to a different login method can be a wildly unpopular move. Even knowing that passwords are the weakest common authentication method, most users would rather stick with them than learn a new system.
If users chose long passphrases, mixed in a variety of characters and digits, and followed best practices such as using a different password for every login, passwords wouldn’t be so bad. Unfortunately, in 2020 the most popular passwords were still things like “123456”, “password”, and “picture1”.
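The cheapest defence while passwords are still in use is to refuse the ones on the breach lists at the point they are chosen. The following is an added example, not code from the original article: it implements the k-anonymity style check that the Have I Been Pwned "Pwned Passwords" range API uses (send only the first five hex characters of the SHA-1, compare the rest locally), but against a constructed offline store built from the sample passwords above, so it runs without network access. The weak-password list, the breach counts and the lookup_range function are all constructed stand-ins; a deployment would query the real endpoint or a local copy of the corpus.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict, Tuple

# Constructed sample: a few entries from published "most used password" lists.
# A real deployment would use the full breach corpus, not five strings.
KNOWN_WEAK = ["123456", "password", "picture1", "123456789", "qwerty"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 hex digest into the 5-char prefix that is sent to
    the lookup service and the 35-char suffix that is only ever compared locally."""
    return digest[:5], digest[5:]


def build_range_store(passwords) -> Dict[str, str]:
    """Constructed stand-in for the remote service: map each 5-char prefix to the
    'SUFFIX:COUNT' lines a range query for that prefix would return. The counts
    are made up; the real service reports how often each hash appeared in breaches."""
    store = defaultdict(list)
    for i, pw in enumerate(passwords):
        prefix, suffix = split_hash(sha1_hex(pw))
        store[prefix].append(f"{suffix}:{1000 - i * 100}")
    return {prefix: "\r\n".join(lines) for prefix, lines in store.items()}


RANGE_STORE = build_range_store(KNOWN_WEAK)


def lookup_range(prefix: str) -> str:
    """Hypothetical offline replacement for GET /range/{prefix}. Returns the
    response body, or an empty body if no stored hash shares the prefix."""
    return RANGE_STORE.get(prefix, "")


def breach_count(password: str, range_lookup: Callable[[str], str] = lookup_range) -> int:
    """k-anonymity check: only the 5-char hash prefix leaves the client; the
    suffix is matched locally against the returned candidate list."""
    prefix, suffix = split_hash(sha1_hex(password))
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def is_acceptable(password: str, min_length: int = 8,
                  range_lookup: Callable[[str], str] = lookup_range) -> Tuple[bool, str]:
    """Reject short passwords and anything present in breach data; accept the rest.
    No composition rules: length plus a breach check is what NIST SP 800-63B asks for."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = breach_count(password, range_lookup)
    if seen:
        return False, f"seen {seen} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["picture1", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(pw, is_acceptable(pw))
```

Because only the prefix is transmitted, the lookup service learns nothing about which of the few hundred candidate hashes in that bucket the user actually typed; the comparison that reveals the answer happens on the client.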
So how can you improve password security while also keeping the login flow as convenient as possible for your end users?
Take Passwords Out of The Login Process
There’s been a significant push in recent years towards passwordless environments, particularly from large enterprises such as Microsoft. Removing passwords altogether eliminates the risk of their being shared, reused, phished, or stolen from a breached database, which drastically improves your organization’s security.
Passwordless authentication simply means that no password is involved in the authentication process. When trying to gain access to a system, you prove that you are who you claim to be through another method, most often your mobile phone. When you request access, the system sends a code by text message (SMS), a push notification to an authenticator app, a one-time password generated on the device, or similar.
While these other forms of authentication are an improvement over usernames and passwords alone, they still pose problems. Relying on your phone as the verification method effectively equates your identity with that of your phone, which can be catastrophic if the phone is stolen, lost, or compromised. SMS codes are the weakest of these options: they can be intercepted through SIM-swap attacks, and NIST SP 800-63B classes SMS delivery as a restricted authenticator.
Using a physical key or token is also a passwordless method, but it relies on having the key with you at all times and on its not being stolen. The physical element makes these tokens far less vulnerable to phishing or digital credential theft, but they remain prone to the mundane risks of being forgotten or lost. A physical key or token is also not necessarily less friction than a username and password: imagine plugging in a token each time you need to open a file. For convenience, chances are users will simply leave their tokens in, on, or near their workstations, exposing those machines to risk again.
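The one-time-password flow described above is usually TOTP (RFC 6238): both the device and the server derive a short code from a shared secret and the current 30-second time step. The following is an added example, not code from the original article, showing the generator and a server-side verifier. The verifier accepts a small clock-drift window but records the last consumed time step, so a code captured by a phishing page or by someone holding the stolen phone cannot be replayed within its validity window. The secret is the RFC 4226 test-vector secret so the output can be checked against published values; the TotpVerifier class and its window/step parameters are this example's own design.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"), used
# only so the codes below can be checked against the published test vectors.
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer, reduced modulo 10^digits and zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step))


class TotpVerifier:
    """Server side of the exchange. Accepts a code for any step within
    +/- `window` steps of the current one, but never for a step at or before
    the last step already consumed, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_counter = -1  # highest time step successfully used so far

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        now = time.time() if at is None else at
        current = int(now // self.step)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # already consumed, or older than one we accepted
            # Constant-time comparison so timing does not leak matching digits.
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    server = TotpVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, at=59)          # what the phone would display
    print("code:", code)
    print("first use accepted:", server.verify(code, at=59))
    print("replay two seconds later accepted:", server.verify(code, at=61))
```

Note what this does and does not protect against: the replay check stops reuse of a code the attacker has already seen, but a real-time phishing relay that forwards the user's fresh code within the same step still succeeds, which is why the article goes on to compare phishing-resistant options.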
Biometrics as the Convenient Choice
Biometric authentication is more convenient than the other verification methods above and, against the credential theft this article is concerned with, more secure.
You never have to worry about forgetting your ID, password, or mobile device. Confidence that the person authenticating is the enrolled user is also far higher with biometrics than with a simple username and password. In theory someone can create deepfake video to spoof facial recognition, or fabricate fingertips carrying a copy of your fingerprints, but this is far less likely in practice: cybercriminals look for the easiest target.
The easy targets are the companies still relying on usernames and passwords. With a fraction of the effort needed to spoof your face, voice, or palm print, a criminal can simply phish credentials from your workforce. Clever, well-executed spear phishing campaigns can be even more effective at stealing high-value credentials from your C-suite.
Credential theft attacks of this kind are ineffective or entirely useless against biometric authentication and identity proofing, because there is no shared secret for a phishing page to capture. The practical caveat is that a biometric cannot be reissued the way a password can, so match on the user’s own device where possible and never store biometric templates in a central database in a reusable form.
Additionally, the convenience is on par with or better than typing a username and password, particularly if the password is a complex and secure one. Password managers help in that respect, but a palm scan, voice command, or face scan is nearly as quick as copying and pasting from the password database. Users accustomed to unlocking their iPhones with Face ID, or their computers with Windows Hello, are already used to biometrics as a way of accessing systems.
Set up time to discuss how biometric identity proofing and authentication could work in your environment by emailing us at firstname.lastname@example.org.