Why COVID-19 makes the case to get rid of passwords

The unfolding crisis of the COVID-19 pandemic and its impact on the global economy are making cybersecurity critical to collective resilience, as millions of workers and businesses across the world become dependent on digital infrastructure en-masse and implement remote working policies at scale. At this time of unprecedented digital dependency, safe and secure access to online services and infrastructure is critical, as we are seeing a rise in cybercriminal activity seeking to exploit this crisis.

The current situation is only accelerating the trend of global economic dependency on the Internet, which continues to be a key strategic global driver for business. Business leaders now say their cybersecurity risks are also increasing, with cyberattacks and data theft among the top 10 risks CEOs are most likely to face in the short term and in the long term, according to the World Economic Forum’s Global Risks Report 2020.

In the first six months of 2019 alone, data breaches exposed 4.1 billion records, often with millions of credentials in a single breach released into the public and dark web. The average cost of a breach is an estimated at $3.92 million, and cybercrime is predicted to cost $6 trillion worldwide annually by 2021. This was before the pandemic hit.

The password and use of stolen and compromised credentials are now one of the single most vulnerable items to tackle if we are to meaningfully reduce online cybercrime. For executives and policy leaders, this is a critical element in helping secure and enabling digital infrastructure, employee and customer safety, and their security risks.

Compromised credentials are responsible for over 80% of all breaches, according to the 2019 Verizon Breach Investigations Report. This is why we are calling for a move to a passwordless future.

Passwords were invented in the 1960s and were never intended to protect bank accounts, healthcare records, emails or a long list of other commandeered usages. They were invented for computer time share, and worked effectively enough for that use case at the time.

The advent of the digital era, however, has presented unintended consequences. Despite attempts in recent years to secure static credentials by adopting methods like two-factor authentication (2FA) which uses SMS, one-time passwords (OTPs) and hardware tokens, the additional layers only serve to shroud an inherently broken mechanism: usernames and passwords.

At its core, “passwordless” means having the ability to accurately verify a user’s identity without the use of usernames, passwords, SMS, OTPs or any typing at all. This would mean the widespread adoption of new technologies, including as bio-metrics, behaviour analytics, and device attributes, that validate an identity without requiring the customer or employee to type in a password. Passwordless authentication vastly improves a company’s security by reducing the overall attack surface and eliminating compromised credential risk.

By 2022, 60% of large and global enterprises, and 90% of midsized enterprises (MSEs) will implement authentication methods and increasingly, organizations understand they need to adopt passwordless strategies. As explained in a recent World Economic Forum report, there are key incentives and drivers for change for a passwordless future:

Better security: When companies transition to passwordless solutions, they considerably reduce their exposure to data breaches. When using passwordless solutions to authenticate, there are no passwords for cybercriminals to steal out of a platform server.

Cost reduction: Cybersecurity has been traditionally perceived as a business cost, so the financial consideration is perhaps the most notable reason why companies should consider transitioning to passwordless authentication. Not only does it lower costs associated with password management and data breaches, but it can also improve revenues through increased productivity and customer ratings.

Digital transformation: A modern authentication system is not merely a necessity from a security perspective; it can be a key digital enabler. It makes mobility much more seamless, reduces user friction, and thereby improves customer and employee experience. It drives operational efficiency and improves regulatory compliance.

Increased usability: In a passwordless infrastructure, users have the option of using their smartphone-as-a-token as a way to authenticate, without having to type anything or store information in a database. As people authenticate to unlock phones with biometrics (FaceID, fingerprint, etc.), this can be extended to login to other systems, products. Users and employees are already well-versed in smartphones functioning as an extension of their identity and this experience.

Enterprise-wide passwordless authentication strategies need to prioritize solutions that can integrate with a broad range of systems and use cases, as well as review the critical areas where an organization relies on passwords. The aim is to remove these credential-based solutions from the more exposed employee and consumer interfaces and into more secure backend systems.

Doing this will allow for scaling and more seamless integration across a wider range of business processes - specifically, adopting authentication that supports widely adopted protocols including Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) that enable integration across multiple systems and establish a standard for exchanging authentication data across the business.

One challenge for businesses lies in knowing precisely where and how to start. There are five key areas for how enterprises can start to think about adopting passwordless technology and solutions:

By going passwordless now, we can change the current dynamics of the security and digital ecosystem. By adopting passwordless logins, we can curb cybercrime and help enable and unlock digital prosperity. That alone should spur action.

In the words of renowned novelist and poet Victor Hugo, “No army can withstand the strength of an idea whose time has come.”