• Cybercriminals are exploiting COVID-19 to launch cyberattacks.
  • Passwords are one of the most vulnerable targets of attacks.
  • Getting rid of passwords can improve security, lower costs and increase usability.

The unfolding crisis of the COVID-19 pandemic and its impact on the global economy are making cybersecurity critical to collective resilience, as millions of workers and businesses across the world become dependent on digital infrastructure en-masse and implement remote working policies at scale. At this time of unprecedented digital dependency, safe and secure access to online services and infrastructure is critical, as we are seeing a rise in cybercriminal activity seeking to exploit this crisis.

The current situation is only accelerating the trend of global economic dependency on the Internet, which continues to be a key strategic global driver for business. Business leaders now say their cybersecurity risks are also increasing, with cyberattacks and data theft among the top 10 risks CEOs are most likely to face in the short term and in the long term, according to the World Economic Forum’s Global Risks Report 2020.

In the first six months of 2019 alone, data breaches exposed 4.1 billion records, often with millions of credentials in a single breach released into the public and dark web. The average cost of a breach is an estimated at $3.92 million, and cybercrime is predicted to cost $6 trillion worldwide annually by 2021. This was before the pandemic hit.

Image: World Economic Forum

The password and use of stolen and compromised credentials are now one of the single most vulnerable items to tackle if we are to meaningfully reduce online cybercrime. For executives and policy leaders, this is a critical element in helping secure and enabling digital infrastructure, employee and customer safety, and their security risks.

Compromised credentials are responsible for over 80% of all breaches, according to the 2019 Verizon Breach Investigations Report. This is why we are calling for a move to a passwordless future.

"A closer examination of major breaches reveals a common theme: In every 'major headline' breach, the attack vector has been the common password. The reason is simple: The password is by far the weakest link in cybersecurity today."

— United States Secretary of Homeland Security, Michael Chertoff

The limits of passwords

Passwords were invented in the 1960s and were never intended to protect bank accounts, healthcare records, emails or a long list of other commandeered usages. They were invented for computer time share, and worked effectively enough for that use case at the time.

The advent of the digital era, however, has presented unintended consequences. Despite attempts in recent years to secure static credentials by adopting methods like two-factor authentication (2FA) which uses SMS, one-time passwords (OTPs) and hardware tokens, the additional layers only serve to shroud an inherently broken mechanism: usernames and passwords.

At its core, “passwordless” means having the ability to accurately verify a user’s identity without the use of usernames, passwords, SMS, OTPs or any typing at all. This would mean the widespread adoption of new technologies, including as bio-metrics, behaviour analytics, and device attributes, that validate an identity without requiring the customer or employee to type in a password. Passwordless authentication vastly improves a company’s security by reducing the overall attack surface and eliminating compromised credential risk.

What is the World Economic Forum doing about the coronavirus outbreak?

Responding to the COVID-19 pandemic requires global cooperation among governments, international organizations and the business community, which is at the centre of the World Economic Forum’s mission as the International Organization for Public-Private Cooperation.

Since its launch on 11 March, the Forum’s COVID Action Platform has brought together 1,667 stakeholders from 1,106 businesses and organizations to mitigate the risk and impact of the unprecedented global health emergency that is COVID-19.

The platform is created with the support of the World Health Organization and is open to all businesses and industry groups, as well as other stakeholders, aiming to integrate and inform joint action.

As an organization, the Forum has a track record of supporting efforts to contain epidemics. In 2017, at our Annual Meeting, the Coalition for Epidemic Preparedness Innovations (CEPI) was launched – bringing together experts from government, business, health, academia and civil society to accelerate the development of vaccines. CEPI is currently supporting the race to develop a vaccine against this strand of the coronavirus.

The benefits of a passwordless future

By 2022, 60% of large and global enterprises, and 90% of midsized enterprises (MSEs) will implement authentication methods and increasingly, organizations understand they need to adopt passwordless strategies. As explained in a recent World Economic Forum report, there are key incentives and drivers for change for a passwordless future:

Better security: When companies transition to passwordless solutions, they considerably reduce their exposure to data breaches. When using passwordless solutions to authenticate, there are no passwords for cybercriminals to steal out of a platform server.

Cost reduction: Cybersecurity has been traditionally perceived as a business cost, so the financial consideration is perhaps the most notable reason why companies should consider transitioning to passwordless authentication. Not only does it lower costs associated with password management and data breaches, but it can also improve revenues through increased productivity and customer ratings.

Digital transformation: A modern authentication system is not merely a necessity from a security perspective; it can be a key digital enabler. It makes mobility much more seamless, reduces user friction, and thereby improves customer and employee experience. It drives operational efficiency and improves regulatory compliance.

Increased usability: In a passwordless infrastructure, users have the option of using their smartphone-as-a-token as a way to authenticate, without having to type anything or store information in a database. As people authenticate to unlock phones with biometrics (FaceID, fingerprint, etc.), this can be extended to login to other systems, products. Users and employees are already well-versed in smartphones functioning as an extension of their identity and this experience.

Image: World Economic Forum

5 areas to enact change

Enterprise-wide passwordless authentication strategies need to prioritize solutions that can integrate with a broad range of systems and use cases, as well as review the critical areas where an organization relies on passwords. The aim is to remove these credential-based solutions from the more exposed employee and consumer interfaces and into more secure backend systems.

Doing this will allow for scaling and more seamless integration across a wider range of business processes - specifically, adopting authentication that supports widely adopted protocols including Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) that enable integration across multiple systems and establish a standard for exchanging authentication data across the business.

One challenge for businesses lies in knowing precisely where and how to start. There are five key areas for how enterprises can start to think about adopting passwordless technology and solutions:

  • VPN / remote access: As the remote workforce continues to expand at a rapid pace, removing static credentials from the equation reduces the risk.
  • Contact and information technology: Companies experience 30% to 50% of all contact with these services in relation to password resets and account lockouts.
  • Remote desktop and virtual desktop infrastructure (VDI): This can ensure the broadest coverage by starting at a foundational level.
  • Customer identity and access management: This deployment rollout could have the potential to provide umbrella coverage into the most critical business functions of a business.
  • Critical applications: That will streamline productivity and collaboration while enhancing security.

By going passwordless now, we can change the current dynamics of the security and digital ecosystem. By adopting passwordless logins, we can curb cybercrime and help enable and unlock digital prosperity. That alone should spur action.

In the words of renowned novelist and poet Victor Hugo, “No army can withstand the strength of an idea whose time has come.”