By Rob Jenks, Senior Vice President of Corporate Strategy, Tanium
Many computer users dream of a day when the industry can move past its reliance on passwords to reach a more serene future of frictionless cybersecurity. But most IT and security professionals will tell you that day is still a long way off. The fact is, countless remaining devices and systems are aging relics that have been based on password security for decades. There can be no turning back time for such legacy systems – as long as they are in use, we will depend on passwords, at least to some extent.
For most organizations, that means they are stuck in the password-filled present, but that doesn’t mean there isn’t a passwordless future. Before we can get to that future, however, we need to make sure we are protecting ourselves on the journey there.
The issue with passwords
Passwords usually aggravate users because of all the associated friction. Nobody likes memorizing long strings of letters, numerals, and symbols to conduct the simplest business, but weak passwords tend to reward bad actors, which is of course the underlying problem. The goal of passwordless is to reduce friction so that authentication and authorization become simpler for users. So, in essence, we should think of “passwordless” as “frictionless,” based on simplifying the login process for users.
The trouble is, the safest passwords are typically the hardest to remember, so they carry a high amount of friction. In a world where hackers launch an average of 50 million attacks on passwords every day, which equates to 579 strikes per second according to Microsoft, safety should override convenience. That often isn’t the case, though. In fact, Verizon found that 60% of data breaches are now attributed to compromised credentials. Hackers often prey on users’ natural inclination toward convenience when people re-use the same ID and password combination for multiple sites. Once those passwords and IDs appear on the dark web, they can be used for a range of different logins.
Surviving in the present
In the short term, we need to bridge the gap between the need for strong, complex passwords and the reduction of friction for employees. Nearly half of all Americans (41%) still rely on memory to recall their passwords, meaning that they often adopt simple or repeated words that are easy to remember. There is an easy solution that both reduces friction and improves security: password managers. Organizations that take security seriously can offer employees a subscription to a password manager, which eliminates the need for employees to remember complex passwords while still providing sufficiently robust credentials. Additionally, organizations should consider using tools that regularly check whether passwords have been compromised, further ensuring the strength of the passwords used.
Passwords aren’t enough on their own, however, and need to be bolstered by some of the “passwordless” security protocols that we have been using for years. Multifactor authentication (MFA) is an age-old concept that relies on something you have (a device or application) plus something you know (a captcha or existing account) to prove your unique identity and authorize your access. Two-factor authentication (2FA) was the first widespread adoption of this method, in which exactly two authentication factors were required, but with threats becoming more sophisticated, the industry has been shifting toward requiring more than two factors to better safeguard against attacks like credential stuffing. These measures make organizations more secure, but they also add friction, which a passwordless future promises to eliminate.
The road to forgetting our passwords forever
We have seen many of the biggest tech companies, like Apple, Google, and Microsoft, lead the charge into a passwordless future with the use of biometric recognition or facial recognition. These approaches can be an effective alternative to passwords, as it is much harder to fake someone’s fingerprints or face than to guess their password, but they still don’t solve the problem of all the legacy systems that will be in use for years to come.
The only real path forward is for organizations to commit to updating legacy systems and technologies. As an organization’s technology advances and becomes more cloud-based, authentication can change along with it. The process is slow, but if it is done intentionally, organizations can first reduce the number of things passwords are needed for, then the number of people who need to use passwords, before finally eliminating them altogether.
The passwordless future feels close because we have the technology to do it, but progress will be slow as applications are migrated to passwordless authentication. So, while there is no way my password manager will be empty by next year, or even the year after that – by 2030? That’s possible.
About the Author
As senior vice president of corporate strategy, Rob Jenks leads Tanium’s business development and ecosystem efforts. Rob is focused on advancing business-critical relationships across technology alliances and channel partners, driving new ways Tanium’s real-time, accurate data can be leveraged, and identifying new market opportunities.
Prior to joining Tanium, Rob served as vice president of strategy and alliances at C3.ai, where he helped the company determine its strategy, product, partner, and pricing approach in service of delivering business value to its customers. Before C3.ai, Rob led the Low Carbon Economics service line at McKinsey & Company, an innovative software-enabled capability within the energy practice. Rob advised clients across a range of industries on strategy and operations related to technology and the clean-energy transition. He has also served on advisory boards for early-stage fintech and edtech software startups.
Rob received a Ph.D. in Physics from Harvard University, an M.Phil. in the History of Science from Cambridge University, and a BA in Physics from Williams College.