The Password Is Dying. It’s Time for A DNR.

By Lucas Budman, CEO, TruU

As old years end and new ones begin, it’s natural to look ahead at the promise and possibility that lie in front of us. What’s new? What’s near? What’s next?

But in cybersecurity, we already know what to expect in 2022: more breaches. Why? Because loss or theft from data leaks has grown substantially year-over-year for so many consecutive years now we’d be fooling ourselves to think 2022 will be any different. Even with evolving new threats and the growth of nation-state actors in the ransomware business, we want to believe our current lines of defense will hold.

The briefest history shows us the folly in our thinking. We’re not safe. Our defenses will not hold. Period. And the biggest gap in our defense is…us. You. Me. People. Our cyber hygiene and habits are not what they need to be to truly protect sensitive data and information, and for the most part, the technologies we use come with too much friction. The user experience is so poor that we spend as much (or more) time circumventing onerous technology and security controls than we do in building the habits and behaviors that would reduce overall risk in our organizations.

Compromised credentials and poor access controls—both of which involve usernames and passwords—are the reason some 15 billion identity records circulate across the dark web today. The problem has become so critical that last year’s OWASP top 10 named “Broken Access Control” as the number-one risk. To reverse this trend – and literally save us from ourselves, from our lax behaviors and ineffective controls – we must look to technologies that reduce or eliminate human error by design.

Organizations the world over have woken up to the fact that compromised credentials—at the root of more than 80% of all breaches-–are their biggest threat. In other words, awareness of the problem has finally caught up with what the data have demonstrated for years, and we now recognize that addressing a few key access points with passwordless options or biometric solutions doesn’t go far enough to address the root cause.

2022 is the year to go passwordless. 

Because passwords are easy to discover and exploit–and because they’re plentiful—if organizations don’t embrace the passwordless trend, bad actors will continue logging in with stolen passwords and companies will continue to suffer breaches.

2022 is also the year to stop pretending that existing two-factor (2FA) and multifactor (MFA) authentication tools will deliver anything more than marginal improvements to a poor security posture. The massive levels of user friction and workflow interruption alone are good reasons to stop investing in 2/MFA because they hinder widespread adoption and use of the technology; the fact that such solutions also do nothing to curtail phishing attacks, ransomware, credential stuffing, man-in-the-middle, SIM swaps, push bombing, and other popular attack vectors mean organizations cannot depend on them to secure the devices and work products of remote and hybrid workers.

We’re seeing more and more business leaders starting to prioritize budgets and fast-track proof-of-concept (POC) engagements to find passwordless solutions that will work across the enterprise at every access point.  Successful deployments will reduce IT complexity, streamline use-case support, and offer a seamless user experience–one that enables people to log in easily and securely from anywhere in the world without using vulnerable passwords.

Advanced passwordless solutions are embedded in continuous authentication models that remove the zero-sum trade-off between better security and a better user experience by allowing users to authenticate into workstations, physical doors, and other sensing assets simply by being close to them; they also deploy AI/ML to approximate distance from sensing objects without requiring pairing or further interactions to work. They use behavior pattern analysis to authenticate intended users and remove access from unintended users. Importantly, they also empower enterprises to consolidate solutions, remove complexity, reduce costs, and deliver better security outcomes while supporting robust administration tools and workflow-based execution to mitigate complicated security and access requirements.

Beyond usability and security, organizations are embracing the maxim that continuous authentication solutions must also be more than just a biometric alternative to passwords—and they must respect user privacy too. Users should have complete control over and visibility into the data that are collected and how such data are used. Modeling should be done in a privacy-preserving manner with clear, defined outcomes, while AI/ML models should be used strictly to facilitate user authentication—not for data collection or monitoring.

As 2022 progresses, we expect to see the removal of threats from compromised credentials to snowball as more and more enterprises decrease unnecessary spend on IAM tools underpinned with some sort of password requirement and spur investment in innovative and robust passwordless technologies that can protect across the enterprise while delivering a frictionless experience for employees. Organizations that prioritize passwordless deployments will foster more effective risk-reduction strategies, improve cyber resilience, lower costs, and remove user strife from the equation. It’s time to act.

About the Author

Lucas Budman is the CEO of TruU.  He was formerly the CTO of the Advanced Solutions Group at CenturyLink, a Fortune 500 global technology company. CenturyLink acquired his previous company Cognilytics, a machine learning platform company focused on financial risk and cybersecurity, where he was a founding member and CTO. Prior to CenturyLink’s acquisition, Lucas was founding member and CTO of MyCollege Foundation, a Bill and Melinda Gates funded non-profit whose mission is to provide higher education pathways to low-income young adults.

Lucas holds an M.S. in Finance, a B.S. in Computer Science, and an unfinished postgraduate degree in Computer Science – all from the University of Colorado. In his spare time, he is an avid skier, former racer and enjoys road cycling.

Lucas can be reached online at https://www.linkedin.com/in/lbudman/ and at our company website https://truu.ai/