Passwordless? Imagining the Future of Authentication

The average employee in the workplace has 191 passwords. Will we ever rid ourselves of them and, if so, how? Gerald Beuchelt, the Chief Information Security Officer at LogMeIn talks about how changes in authentication may deliver a passwordless future.

The concept of “passwordless” has gained significant traction in the last 6-12 months, and it has sparked the question: can we ever really rid ourselves of passwords? If so, how, what role does authentication play in that process, and how does that affect a company’s best practices?

Passwords haven’t changed. We have to. 

Passwords have been a reality of daily life for as long as most of us can remember. They date back to the first computers, which required a username and password to gain access, just as they do now. At the time of those first computers this was probably a decent system, as individuals had only one or two logins and could rely on memory for those passwords.


Gerald Beuchelt is the Chief Information Security Officer at LogMeIn.

That is not true anymore. We know that the average employee in the workplace has 191 passwords – far more than any person can remember, never mind if each one were complex and unique. Unfortunately, we know most people aren’t creating 191 unique passwords. Rather, they’re using the same password across multiple accounts, which is risky behavior, seeing how 80% of breaches are the result of weak, reused or compromised passwords.

As the number of passwords and risk of cyber attacks increased over the years, we’ve learned that memory (or even a notepad) is not a sufficient or secure means for keeping track of our login credentials. It’s a challenge to rid a person of every password, but it’s certainly not impossible. One way to approach this is not to eliminate passwords completely, but instead change the way that we interact with them.


One way to change how we interact with the system is by using single sign-on (SSO) technology. With single sign-on, we can provide simplified access to the applications that end-users interact with every day, such as HR systems or expense reports. Leveraging this technology reduces the number of passwords that employees must remember or update. Another method is to use password management technology. With a password manager, we can minimize the need for users to remember passwords that fall outside the company-wide single sign-on applications, such as blog sites or personal banking logins. Using single sign-on or password management – or better, both tools together – to help users keep their passwords secure is best practice for a strong security posture.

Introduce simple authentication

When it comes to cybersecurity, you’re only as secure as your weakest link. Most of the time, this weakest link is an end-user who may not fully understand the importance of security and will, therefore, not consider security a primary motivator to adopt a new solution. These are the users who will use ‘Monkey123’ as their password for all websites and applications.


The way to bolster security in the midst of these weak links is through authentication solutions. Some see this as an obstacle, something that adds more frustration for end-users. In order for authentication solutions to be adopted, and therefore effective, the solution must be so simple for the end-user that there are minimal barriers to adoption. In fact, the end-user should experience an added benefit of convenience: fewer password resets, streamlined authentication, and a smaller number of apps they need to sign into.

By prioritizing the end-user experience, businesses can increase their odds that their end-users will adopt the technology correctly – thus minimizing the risk of end-users being the weakest links.  

The importance of privacy in authentication

Employing multifactor authentication greatly reduces the risk that a company will be successfully hacked, as it considers a multitude of factors (such as location, facial ID or IP address) versus only one (such as a password) prior to granting access to an application.

However, transparency as to where authentication data is stored for multifactor authentication is also necessary. This is especially true with biometric factors (such as facial recognition or touch ID). For example, consider facial recognition technology being used at security gates in airports. You scan your face or fingerprint, but where is the data it is being compared against stored, and is it all in one centralized location? If so, not only is that data outside of the individual’s control, but it is at risk if the airport does not protect it correctly. This highlights the need to respect and protect a user’s digital identity through decentralization.

Businesses looking to integrate biometrics, whether as a replacement for passwords or to complement them, should consider solutions where the biometric data is stored on the user’s device as opposed to a centralized repository. This respects the user’s privacy while providing one of the highest levels of protection.
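To make the on-device design concrete, here is an added example (not code from the article or from LogMeIn) that simulates the two halves of such a system: the device keeps the biometric template and does the match locally, while the server stores only a random per-device key and checks a challenge response. The `Device`/`Server` classes, the HMAC-based challenge response and the sample template are all constructed for illustration; a production design would typically use a device-held asymmetric key instead of a shared secret.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a biometric template (a real one is a feature
# vector derived from a sensor); what matters here is where it is stored.
ENROLLED_FACE = b"face-template-of-alice"

class Device:
    """Keeps the template and matches it locally; only a random device key
    (hypothetical design, not an API from the article) reaches the server."""
    def __init__(self, template: bytes):
        self._template = template          # never leaves the device
        self.device_key = os.urandom(32)   # shared with the server at enrolment
    def sign_if_match(self, presented: bytes, challenge: bytes):
        # Local biometric match (real matchers are fuzzy; exact compare here).
        if not hmac.compare_digest(presented, self._template):
            return None
        return hmac.new(self.device_key, challenge, hashlib.sha256).digest()

class Server:
    """Stores device keys only, so a database dump yields no biometrics."""
    def __init__(self):
        self._keys = {}
        self._pending = {}                 # one outstanding challenge per user
    def register(self, user: str, device_key: bytes) -> None:
        self._keys[user] = device_key
    def challenge(self, user: str) -> bytes:
        self._pending[user] = os.urandom(32)   # fresh nonce per attempt
        return self._pending[user]
    def verify(self, user: str, response) -> bool:
        challenge = self._pending.pop(user, None)   # consumed once: replays fail
        if challenge is None or response is None or user not in self._keys:
            return False
        expected = hmac.new(self._keys[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def login(server: Server, device: Device, user: str, presented: bytes) -> bool:
    """One exchange: server challenge, local match, keyed response, server check."""
    return server.verify(user, device.sign_if_match(presented, server.challenge(user)))

def demo():
    """Returns (good login, wrong face, first use of a response, replay of it)."""
    dev, srv = Device(ENROLLED_FACE), Server()
    srv.register("alice", dev.device_key)
    ok = login(srv, dev, "alice", ENROLLED_FACE)
    wrong = login(srv, dev, "alice", b"not-alice")
    stale = dev.sign_if_match(ENROLLED_FACE, srv.challenge("alice"))
    return ok, wrong, srv.verify("alice", stale), srv.verify("alice", stale)
```

The server's state never contains the template, so a breach of the central database exposes device keys that can be rotated, not faces or fingerprints that cannot.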