Let’s face it, passwords are broken. We all know how frustrating it is to have to reset a password only to realise you have to find yet another combination of your mother’s maiden name and a family pet. But we are rapidly approaching a situation where passwords are not only stressful for users but ultimately unfit for purpose.
Consider this: when most people imagine what it looks like when an account gets hacked, they picture a shadowy figure behind a screen full of complicated code. Yet this couldn’t be further from the truth. According to Verizon’s latest breach report, 71% of hacks today aren’t really hacks at all, but bad actors simply logging in with valid user credentials they’ve obtained elsewhere.
There’s the rub for the cyber security world. It doesn’t matter how well we secure the pipes with strong encryption or how effective a Security Operations Centre is: if someone can easily obtain credentials and log in ‘legitimately’, our best efforts have gone to waste.
The rise of credential stuffing attacks, where hackers replay credentials stolen from one service against accounts on other services in order to reach even more sensitive personal data, has led many observers to question how we should protect our digital accounts. Meanwhile, younger generations appear to be losing faith in the security of password protection altogether.
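Credential stuffing leaves a recognisable footprint in authentication logs: one source tries many distinct usernames in a short window and most attempts fail. The detector below is an added example written for this post, not Nomidio code; the log format (timestamp, username, source IP, outcome) and the sample lines are constructed, and the thresholds are assumptions a defender would tune to their own traffic. It also lists accounts that did succeed from a flagged source, since those are the credentials that were valid elsewhere and now need resetting.

```python
"""Credential-stuffing detector over authentication logs (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <src_ip> <OK|FAIL>" per line.
# 203.0.113.7 sprays six different accounts and gets one hit (erin);
# 198.51.100.22 is a user mistyping their own password once;
# 192.0.2.9 is a shared household where two people both log in fine.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z alice 203.0.113.7 FAIL
2024-05-01T10:00:02Z bob 203.0.113.7 FAIL
2024-05-01T10:00:03Z carol 203.0.113.7 FAIL
2024-05-01T10:00:04Z dave 203.0.113.7 FAIL
2024-05-01T10:00:05Z erin 203.0.113.7 OK
2024-05-01T10:00:06Z frank 203.0.113.7 FAIL
2024-05-01T10:01:00Z alice 198.51.100.22 FAIL
2024-05-01T10:01:30Z alice 198.51.100.22 OK
2024-05-01T10:05:00Z gina 192.0.2.9 OK
2024-05-01T10:06:00Z hank 192.0.2.9 OK
"""


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    ok: bool


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, user, ip, outcome = line.split()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome == "OK")


def parse_log(text: str) -> list[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, max_success_rate=0.3):
    """Return {ip: stats} for sources whose behaviour looks like credential stuffing.

    A source is flagged when, inside any sliding `window`, it attempts at least
    `min_users` distinct usernames and its success rate is at most
    `max_success_rate`. The low success rate is what separates stuffing from a
    shared NAT address where many real users all log in correctly.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            if len(users) < min_users:
                continue
            successes = sum(e.ok for e in win)
            if successes / len(win) > max_success_rate:
                continue
            # Keep the widest window seen for this source.
            if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "successes": successes,
                    # Accounts that were actually opened: their password is known
                    # to the attacker and should be reset / stepped up.
                    "compromised": sorted({e.user for e in win if e.ok}),
                }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

On the sample above only 203.0.113.7 is flagged, with erin listed as the account whose reused password worked; the household address is not flagged even with a low `min_users`, because every attempt from it succeeded.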
Password hygiene ignored
The biggest problem with passwords used to be the number of people who simply used ‘password’.
But according to Nomidio’s latest research, we have a much bigger issue: passwords are just not being taken seriously anymore. You might think that younger generations, brought up in a digital world, would apply best practice across their password protected accounts. But a toxic combination of poor user experience and an eroding trust in organisations to keep data safe is leading many to lead riskier digital lives.
We found that younger generations have significantly worse password habits than their parents, with 24% of those aged between 24 and 38 (Millennials) using the same password for all their accounts, compared to just 2% of baby boomers.
With 14% of younger generations reporting they have never changed their password, it’s easy to see how the bad guys can use credentials stolen from one place to log in somewhere else. Perhaps worse still, it is now common for young people (62%) to voluntarily share credentials for services like Netflix with friends and family.
The purpose of this research isn’t to bash the young but rather to highlight that the way we ask people to authenticate today is too cumbersome for users and is in fact the root cause of the booming identity theft industry. It is telling that analysts from Gartner said in a recent report “Data breaches of personally identifiable information (PII) are rendering checking of static identity data (usernames and passwords) obsolete”.
Multi-factor biometrics to the rescue
Over the last few years, the response to the fading protection that passwords afford us has been to add more layers to the process. For example, a one-time passcode sent to a user’s mobile phone or email can make life much harder for hackers.
But this makes a poor experience even worse, and does it really make sense for someone’s identity to be tied to their device? What happens if you’re trying to log in to a work application to meet a deadline while you’re out on the road and your phone runs out of battery? Or you use an authenticator app and then lose your phone? Perhaps this is why just 25% of respondents to our survey said they regularly enable two-factor authentication (2FA) when it’s an option.
At Nomidio we think a multi-factor authentication approach based on biometrics has the potential to deliver a step-change in security and user experience.
Rather than asking users to remember a password, biometric identifiers such as voice and face prints can be stored so that we can authenticate the user on any device they’re logging in from. We combine the biometric check with additional ‘silent’ factors, so that from the user’s perspective all they need to do is present their face to log in.
It has been apparent for a number of years that biometrics hold the answer to more secure authentication, yet the technology has been too costly and complex to deploy. Recently the economics have improved and cloud-based SaaS deployments have reduced the complexity; we believe we’re a great example.
Any organisation, large or small, can implement Nomidio for passwordless biometric authentication quickly and simply by consuming our service from AWS. That’s why we started the company, to dramatically lower the barriers to entry and make biometric authentication available for all.