You might feel as though we keep banging the drum on passwords and going passwordless. You’d be right, but it’s for a good reason.
After all, research has shown that 71% of hacks today aren’t really hacks, but cybercriminals logging in with valid user credentials they’ve obtained elsewhere, such as the dark web. In fact, estimates show that more than 15 billion stolen account credentials are up for grabs on cybercrime forums, with 5 billion of them considered unique, meaning that they haven’t been offered for sale more than once.
Although not the sole cause, the persistence of the traditional username and password approach is a major reason why the total number of records compromised increased by 141%, even as publicly reported breach events decreased by 48%.
So, why are we still using passwords, why haven’t we made the leap to passwordless, and what does the next year hold for us?
The password problem
Despite huge advances in technology and cybersecurity, passwords continue to live on. We all know the problems with them: they offer a poor user experience and are easy to hack.
Yet, probably the most concerning thing is that password habits amongst internet users are getting worse; password reuse is still rife, while people still too often opt for easy-to-crack passwords. According to NordPass’s 200 most common passwords of the year for 2020, tons of people still use “123456” as a password. This isn’t even half of the story: plenty of other especially insecure passwords continue to be widely used, including the veteran “password” and the ever so slightly more imaginative “qwerty”.
Although the password problem is ubiquitous, we’ve mentioned in previous blogs how this is seemingly a larger problem amongst younger generations. Our research has shown that younger generations have significantly riskier password habits than their parents, with 24% of those aged between 24 and 38 (Millennials) using the same password for all their accounts, compared to just 2% of baby boomers.
Towards better password security
For many organisations, introducing a biometric check as part of multi-factor authentication (MFA) can help eliminate the vast majority of common attacks such as credential stuffing and phishing. Credentials can’t be lost, stolen or shared when they are your own face and voice patterns – the legitimate user must actually be present to log in.
This is precisely the technology and philosophy that sits behind Nomidio. Rather than asking users to remember a password we store their biometric identifiers, a voice and face print, so we can authenticate against those across any device they’re logging in from. We combine the biometric check with additional ‘silent’ factors that increase security still further. So from a user’s perspective all they need to do is speak and present their face and they’re in. It also means that any organisation, large or small, can implement Nomidio for passwordless biometric authentication quickly and simply by consuming our service from AWS or Microsoft Azure.
Why haven’t we opted for two-factor authentication (2FA)? It’s simple: with Nomidio, the authentication happens in the cloud rather than locally on a device, meaning the user can move between their laptop, phone or a third-party device and still log on using their voice and face, from anywhere. With 2FA, your identity is tied to a device, which is limiting if, for example, you lose said device or it runs out of battery.
A year of change?
Although the humble username and password continue to endure, we are optimistic for the year ahead, particularly for biometric MFA. You only have to look at the last 12 months to see why.
Over 150 million people are now using Microsoft passwordless systems each month, while 84.7% of people opted for Windows Hello to sign into Windows 10 PCs instead of a password, up from 69.4% in 2019. We are now seeing some of the world’s biggest and most renowned tech companies adopting, deploying and investing in passwordless technologies.
This is being compounded by a global shift to hybrid and remote working. Many organisations are going through a process of rethinking and reassessing how they enable employees and other users to access sensitive networks and information, irrespective of their location, network or device, while still maintaining the highest grades of security. The significant uptick in people using passwordless technologies is a clear sign that they are acknowledging the security risks associated with passwords, particularly in a more decentralized workforce, and viewing passwordless authentication as the remedy.
Set against the backdrop of a huge rise in cyberattacks that seem to involve the misuse of passwords, these three factors give us hope that we will finally see significantly more people recognise why we should all be going passwordless this year.