Why organizations should pivot away from passwords


Conversations around the ineffectiveness of passwords are ongoing: both technology organizations and consumers understand the flaws in this method of authentication, especially as we are constantly reminded to change our passwords every six months, use special characters, and avoid using our date of birth as a PIN.

About the author

Amir Nooriala is CCO at Callsign.

However, even though businesses are aware of these weaknesses, they are not acting on them. Instead, they keep legacy security strategies in place that are unfit for the digital age and leave consumers susceptible to scams.

In fact, the UK’s leading consumer organization Which? recently released research highlighting that some UK banks allow users to set passwords such as ‘admin’ and ‘123456’. Banks may mitigate that risk with two-factor authentication (2FA), but 2FA as it is commonly deployed (a one-time code sent by SMS or email) can be phished or intercepted in much the same way as a password, so neither provides effective security on its own, and organizations need to pivot their cybersecurity strategies away from this outdated verification technique.

We’re still using analogue technology in a digital world

When the internet was first envisaged, nobody could have imagined the explosion of scams and cybercrime we are now experiencing. The result is a disconnect between the methods put in place to protect us and the technology needed to fight the cybercrime that actually exists.

The reality is that passwords simply weren’t designed for the digital age. A password is a single shared secret: anyone who obtains it, whether by phishing, a data breach, or guessing, gets the same access as the legitimate user, which makes it a single point of failure for both the account and the wider systems behind it. A password also says nothing about who the user actually is, only that they know the secret, so the opportunity to foster digital trust between organizations and consumers is lost.

Relying on digitized versions of outdated processes, such as usernames and passwords, is fueling the rise in scams and fraud by creating opportunities ripe for cyber-attackers.

But not all hope is lost: we are seeing an increasing shift towards technologies built from the ground up with a security-first approach for the digital age, protecting privacy and developing trust between users and organizations.

Implementing a trustworthy security strategy

Businesses now need to look beyond passwords and integrate digital-first authentication and verification methods, such as behavioral biometrics, that can build user confidence in digital transactions and interactions.

This privacy-preserving technology authenticates users with methods that are accessible and inclusive, since they ask nothing extra of the user. It verifies genuine users from contextual data, such as location or typing patterns, rather than digitizing an analogue process. Because several independent signals are combined, there is no single point of failure, and changes in behavior can be acted on quickly.

Behavioral biometrics is also friction-free from the user’s perspective, and behaviors can be analyzed in real time, so it is useful at any point of the user journey, whether at login or downstream. Fraud can be identified rapidly: for example, a fraudster who copies and pastes an email address into an authentication form stands out, because a genuine user knows their own email address and would simply type it.

Finally, privacy is a key consideration for the modern user, and while facial biometrics is now commonly used, it is not ideal from a privacy standpoint: it authenticates users with directly identifying personal data, a scan of their face. Behavioral biometrics, by contrast, can verify a user from patterns of interaction without collecting personally identifiable information, although a behavioral profile that uniquely identifies a person is still personal data and needs the same safeguards.

Layering contextual data, including device, threat detection, and cryptography, alongside behavioral biometrics to positively identify users means there is less reliance on a single piece of evidence such as a password, which does not necessarily prove the person is who they say they are. Positive identification implements an ‘innocent until proven guilty’ stance: genuine users can log in until there is a real reason for concern, and one weak signal on its own, such as a new device, is not enough to block them.
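As an added illustration of how such layered signals can be turned into a login decision, here is a small risk-scoring routine in Python. It is example code written for this page, not Callsign’s product or the author’s method; the signal weights, thresholds, user profile and login events are all constructed assumptions. It covers the page’s pasted-email case and goes slightly beyond it by also checking whether the keystroke timing is too uniform to be human.

```python
"""Risk-based login decision that layers contextual signals with typing behaviour.

Added example for illustration; weights, thresholds, the profile and the
login events below are constructed assumptions, not real telemetry.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class UserProfile:
    """What the service has learned about a genuine user over past sessions."""
    known_devices: frozenset
    usual_countries: frozenset
    cadence_mean_ms: float   # mean gap between keystrokes when typing the username
    cadence_std_ms: float    # standard deviation of that gap


@dataclass
class LoginEvent:
    """Telemetry the login page captured for one attempt (constructed)."""
    device_id: str
    country: str
    username_pasted: bool          # the browser saw a paste into the username field
    keystroke_intervals_ms: list   # gaps between keystrokes; empty if pasted


# Assumed weights and thresholds; a real deployment tunes these from fraud data.
WEIGHT_UNKNOWN_DEVICE = 25
WEIGHT_UNUSUAL_COUNTRY = 25
WEIGHT_PASTED_USERNAME = 30
WEIGHT_CADENCE_MISMATCH = 30
WEIGHT_AUTOMATION = 30
STEP_UP_AT = 30   # 30..79: ask for an extra check, e.g. a push approval
DENY_AT = 80      # 80 and above: refuse and alert


def cadence_zscore(intervals, profile):
    """Distance of the observed typing rhythm from the user's baseline, in std devs."""
    if len(intervals) < 5 or profile.cadence_std_ms <= 0:
        return None  # too little data to judge; do not penalise the user
    return abs(mean(intervals) - profile.cadence_mean_ms) / profile.cadence_std_ms


def looks_automated(intervals):
    """Scripts replay keystrokes with near-identical timing; people do not."""
    return len(intervals) >= 5 and pstdev(intervals) < 5.0


def score_login(event, profile):
    """Return (decision, score, reasons).

    Each signal adds to the score only when it points towards fraud, so a
    genuine user on a known device with normal typing accumulates nothing and
    is allowed straight through: innocent until proven guilty.
    """
    score, reasons = 0, []
    if event.device_id not in profile.known_devices:
        score += WEIGHT_UNKNOWN_DEVICE
        reasons.append("unknown device")
    if event.country not in profile.usual_countries:
        score += WEIGHT_UNUSUAL_COUNTRY
        reasons.append("unusual country")
    if event.username_pasted:
        score += WEIGHT_PASTED_USERNAME
        reasons.append("username pasted rather than typed")
    else:
        z = cadence_zscore(event.keystroke_intervals_ms, profile)
        if z is not None and z > 3.0:
            score += WEIGHT_CADENCE_MISMATCH
            reasons.append(f"typing rhythm {z:.1f} std devs from baseline")
        if looks_automated(event.keystroke_intervals_ms):
            score += WEIGHT_AUTOMATION
            reasons.append("keystroke timing too uniform; likely scripted")
    if score >= DENY_AT:
        decision = "deny"
    elif score >= STEP_UP_AT:
        decision = "step_up"
    else:
        decision = "allow"
    return decision, score, reasons


# Constructed profile and login attempts for demonstration.
PROFILE = UserProfile(frozenset({"dev-A"}), frozenset({"GB"}), 180.0, 40.0)
GENUINE = LoginEvent("dev-A", "GB", False, [170, 200, 160, 190, 210, 150])
NEW_PHONE = LoginEvent("dev-B", "GB", False, [170, 200, 160, 190, 210, 150])
PASTED_ABROAD = LoginEvent("dev-X", "US", True, [])
SCRIPTED = LoginEvent("dev-A", "GB", False, [100, 100, 100, 100, 100, 100])
WRONG_RHYTHM = LoginEvent("dev-A", "GB", False, [400, 420, 380, 410, 390, 400])

if __name__ == "__main__":
    for name, ev in [("genuine", GENUINE), ("new phone", NEW_PHONE),
                     ("pasted abroad", PASTED_ABROAD), ("scripted", SCRIPTED),
                     ("wrong rhythm", WRONG_RHYTHM)]:
        print(name, *score_login(ev, PROFILE))
```

The point to notice is in the outcomes: the genuine user is never asked for anything, a new phone on its own is tolerated, while a pasted username from an unknown device in an unfamiliar country accumulates enough evidence to be refused, and a correct password typed by a script or by someone with the wrong rhythm is pushed to a step-up check rather than silently accepted.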

Establishing user confidence and creating digital trust

The issue around passwords ultimately comes down to building digital trust: the confidence users have in the ability of people, technology, and processes to create a secure world. As things stand, businesses and consumers are losing the opportunity to build digital trust because of their reliance on weak security technologies.

Callsign’s research has highlighted that a quarter of consumers globally receive more scam text messages than messages from friends and family, and over half (54%) of UK consumers say they trust organizations less after receiving a scam message.

The research reveals that not enough is being done to secure our digital identity, and as a result digital trust between organizations and consumers is harder to build. Organizations need to place value on consumers’ digital identity, because only then will they unlock trust in online services. The onus is on organizations to implement secure technologies that protect users.

To achieve this, organizations should pivot their security strategies away from passwords to authentication and verification methods that are fit for purpose in today’s digital age. The advantages of these alternative technologies for both organizations and users are numerous, and they offer an opportunity to foster digital trust at a time when it is harder to maintain than ever.

