Why it’s time to leave passwords in the past


Passwords may seem like the obvious choice to keep digital accounts safe, but they don’t solve all security concerns, and they certainly don’t make life easier for users. Simply put, we’re overloaded with passwords. 42% of consumers have more than 20 active online accounts, so it’s unsurprising that almost two-thirds of consumers feel overwhelmed by the number of passwords they have to manage. Frustration around password creation is resulting in careless cybersecurity habits, such as using weak or easy-to-guess passwords or the same password for every account. 80% of web application breaches are caused by compromised credentials. With password and phishing attacks on the rise, and the cost of these attacks growing as organizations become increasingly digitized, it’s time we left passwords in the past so that organizations can reap the benefits of better user experiences, higher productivity, lower support costs and enhanced security.

Stephen McDermid

Chief Security Officer for EMEA at Okta.

The impact on users

33% of UK consumers report feeling overwhelmed and frustrated when asked to create a password, and even once they have set one up, the poor user experience persists. In Okta’s 2023 Customer Identity Report, 63% of UK respondents stated that at least once a month they are unable to log in to an account because they have forgotten their username or password. 24% encounter this issue at least once a week, and for over 1 in 20 it is a daily occurrence. This is a problem for businesses as well as individuals: workplace password logins fail over 8% of the time, creating unnecessary hurdles, wasting time and driving up help desk requests.

More concerning is how poorly passwords protect against the complexity of modern attacks. Users, understandably, suffer password fatigue and reuse simple passwords, allowing threat actors to breach multiple accounts with a single stolen credential. At the same time, attackers have access to highly sophisticated tools, putting even the most complex passwords at risk. Once compromised, a password often provides a backdoor into multiple accounts.

Cross-industry vulnerability

Private sector organizations are not alone in facing these types of attacks. Governments across the globe are equally under threat from cybercriminals targeting passwords. SpyCloud’s 2023 Identity Exposure Report revealed that “.gov” emails were exposed in nearly 700 breaches in 2022, and that 61% of government employees with more than one password exposed in the last year had reused passwords across multiple accounts. To highlight this issue, the U.S. Department of the Interior Office of Inspector General conducted a cybersecurity exercise and was able to obtain passwords for 16% of its user accounts.

Vulnerability is clearly widespread, with government officials, private sector workers and the public all experiencing password fatigue, security issues and forgotten passwords. It raises the question: how can we more conveniently and effectively secure our accounts and data?

Embracing passkeys

Simple passwordless technologies like passkeys can make life easier and more secure for users. With passkeys, the sign-in experience is as easy as unlocking your phone, and it eliminates one of the weakest links in the security chain: the password. Passkeys authenticate users through public key cryptography, which is far harder to crack than a simple password, because the secret half of the key never leaves the user’s device and the service only ever stores the public half. Customers unlock their passkey with biometrics, a numeric PIN or even a pattern. That way they can never lose their password or be tricked into giving it away. Once customers set up their passkey, they can sync it across all their devices so that it is available whenever it is needed, which is both convenient and easy for customers.

Despite the benefits, there has been some hesitation to adopt passwordless technology. Some developers, and indeed consumers, are reluctant to embrace this change because passwords have been the default method for decades. For all their flaws, passwords today are a known entity: IT teams know how to implement and manage them, and end users know how to create and reset them. Often that familiarity can outweigh the risk. But biometric and passkey solutions have been thoroughly tested, proven effective and are readily available for immediate implementation. To improve cybersecurity, companies must champion the use of passwordless alternatives rather than making password requirements ever more complex in a bid to make them harder to compromise.

Industries such as healthcare, financial services and the public sector, which handle vast volumes of user data on a daily basis, should lead by example. The time for them to do so is now, as there are few barriers to making the switch to passwordless solutions, with many identity management providers offering low-code/no-code platforms. Through these offerings, even smaller organizations with less well-resourced IT teams have the opportunity to upgrade their cybersecurity and better protect their customers.

The passwordless future

The line of defense that passwords offer is too fragile against the modern cybercriminal. With that in mind, it’s vital that we better secure our data and digital identities while simultaneously improving the user experience. Ultimately, the sooner we can switch to passwordless, the better. By doing so, organizations can start enjoying the benefits of passwordless authentication: better user experiences, higher productivity, lower support costs and of course, enhanced security.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Stephen McDermid is Chief Security Officer for EMEA at Okta.