By James Quick

Maybe “World Password Day” Should Be “World Authentication Day”

In case you missed the memo, May 7th is World Password Day. Or maybe you knew it and decided to pass on celebrating, with good reason. Strong and multi-factor authentication has proven to be more secure than passwords.

Passwords have been used for centuries to gain restricted entry or attain exclusive membership. But do we still need them today? Or should I say, are we continuing to use them where something safer and more efficient is in order? It baffles me to see companies still allowing their workers to use weak passwords. Granted, trying to come up with unique, strong passwords is annoying, and they add friction to the user experience. And while passwords may be easy for companies to deploy, those companies aren’t doing themselves any favors by putting their businesses and customers at risk.

Users are the hacker’s path of least resistance

Hackers will always choose the path of least resistance. They can scan network devices for open ports and misconfigurations, but for every network device, there can be thousands of users. So, duh, why not target users? Employees are a delicacy in satiating the hacker’s malicious appetite for data because they are a path of least resistance. You can read many examples of this in the 2019 Verizon Data Breach Investigations Report. The report found over eighty percent of hacking-related breaches leveraged stolen or weak passwords. 

Password fatigue has become widespread, and with so many portals, websites, devices, and applications in use today, we need a better access security model. We need stronger authentication methods that don’t rely so much on human effort. When the same simple, easy-to-remember password is used for logging into social media, online banking, shopping, healthcare, and other sites, and one of those sites is breached, all of the user’s accounts are vulnerable.

Strong and multi-factor authentication uses software to analyze the user request to determine the trust or risk level. Whether a request is rated high trust or low to medium trust determines which authentication factors the system requires, based on policy and context. For example, if a high-volume user requests something out of the norm, the authentication system’s risk profile might flag the request as a malicious event and block the transaction.
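The decision flow described above can be sketched as a small policy function. This is an added example, not code from the article or from any product; the signals, weights, thresholds, factor names and sample history are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Request:
    user: str
    known_device: bool    # device seen before for this user
    usual_country: bool   # source country matches the user's norm
    amount: float         # size of the requested transaction

# Constructed sample data: past transaction amounts per user.
HISTORY = {"alice": [120.0, 95.0, 130.0, 110.0, 105.0, 125.0, 98.0, 115.0]}

def risk_score(req, history=HISTORY):
    """Return 0-100; weights and cut-offs are illustrative assumptions."""
    score = 0
    if not req.known_device:
        score += 30
    if not req.usual_country:
        score += 30
    past = history.get(req.user, [])
    if len(past) < 5:
        score += 30                      # no baseline: cannot call it normal
    else:
        sigma = pstdev(past) or 1.0      # avoid dividing by zero on flat history
        z = abs(req.amount - mean(past)) / sigma
        if z > 6:
            score += 70                  # far outside this user's norm
        elif z > 3:
            score += 30
    return min(score, 100)

def decide(req):
    """Map the score to an action and the factors the policy requires."""
    score = risk_score(req)
    if score >= 70:
        return "block", []                              # flagged as malicious
    if score >= 30:
        return "step_up", ["primary", "second_factor"]  # low to medium trust
    return "allow", ["primary"]                         # high trust
```

A user with no usable history is treated as low to medium trust rather than high trust, so a missing baseline leads to a step-up instead of a silent allow.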

Moving beyond passwords

Those who pass on celebrating World Password Day are more than likely using strong or multi-factor authentication, or a risk engine, to identify suspicious behavior prior to granting access. Not only does this improve the user experience, but it also enhances the company’s security posture.

As we consider World Password Day, the obvious question is, will passwords go away? And what will replace them? Below are some alternatives:

  • Passphrase authentication
  • Password-less authentication
  • Web browser authentication 
  • Operating system authentication
  • Biometrics authentication 
  • Multi-factor authentication

New password-less technologies will ease access management while ensuring greater protection of corporate and personal data. 

Passwords have been around for generations. And just as many password intrigues went out of fashion, or their purpose expired, passwords for getting into corporate systems will go away, too.