World Password Day just passed, and we have to ask — are passwords passé yet? Earlier this year, in our fourth annual Data Breach Industry Forecast, we predicted aftershock breaches would hasten the demise of passwords and expedite the broader adoption of multi-factor authentication to verify users.
In 2016, incidents like the reappearance of credentials compromised in a 2014 breach of 500 million Yahoo accounts illustrated one of the many problems with passwords. As the number of breaches continues to grow, so does the likelihood of “aftershock breaches” that can affect companies and customers for years after the initial incident.
Cybersecurity professionals have known for a long time that passwords are no longer the best way to protect data and systems. In fact, according to the 2017 Data Breach Investigations Report from Verizon, 81 percent of hacking-related breaches leveraged weak or pilfered passwords.
Passwords have multiple failings. For one thing, too many people find it difficult to follow best practices for password use — multiple surveys show us that. Not even the professionals do what they’re supposed to all the time when it comes to passwords. A February 2017 survey of cybersecurity professionals attending the RSA Conference in San Francisco found 53 percent hadn’t changed their social media passwords in more than 12 months. Twenty percent hadn’t changed their passwords since opening the accounts!
What’s more, passwords are eminently hackable and vulnerable to theft. A password stolen in a data breach may be all a criminal needs to access the breached account. Since many people reuse passwords, that stolen code could grant the crook access to even more personal information and private accounts.
A better way
In our prediction, Experian Data Breach Resolution advocated multi-layer authentication as a better alternative. Secondary authentication methods, such as SMS alerts, geolocation confirmation, biometrics and tokens, could help companies solve password problems — including how to protect people who continue to reuse passwords.
Notably, the official World Password Day website, www.passwordday.org, promotes multi-layer authentication, too. The site encourages visitors to “layer up your login” for better security by choosing the free multi-factor authentication setting now available in many apps and websites.
Multi-layer authentication certainly seems to be the approach that’s going to replace one-layer password authentication. In April, Microsoft announced it will launch phone sign-in for Microsoft accounts.
“With phone sign-in, we’re shifting the security burden from your memory to your device,” wrote Alex Simons, director of program management, Microsoft identity division. “Just add your account to the Android or iOS Microsoft Authenticator app, then enter your username as usual when signing in somewhere new. Instead of entering your password, you’ll get a notification on your phone. Unlock your phone, tap ‘Approve,’ and you’re in.”
In May, TechCrunch reported Salesforce users will soon be able to enjoy passwordless access. Users download the Trusona app on their iOS or Android smartphone and set up their accounts, using a six-digit PIN or fingerprint, depending on the device. When they open Salesforce on their PC or laptop, instead of entering a password they click on the Trusona button, which brings up a QR code on the screen. Using their smartphone’s camera, they scan the QR code to log in to their Salesforce account.
The cybersecurity industry is finally embracing a variety of authentication tools, including biometrics, IP addresses, location, facial recognition, user activities and more. When layered together, these additional authentication forms could help ensure greater security for everyone in a world where passwords are, finally, passé.