The problem with passwords is not what you think

Last year, around half (49%) of reported data breaches, including 86% of web application breaches, involved the use of stolen credentials: user names and passwords. In Australia, 1.8 million accounts were breached in the first quarter of 2024 alone. When it comes to secure authentication, there seems to be a lesson we’re not learning.

We know that passwords are vulnerable to being cracked, exposed or stolen and used against us, but many organisations still rely on them for securing access. There are a number of reasons for this — and it is important to remember those reasons when we try to replace or supplement them.

Passwords are convenient. They’re familiar and both users and administrators understand them. They’re easy to implement and require minimal infrastructure and investment. There’s no need for additional hardware and they’re everywhere. Nearly every service and device supports password authentication.

Reducing our reliance on passwords

When considering alternatives to passwords, it’s important to prioritise security, usability and scalability to ensure a seamless and secure authentication experience for users. If you introduce too much complexity and friction, people will find a way around it.

Here are some other types of authentication that can help organisations boost their security without alienating the people they rely on to make it work.

1. Two-factor authentication/multi-factor authentication (2FA/MFA)

These have become the security default for applications. 2FA requires users to provide two forms of identification before gaining access, typically something they know, like a password, and something they have, like a code shared over a mobile device. There’s very little extra time and friction involved. MFA adds additional layers of authentication, such as something the user is (biometrics) or something the user does (behavioural biometrics). In recent years, however, attackers have learned how to breach MFA through targeted phishing or ‘MFA fatigue’ where they bombard the user with sign-in notifications.

2. Single sign-on (SSO)

SSO allows users to access multiple applications with a single set of login credentials, reducing the need for multiple passwords and simplifying the user experience. This is very effective for internal business applications, but it can be time-intensive to set up and connect. SSO can also be risky if applied to wider internet activity and access is gained using the credentials for popular online services such as Google, Facebook, Apple, Yahoo and Microsoft. Although this makes signing on very simple, if an account with one of these services is compromised, the attackers can access any service which has used that account for single sign-on. Further, data is often shared between services and users may not always be aware of this.

3. Biometric authentication

This includes methods such as fingerprint recognition, facial recognition, iris scanning and voice recognition. Behavioural biometrics uses how a person walks, types or handles a device. The advantages of biometric authentication are that it provides a high level of security and user convenience. Many people may be familiar with biometrics because multiple consumer devices already feature biometric authentication capabilities. This can make it easier to deploy the technology in a business setting.

A biometric authentication experience is often quick and smooth because it doesn’t require a user to recall a password or security question/answer. However, not every device can handle biometric authentication and it can be expensive to implement the required technology. Employees also need to be comfortable sharing their biometric data with their employer.

4. Hardware tokens

These physical devices generate one-time, often time-limited codes or cryptographic keys for authentication, adding an extra layer of security. An attacker would need physical access to the token and also know the user’s credentials to infiltrate the account. However, while you can reset a forgotten password, lost hardware is still lost hardware, so the IT team needs to have a backup plan.

5. Certificate-based authentication

These are digital certificates issued by a certificate authority and public key cryptography to verify user identity. The certificate stores identification information and the public key, while the user has the private key stored virtually. It’s a good authentication option for companies that employ contractors who need temporary network access. However, it can be expensive and time-consuming to implement.

Last but not least, there is a dynamic approach known as risk-based authentication. This method assesses the risk associated with a login attempt based on various factors such as user behaviour, location and device information, and adjusts the authentication requirements accordingly.

The takeaway

The focus for secure access needs to shift from just eliminating passwords towards eliminating the need for passwords.

Passwordless access methods aim to achieve this by relying on alternative or supplementary authentication methods that are more secure and user-friendly — such as those listed above — often as part of a broader zero trust access approach. Both passwordless access and zero trust help to strengthen security and improve the user experience in today’s evolving threat landscape. Together they may finally break our emotional and enduring bond with passwords.

Image credit: iStock.com/ArtemisDiana