Password free

Why passwords should be a thing of the past

Passwords are an inseparable part of everyday computing – at least that’s how it used to be.

In view of growing cyberattacks and ever-increasing security requirements, especially for highly sensitive data, the classic password is no longer sufficient as a security concept. Approaches such as passkeys, YubiKeys and WebAuthn are far more effective.

If you want to protect your digital account, you naturally use a password. But is this really the best choice? In fact, this method is nowhere near as secure as many people think. What’s more, it is now overwhelming users. A full 39 percent of consumers in Europe have more than 20 active online accounts – and two thirds have trouble managing the many passwords. This can ultimately lead to careless behavior in this important area, for example in the form of weak, particularly simple passwords or the “one for all” principle. Around 80 percent of all breaches in the context of web applications are caused by compromised login information.

The fact is: password and phishing attacks are increasing significantly in the course of digitalization, and so are the costs. It is therefore high time to say goodbye to the password as a central security element and turn to other solutions. Companies benefit from this in a number of ways: greater user-friendliness, higher productivity, lower support costs and, of course, greater security.

What users get out of it

In Okta’s Customer Identity Report 2023, almost a quarter of respondents stated that simply being asked to create a new password causes increasing frustration. Even if these users have already set up a password, the process is not particularly convenient. Almost two thirds of respondents have problems logging in to one of their accounts at least once a month because they have forgotten either their username or their password. A quarter are annoyed by this at least once a week, and six percent every day. In companies, password problems lead to concrete failures in over eight percent of all incidents – and thus to new hurdles, wasted time and increased use of the helpdesk.

Unsuitable passwords are even more problematic when they are used to protect against complex attacks. Weak passwords make it easy for attackers to crack several accounts at once. In addition, hackers today have access to sophisticated tools that can endanger even highly complex passwords. Once compromised, these passwords then act as a backdoor to multiple accounts.

Weak points in business and administration

However, companies are not the only ones facing such attacks: governments around the world are also under threat from cybercriminals targeting passwords. SpyCloud’s Identity Exposure Report 2023 shows that there were almost 700 breaches of “.gov” emails in 2022. One of the reasons: 61 percent of government employees with multiple password-protected accounts used the same password. To draw attention to this problem, the Office of Inspector General of the US Department of the Interior conducted a cybersecurity exercise – with alarming results: 16 percent of passwords for all user accounts could be cracked. This raises the question: How can accounts and data be secured more effectively?

The solution: WebAuthn and Passkeys

Passkeys and WebAuthn are key technologies for a passwordless future that makes the lives of all users significantly easier and more secure. WebAuthn, developed by the FIDO Alliance and the W3C, enables secure authentication through cryptographic key pairs and hardware-based methods such as fingerprints or security keys. Passkeys use WebAuthn technology, but are even more user-friendly and deeply integrated into operating systems, enabling seamless and secure authentication. Both technologies work together to replace passwords with more secure and convenient methods and increase security in the digital space.

Passkeys authenticate users using public key cryptography. This is much more difficult to circumvent than a simple password. Users can access their “master key” with biometric data, a numerical PIN or even a specific pattern. No password can be lost or accidentally revealed. Once customers have set up their passkey, they can synchronize it on all their devices. This means it is available at all times – particularly easy and convenient for users.
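
To make the public key mechanism described above concrete, here is an added example (not code from the article or from Okta) of a simplified WebAuthn-style login in Node.js. It goes a step beyond the text by showing the challenge and origin checks that make a signed response useless on a look-alike site or at a later login. The names createAuthenticator, verifyAssertion and demo, the domain shop.example and the look-alike origin are assumptions, and the real protocol's CBOR encoding and attestation are left out.

```javascript
// Added example: simplified WebAuthn-style login check (no CBOR, no attestation).
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Authenticator: holds the private key; the credential is scoped to one RP ID.
function createAuthenticator(rpId) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // the only credential material the server stores
    // `origin` is filled in by the browser from the page that asked, not by the user.
    sign(challenge, origin) {
      const clientDataJSON = Buffer.from(JSON.stringify({
        type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
      // rpIdHash (32 bytes) | flags (user present) | signature counter (4 bytes)
      const authData = Buffer.concat([sha256(rpId), Buffer.from([0x01, 0, 0, 0, 1])]);
      const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
      return { clientDataJSON, authData,
               signature: nodeCrypto.sign('sha256', signed, privateKey) };
    },
  };
}

// Server: checks what was signed before checking the signature itself.
function verifyAssertion(expected, storedPublicKey, { clientDataJSON, authData, signature }) {
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'bad-challenge';
  if (client.origin !== expected.origin) return 'bad-origin';
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'bad-rp-id';
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, storedPublicKey, signature) ? 'ok' : 'bad-signature';
}

// Constructed scenario; shop.example and the look-alike origin are placeholders.
function demo() {
  const expected = { rpId: 'shop.example', origin: 'https://shop.example',
                     challenge: nodeCrypto.randomBytes(32) };
  const passkey = createAuthenticator(expected.rpId);
  const other = createAuthenticator(expected.rpId); // a different key pair
  const genuine = passkey.sign(expected.challenge, expected.origin);
  const lookalike = passkey.sign(expected.challenge, 'https://shop.example.login.test');
  const nextLogin = { ...expected, challenge: nodeCrypto.randomBytes(32) };
  return {
    genuine: verifyAssertion(expected, passkey.publicKey, genuine),
    lookalike: verifyAssertion(expected, passkey.publicKey, lookalike),
    replayed: verifyAssertion(nextLogin, passkey.publicKey, genuine),
    wrongKey: verifyAssertion(expected, other.publicKey, genuine),
  };
}
```

The server never holds anything a breach could turn into a login: a leaked public key cannot sign, and a response captured on another origin or for an earlier challenge fails before the signature is even checked.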

Not an easy path

Why has this approach not yet gained widespread acceptance? Many potential users are hesitant because they have been used to passwords as a standard method for decades. IT teams know how to implement and manage them, users know how to create and reset them. This shows that habit can overshadow the risks.

After thorough testing, biometric and passkey solutions have proven to be highly effective – and they are ready for immediate use. What’s more, they are definitely a better solution than what many companies see as the apparent solution: making password requirements ever more complex. Industries such as healthcare, financial services and the public sector, which work with vast amounts of user data on a daily basis, can set a good example here. And all the more so as there are few barriers to switching to passwordless solutions.

Many providers of identity management and low-code/no-code platforms also give smaller companies with less well-equipped IT teams the opportunity to optimize their cyber security and better protect their customers. Passwords definitely do not provide sufficient protection against cybercriminals. The sooner you switch to passwordless solutions, the better the security.

Götz Walecki

Director, Solutions Engineering Central & Eastern Europe

Okta

Goetz Walecki is a seasoned IT professional with over 20 years of experience in IT management and cyber security.