It’s time to break up with your passwords

How Microsoft and other industry leaders are embracing a more secure and convenient way of logging in

We broke up with passwords, and it’s high time you did, too. Passwords have long been the standard for authenticating users, not because they’re the best method but because ‘that’s just how we’ve always done it.’ Well, we were tired of the status quo. Sorry, passwords — but it is you, not us. You deserve so much more! Passwords are vulnerable, expensive, and inconvenient. There are other fish in the sea, and these passwordless authentication options offer better protection. We’re not only surviving our breakup with passwords, we’re thriving! Find out how freedom from passwords means a more secure, affordable, and joyful future!

Passwords are vulnerable

According to a report by Forrester, 80% of security breaches involve compromised passwords. Most password systems use a centralized directory to store passwords and authenticate users, while the users connect through one or more networks from another location, which provides two rich targets for password harvesting:

1) The directory that contains all the passwords.

2) Everything in the network between the user and the authentication service.

There’s also the human aspect of password vulnerability. Since the password is known to the user, they could divulge it through phishing attacks, write it down somewhere vulnerable, or reuse the same or similar password.

Even the biggest companies in the world, with significant resources, are susceptible to password breaches, proving their unreliability. It seems that nearly every week, there’s a news headline about a new password or identity breach involving many public and private institutions, like:

Facebook, Twitter, Evite, Uber, eBay, Instagram, Yahoo, British Airways, Target, AT&T, T-Mobile, Ticketmaster, Starbucks, Home Depot, JP Morgan Chase, Capital One, CitiGroup, TD Ameritrade, Fidelity National Financial, Bank of America, and First American Financial.

Passwords are expensive

In an often-cited 2018 study, Forrester estimated that the average password reset costs an organization $70 USD due to lost productivity and the IT services required to reset the password. This means the average Fortune 500 enterprise spends over $1 million annually on password-related costs. To put things in perspective, Gartner estimates that 30 to 50% of service desk calls are related to password support alone. Could your IT resources be used more effectively? We certainly think so.

Both studies are based on enterprise-class customers who take security very seriously, which suggests that the impact on small to medium-sized businesses may be proportionally greater. With limited IT staff and resources, password issues can disrupt operational efficiency and burden their systems.

Passwords are inconvenient

Passwords create a lot of friction for users, who must remember and manage dozens of complex and unique passwords for different accounts and services. This leads to poor password hygiene and exposes accounts to compromise. According to a survey by LastPass of 3,750 professionals, 62% of respondents always or mostly use the same password or a similar variation.

Passwords are not only a security risk but also a productivity and user experience issue. A 2019 study by Yubico estimates that the average user spends 12 minutes a week entering and managing passwords, which adds up to about 11 hours a year.

The most privileged users, like system admins, often have the most passwords to remember and manage, compounding the problem as the credentials with the ability to cause the most damage are often the most vulnerable.

We’re fine — we have MFA

Multifactor Authentication (MFA) has become a very popular mitigation for the security risks associated with passwords. MFA adds another layer of verification beyond the password, like a one-time code that is sent by SMS or email or generated by an authenticator application.

While MFA is more secure than passwords alone, there are still some things to consider:

  • MFA is another layer of security that increases overall identity management complexity and expense for both organizations and users.
  • MFA can be breached through social engineering and man-in-the-middle or adversary-in-the-middle (MiTM / AiTM) attacks, which are commonly carried out against users on public Wi-Fi networks.
  • MFA does not validate end-user device security posture.
  • MFA degrades the user experience through a more complex login process.
  • MFA still requires passwords, which we’ve already established are vulnerable.

No more passwords

Passwordless authentication has emerged as a better alternative to passwords. As the phrase implies, passwordless authentication is a way of verifying user identities without requiring them to enter a password. Instead, users can prove who they are using other factors, such as biometrics, mobile devices, or security keys.

Passwordless authentication offers many benefits over passwords, such as:

  • Enhanced security: Passwordless authentication eliminates the risk of phishing, credential stuffing, brute force, and other password-based attacks. It reduces the attack surface, as there are no passwords to be stolen or compromised. Instead, it relies on cryptographic keys or tokens for authentication that are unique and hard to spoof or copy.
  • Improved user experience: Passwordless authentication simplifies and streamlines the login process, as users do not have to remember, type, or reset passwords. It also enables seamless and consistent access across different devices and platforms since users can use the same factor to authenticate on any device. Passwordless authentication also supports user preferences and accessibility, allowing users to choose the factor that suits them best, such as fingerprint, face, voice, or SMS.
  • Reduced costs and complexity: Passwordless authentication eliminates the need for password management and reset tools, which can be costly and complex to maintain. It also reduces the burden on IT and helpdesk staff, who must deal with password-related issues and requests. With no passwords to be stored or transmitted, compliance and regulatory risks are lowered.
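As an added illustration (not part of the original post) of the cryptographic challenge-response that passwordless sign-in with FIDO2 security keys or platform authenticators relies on, this Go sketch shows a relying party that stores only public keys, issues a fresh challenge per login, and rejects a signature produced for a look-alike origin. The names, the use of Ed25519, and the simplified origin-hash-plus-challenge message are assumptions of this example, not the real WebAuthn wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

type Authenticator struct{ priv ed25519.PrivateKey } // FIDO2-style device; the private key never leaves it

// RelyingParty stores only public keys, so a dump of its credential store yields nothing reusable.
type RelyingParty struct {
	id    string                       // the origin users sign in to, e.g. "example.com" (constructed)
	creds map[string]ed25519.PublicKey // user name -> registered public key
}

func NewAuthenticator() (*Authenticator, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // errors only if system entropy is unavailable
	return &Authenticator{priv: priv}, pub
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, creds: map[string]ed25519.PublicKey{}}
}

func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.creds[user] = pub } // no shared secret stored

// NewChallenge returns fresh random bytes per login, so a captured response cannot be replayed.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand; fails only if the system entropy source is broken
	return c
}

// signedMessage binds the challenge to the origin the authenticator is actually talking to.
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	return append(h[:], challenge...)
}

// Sign runs after local user verification (fingerprint, PIN); the key never leaves the device.
func (a *Authenticator) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedMessage(origin, challenge))
}

// Verify checks against the RP's own id, so a signature obtained by a look-alike site fails.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.creds[user]
	return ok && ed25519.Verify(pub, signedMessage(rp.id, challenge), sig)
}
```

Because the relying party holds nothing but public keys and each challenge is single-use, both "rich targets" named earlier (the credential directory and the network path) lose their value to an attacker.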

The solutions available

It’s evident that this is the way forward for many organizations. In its 2022 report Emerging Technologies and Trends Impact Radar, Gartner states that password removal is critical for most organizations to reduce security risk and improve employee and customer experience.

Passwordless authentication is not a futuristic or niche concept but a reality that has already been adopted by many industry leaders and organizations. Microsoft, for example, has been a pioneer and advocate of passwordless authentication, both for its own employees and for its customers. Microsoft has enabled passwordless authentication for its Entra ID / Azure Active Directory (AAD) service, which is used by over 200 million users and 90% of Fortune 500 companies. Users can sign in to AAD using Windows Hello, the Microsoft Authenticator app, or FIDO2 security keys without entering a password.

Microsoft has also made passwordless authentication available for its consumer services, such as Outlook, Skype, and Xbox, as well as for its Windows 10 and 11 operating systems. Microsoft claims that passwordless authentication has increased security, productivity, and user satisfaction and reduced password-related costs by 87%.

Microsoft is not alone in embracing passwordless authentication. Other tech giants, such as Google, Apple, and Facebook, have all implemented passwordless authentication for their users and services, using various factors, such as biometrics, mobile devices, and security keys. Moreover, passwordless authentication is gaining traction across different industries and sectors, such as banking, healthcare, education, and government. According to a report by Forrester, more than two-thirds of organizations surveyed have a passwordless initiative, and IDC expects 90% of enterprise-class organizations will offer passwordless authentication to their users by 2025.

Passwordless authentication is a good fit for many organizations and use cases, especially as part of a zero-trust initiative. However, there are still some challenges that may make it unsuitable for your organization or for all of your scenarios. Some challenges you may need to address include:

  • Integration with legacy applications and platforms
  • Implementation and operational costs (CapEx and OpEx)
  • Device vulnerability management
  • Environmental considerations (biometrics in harsh environments like extreme heat, cold, etc.)
  • User privacy

The end of the password-dominated era

Passwordless authentication is the future of online security and identity. It offers a more secure and convenient way of logging in without compromising user experience or privacy. Organizations will reduce costs, complexity, and risks while increasing productivity, efficiency, and customer loyalty.

This is not a one-size-fits-all solution but rather a flexible and adaptable one that can cater to different user needs and scenarios. Passwordless authentication is not a replacement for passwords but a complement and an evolution that can coexist and integrate with passwords until passwords become obsolete and unnecessary.

Good news — if you are already using Entra ID / AAD as part of a Microsoft cloud service such as M365 or Azure, you already have a license for passwordless authentication. Let’s talk about your Identity and Access Management (IAM) strategy and whether it’s time to break up with passwords for a passwordless solution that makes sense for your organization.

Colin Smith
