A combination of factors is driving passwordless from discussion topic to implementation goal.
There’s a lot of talk in Australia right now about authentication and establishing identity. The driver for much of the discussion is the relative insecurity or weakness of current methods, which has been exposed repeatedly — by accident, by hackers, or by other means.
It is good to see these kinds of discussions finally take place, and the hope is they lead to progress in the adoption of stronger forms of authentication sooner rather than later.
The end of passwords as a form of authentication, for example, cannot come soon enough. The technology to replace passwords exists, but it’s been somewhat difficult to predict exactly what will be the trigger for a critical mass of organisations to start the shift towards passwordless forms of authentication.
Increasingly, it’s become apparent that there may not be one single trigger event. Instead, it is likely that a confluence of factors will drive passwordless authentication models over the line.
Certainly, there are signs that the volume and severity of data breaches are causing Australian organisations to rethink their security in general. For example, we’ve reached a point where some breach victims are starting to more openly and transparently share how they were attacked and where their weaknesses were. This is incredibly valuable intelligence — the type of information security practitioners have often unsuccessfully sought following a high-profile attack.
This kind of intelligence-sharing can only mean good things for raising the collective security of organisations.
Collective security levels can also benefit from a more systemic and fundamental examination of security architectures and approaches. It is clear from these post-incident investigations that the continued use of passwords for authentication is a collective weakness. We know passwords are a leading cause of breaches, with 82 per cent of incidents last year resulting from stolen passwords, phishing attacks, and overall poor credential-management hygiene. We also know that 81 per cent of customers threaten to withdraw from brands that get breached.
Going passwordless promises to put a real dent in data breach figures by cutting off a key mode of entry for attackers.
More trigger points
Beyond a reduction in data breaches, there are several other factors also driving organisations towards passwordless authentication.
One of these factors is a desire to reduce instances of identity theft by making identity credentials much harder for an attacker to steal. Targeting passwords is a low-effort activity that cyber criminals prefer. But passwordless protections include biometrics, the use of hardware security keys and trusted devices, or software-based mechanisms such as QR codes and magic links. It’s much harder for an attacker to steal a physical device or intercept a one-time passcode or biometric data, and therefore they are less likely to attempt it.
Another factor that may also fuel a desire to shift to passwordless authentication is customer experience. Customers have many options these days and a limited attention span; no one wants to sign up for a new service if it’s time-consuming. In addition, complicated password rules have good intentions around security but are terrible for user experience. People are bound to forget those passwords, and resetting them adds friction to the process. Consider how many customers are typically lost at checkout and registration and the unrealised value of those customers; passwordless methods promise to increase that conversion rate.
Most organisations want to create seamless and simplified experiences for customers, whether those customers are internal (i.e. employees) or external, such as shoppers. Survey numbers show that 67 per cent of Australian organisations see customer experience improvements as a likely outcome of moving to passwordless authentication.
A final factor that may be driving organisations down the passwordless path is a desire to unlock efficiency gains. For many organisations, a large proportion of helpdesk tickets and inquiries are still password-related. With the helpdesk a big cost centre, eliminating these tickets will reduce costs, which can vary depending on salaries paid to the IT staff and the employees who experience downtime while waiting for their service ticket to be completed.
Gauging Australia’s appetite for change
It is worth noting that Australia is ahead of the curve in at least contemplating a passwordless future.
Australian organisations are the most likely of any country's to go down the passwordless route, according to a recent survey, with 79 per cent either “completely” or “very likely” to move in that direction. For comparison, the global average is 65 per cent.
Given everything we know about password-based authentication, there really is no better time to advance from discussing or contemplating passwordless alternatives to taking action to adopt them. The only thing left is to move forward.
Once a company is ready to move forward, the first step is to centralise user authentication, also known as single sign-on. It can then add multifactor authentication for an additional layer of security, a critical step to protect against an attack, before slowly beginning to remove passwords altogether by adding risk scoring and enabling passwordless login.
Partnering with the right passwordless solution provider is also a critical step in driving adoption. The right partner will help define a personalised approach that fits the organisation’s unique needs and will ultimately ensure an easy and seamless digital experience for customers and employees, leading to long-term trust and loyalty.
Ashley Diffey is the vice-president of Asia-Pacific and Japan at Ping Identity.