We’re all looking to be as secure as possible. This is as true with our homes as it is with our data, and although we take great lengths to secure our physical property, we can sometimes be a little too casual with our electronic property.
But let’s face it, passwords can be a real drag, and having to remember too many of them while satisfying various security protocols and keeping them updated can be near impossible. This is why any effective security practice that doesn’t involve passwords has to be worth investigating.
We’ll look at what’s involved in passwordless authentication and see what it can do to enhance security while not testing your patience.
What is passwordless authentication?
Passwordless authentication is a way of verifying a user without asking them to type a memorised secret such as a password. How does it work? It relies on factors other than something the user knows, and it is often combined with Multi-Factor Authentication (MFA), i.e., a process in which more than one independent technique is used to establish identity. There are three common methods.
Possession of device
When somebody attempts to sign in to an account, the service sends a one-time code (a short random sequence of digits or letters) to a device the user has previously registered as theirs, typically a phone. The user enters the code into the sign-in form and, if it matches, access is granted.
This method rests on the calculation that it's extremely unlikely that an illegitimate party trying to get into an account will also have the account holder's phone in hand. One caveat: a code delivered this way is still something the user types, so a phishing page that asks for the code and relays it to the real service within the code's validity window will be let in. That is why such codes should expire within minutes and be accepted only once.
Factor inherent to the user
This method is based on a physical characteristic, such as a fingerprint or a face scan (Face ID, for instance), unlocking an account. It gives excellent protection, unless your evil identical twin is trying to hack into your business.
Link sent by email
Similar to device-possession authentication, these are one-time links sent to the user's registered email address that, when followed, sign the user in to the account they're trying to reach. Since anyone holding the link can use it, such links should expire quickly and work only once.
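As an added example (not code from the article or from Dialpad), the sketch below shows the server side of the two methods just described: issuing a six-digit code to a registered phone or a long random token in an emailed link, storing only a hash of it, and accepting it exactly once, before a short expiry, with a cap on wrong guesses. The class, function and constant names are hypothetical, the in-memory dictionary stands in for a database, and the outbox list stands in for the SMS or email gateway.

```python
"""Server-side handling of one-time codes and emailed sign-in links.

Added example, not code from the original article or from Dialpad.
All names are hypothetical; the dict stands in for a database and the
outbox list stands in for an SMS/email gateway.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CODE_TTL_SECONDS = 300   # a code or link is valid for five minutes
MAX_ATTEMPTS = 5         # wrong guesses before the challenge is voided


@dataclass
class Challenge:
    user_id: str
    digest: bytes        # SHA-256 of the secret; the secret itself is never stored
    expires_at: float
    attempts: int = 0
    used: bool = False


class PasswordlessAuth:
    def __init__(self, now=time.time):
        self._now = now                                  # injectable clock for tests
        self._challenges: Dict[str, Challenge] = {}      # keyed by challenge id
        self.outbox: List[Tuple[str, str]] = []          # (destination, message)

    @staticmethod
    def _digest(secret: str) -> bytes:
        return hashlib.sha256(secret.encode()).digest()

    def _issue(self, user_id: str, secret: str) -> str:
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = Challenge(
            user_id=user_id,
            digest=self._digest(secret),
            expires_at=self._now() + CODE_TTL_SECONDS,
        )
        return challenge_id

    # "Possession of device": a short numeric code sent to the registered phone.
    def send_code(self, user_id: str, registered_phone: str) -> str:
        # secrets is CSPRNG-backed; the random module is not acceptable here.
        code = f"{secrets.randbelow(10**6):06d}"
        challenge_id = self._issue(user_id, code)
        self.outbox.append((registered_phone, f"Your sign-in code is {code}"))
        return challenge_id

    # Emailed link: a long random token embedded in a URL.
    def send_link(self, user_id: str, registered_email: str, base_url: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of entropy, not guessable
        challenge_id = self._issue(user_id, token)
        self.outbox.append(
            (registered_email, f"{base_url}/login?cid={challenge_id}&t={token}")
        )
        return challenge_id

    def verify(self, challenge_id: str, presented: str) -> Optional[str]:
        """Return the user id on success, None on any failure.

        Note what this cannot detect: a code the user typed into a phishing
        page and the attacker relayed here inside the TTL looks identical to
        a legitimate login. The short TTL and single use only narrow that window.
        """
        ch = self._challenges.get(challenge_id)
        if ch is None or ch.used or self._now() > ch.expires_at:
            return None
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            # Too many guesses: void the challenge so a six-digit code cannot be brute-forced.
            del self._challenges[challenge_id]
            return None
        if not hmac.compare_digest(ch.digest, self._digest(presented)):
            return None
        ch.used = True   # single use: replaying a captured code or link fails
        return ch.user_id


if __name__ == "__main__":
    auth = PasswordlessAuth()
    cid = auth.send_code("alice", "+15550100")        # constructed sample user
    code = auth.outbox[-1][1].split()[-1]              # what the "phone" received
    print("first use:", auth.verify(cid, code))        # alice
    print("replay:   ", auth.verify(cid, code))        # None
```

The hash-only storage means a leaked challenge table does not hand out live codes, and the constant-time comparison avoids leaking how many characters matched. Neither measure helps against a real-time relay, which is the point the article goes on to make about why these factors are usually layered rather than used alone.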
By investing in these kinds of improvements, companies can look to strengthen their security posture and work towards certifications such as the data privacy certification offered by AuditBoard.
How do phishing attacks work?
Phishing attacks are a common means by which criminals obtain confidential information from their victims. Emails are sent out, usually in vast numbers at a time, containing fraudulent content designed to persuade the recipient to click on a link in the message.
Once they’ve clicked the link, they’re taken to a domain owned by the phishers and enticed to enter some confidential details. This might include bank account data, contact information, or, very pertinent to this piece, login details, including passwords.
How does passwordless authentication help?
1. No password, no information to leak
If access to an account is password-protected, then there's always a chance that the password will fall into the wrong hands. It's a huge problem. One widely cited estimate is that 81% of data breaches involve weak or stolen passwords.
It can happen through the above-described phishing route, or perhaps a user casually shares it with a colleague or just writes it on a post-it attached to the monitor (we’ve all seen it done)—there are myriad ways a password can fall into the wrong hands.
Suppose access is based on, say, a fingerprint. A fingerprint cannot be typed into a phishing form, shared with a colleague or written on a post-it, and in well-designed systems it never leaves the user's device; it simply unlocks a credential stored there. So there's much less chance of it being acquired by an unauthorized party than there is with a password.
Another example is the profile of a user's voice, which is especially useful for sensitive telephone calls. If the receiving organisation has the voice profile on file, then when the user makes a VoIP call to them, their voice can be automatically assessed for authenticity. Convenient and secure, which is why passwordless authentication is taking off.
OK, you might say, can't a recording of the user's voice be used to gain access to a system that uses voice authentication? In principle, yes, which is why authentication often requires the user to say a specific phrase, ideally one chosen by the system at the time of the call so that a pre-made recording is of no use. Cloned and synthetic voices are a growing spoofing risk, so voice is best treated as one factor among several rather than the sole gate.
In any case, this is why MFA often incorporates both password and passwordless authentication. Together, they make for a pretty watertight seal. This is good news for users, customers, and, not least, businesses, as examples of fines for breaches are eye-watering. Ask Meta, for instance.
2. Better UX
Whether you're on hold or in a store queue, we all appreciate improvements to UX. Password management is no different. We all hate having to cart around innumerable passwords. The average person now has an almost incredible 100 passwords to sift through. What a pain. Not only are they onerous to remember, but they also interrupt the flow of work when you have a succession of different password-protected areas to access.
With so many different activities requiring passwords, it’s a wonder we don’t use the same passwords for more than one application. Actually, we do.
Image sourced from PCMag
As you can see, that’s a whopping 70% of respondents using the same password for more than one login. You can see how this falls into the phisher’s scaly hands. All of a sudden, instead of just getting one gateway password, they’re getting a veritable skeleton key that can get them through all manner of different doorways.
All this because users find it too hard to keep a different password for every service. The answer is clearly to cut the number of passwords people need, so that on the rare occasion a user is still asked to create one, they have the energy and inclination to make it unique.
3. Ease IT’s burden
One oft-forgotten victim of the various woes we’ve all experienced when dealing with IT, is the IT department itself. It’s easy to believe that the binary-boffins within are just crazy about everything to do with computers, and they just love all aspects of their use.
Contrary to this kind of thinking, the staff in IT don’t want to spend their days helping hapless individuals to access their accounts when they’ve forgotten their passwords. But do it, they do. In fact, a company of 15,000 employees can spend up to $5.2 million yearly in labor costs resetting passwords.
Similarly, there's a limit to their enthusiasm for hassling people about security. They don't want to be nagging about the evils of password-sharing, but when sharing is as widespread as it is, they have little choice. We love to share.
Image sourced from GoodFirms
As far as the workplace is concerned, it's been reported that up to 41.7% of employees have admitted sharing their passwords with a colleague. Every shared password is one more person whose phishing lapse can expose the account, which is why employees are so often described as the weakest link in cybersecurity.
Imagine if the good people of the IT department weren’t forever chasing some of us to use slightly more secure passwords than 123456, while being at the beck and call of others of us who are continually calling for a password reset. Think how much more time, attention, and energy they could devote to bolstering an organization’s defenses against threats such as phishing attacks.
In this way, having a passwordless authentication system frees up the digital staff to do what they’re really good at, i.e., to use their brains and get creative in beating the bad guys and improving phishing protection.
Whether you want to counter threats in an office or your focus is more on improving security when working from home, it’s well worth looking into what passwordless authentication can do for you and your business.
By freeing everyone of the tiresome burden of password tyranny, it enables unhindered access by legitimate agents while giving phishers nothing but an empty hook. Be gone, phisherfolk!
Grace Lau – Director of Growth Content, Dialpad
Grace Lau is the Director of Growth Content at Dialpad, an AI-powered cloud communication platform for better and easier team collaboration with features like being able to transfer a call in just one click. She has over 10 years of experience in content writing and strategy. Currently, she is responsible for leading branded and editorial content strategies, partnering with SEO and Ops teams to build and nurture content. Here is her LinkedIn.