Hackers Don’t Break In, They Log In

According to a data breach report by Surfshark, Malaysia was the 11th most data-breached country in the second quarter of 2022. With stolen or compromised credentials often responsible for cyberattacks, one cannot help but wonder: is password protection sufficient?

BusinessToday spoke to Andrew Shikiar, Executive Director, FIDO Alliance, on his thoughts on the vulnerabilities of passwords and the challenges of going passwordless, among others.

  1. What are some of the vulnerabilities of passwords, and why do organizations need to move away from them urgently?

Experts have long warned about the fallibility of knowledge-based credentials such as passwords. At their core, passwords are human-readable, which means they can be stolen, hacked, and manipulated by cybercriminals through various means, such as phishing, keystroke logging, and brute force.

Furthermore, password reuse is widespread in organizations, and employees reuse a password an average of 13 times, according to a report by LogMeIn. Poor cyber hygiene habits such as this potentially expose a user’s entire chain of accounts, including organizational ones, which can lead to devastating consequences for personal privacy and workplace security. It’s little wonder that the vast majority of data breaches stem from issues with knowledge-based credentials.

In Malaysia, cyberattacks are also becoming more rampant, resulting in billions in losses and disruptions in companies’ operations. As many industries in the country continue to digitize and more people spend time online, organizations need to improve their cyber security and be better positioned against cyber threats. Thus, instead of relying on knowledge-based “secrets” that can be easily compromised, they should leave passwords behind and move towards cryptographically secure authentication techniques that are not susceptible to remote attacks.

  2. What are other authentication methods available that are more secure than passwords?

Asymmetric public key cryptography methods are far more secure than passwords — and can be easier to use. Common approaches include on-device biometrics and security keys that leverage public key cryptography in user-friendly formats, which can be as easy as using a smartphone’s biometrics or touching a security key. 

While this only requires a single gesture by the user, behind the scenes, an advanced cryptographic authentication dialogue takes place between a “private key” stored securely on the user’s device and its “public key” counterpart on the service provider’s server. More importantly, all verification and login credentials never leave the user’s device, making this method resistant to remote attacks.

The good news is that this technology is already embedded in billions of devices worldwide and available to anyone using a modern Internet browser. In addition, Apple, Google and Microsoft have expanded their commitment to enable closer OS integration with a common passwordless standard created by the FIDO Alliance and World Wide Web Consortium, which would enable consumers to log into their accounts across their devices and platforms without requiring passwords.

  3. How can cyberattacks affect users’ confidence in cybersecurity and what can be done to restore this trust?

Whenever a cyberattack occurs, it puts consumers’ personal data and credentials at high risk. Failure to recover will erode consumers’ trust, leading to a potential loss of users and reputational damage. According to Experian’s 2022 Global Identity and Fraud Report, four in five APAC consumers expect businesses to take the necessary measures to protect them online – putting more pressure on companies to ramp up their digital capabilities and strengthen their security. Hence, organizations must ensure more robust cybersecurity through the right authentication solutions, allowing consumers to feel safe and secure while making online transactions. 

  4. Besides stronger cybersecurity, what are other benefits of adopting passwordless authentication for businesses?

There has been growing consumer ease with, and trust in, advanced forms of digital authentication. A seamless digital experience continues to be a priority for consumers, who trust businesses more if they can recognize them on a repeated basis without additional layers of verification. By providing a simpler, stronger authentication process, consumers are more likely to engage and transact more often with these businesses – including a reduction in shopping cart abandonment.

Today, there are already technology solutions available that businesses can adopt to make users’ experiences more seamless and secure. Modern features such as on-device biometrics or PINs, for instance, allow users to authenticate more quickly without compromising on security and privacy. Users would no longer need to remember complex, multiple passwords for different devices and platforms – simplifying their digital experience.

Furthermore, passwords are costly for IT. Lost and forgotten passwords need to be reset, most of the time through the help desk, which introduces considerable employee downtime and expense. Adopting passwordless authentication helps businesses reduce not only operational costs, but also valuable time spent on password management and recovery. 

  5. What are some of the challenges companies may face in going passwordless, and how can they overcome them?

Despite IT leaders acknowledging the benefits of going passwordless, companies still face challenges and resistance when implementing passwordless authentication. According to findings by Ping Identity and Yubico, the top barriers to adopting passwordless authentication are a lack of urgency from IT or business leaders (46%) and the lack of expertise (33%). 

Nevertheless, organizations must overcome these challenges as multifactor possession-based authentication (such as passwords) has proven to be effective in guarding against remote attacks. For example, they can work with experts in passwordless authentication to help equip them with the right solutions and make the transition. 

Mitigating cyberthreats is an ever-evolving challenge. However, with credential theft making up a large proportion of successful cyberattacks, all organizations – large and small – need to ensure that this does not happen through more modern and secure authentication methods.
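
The private-key/public-key exchange described in the answer to the second question can be sketched in a few lines. This is an added example, not part of the interview and not FIDO Alliance code; it is a simplification rather than the real WebAuthn message format, and the function names, user name and `.example` origins are assumptions made for illustration.

```javascript
// Simplified challenge-response login: the server holds only a public key.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// Device side: the private key is created here and never leaves this closure.
function createAuthenticator() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  return {
    publicKey, // the only value handed to the server at registration
    // Sign the challenge together with the origin the device is actually talking to.
    respond(challenge, origin) {
      const signed = Buffer.concat([challenge, Buffer.from(origin)]);
      return { origin, signature: sign(null, signed, privateKey) };
    },
  };
}

// Server side: stores public keys and one outstanding challenge per user.
function createServer(expectedOrigin) {
  const keys = new Map();
  const pending = new Map();
  return {
    register(user, publicKey) { keys.set(user, publicKey); },
    newChallenge(user) {
      const challenge = randomBytes(32);
      pending.set(user, challenge);
      return challenge;
    },
    verifyLogin(user, response) {
      const challenge = pending.get(user);
      pending.delete(user); // each challenge is valid for one attempt only
      const key = keys.get(user);
      if (!challenge || !key || response.origin !== expectedOrigin) return false;
      const signed = Buffer.concat([challenge, Buffer.from(expectedOrigin)]);
      return verify(null, signed, key, response.signature);
    },
  };
}

function demo() {
  const site = 'https://bank.example'; // constructed sample origin
  const server = createServer(site);
  const device = createAuthenticator();
  server.register('alice', device.publicKey);
  // 1. Normal login: fresh challenge, signed for the genuine origin.
  const ok = server.verifyLogin('alice', device.respond(server.newChallenge('alice'), site));
  // 2. Response produced on a look-alike origin and forwarded to the real site.
  const lured = device.respond(server.newChallenge('alice'), 'https://bank-login.example');
  const relayed = server.verifyLogin('alice', { origin: site, signature: lured.signature });
  // 3. A captured valid response presented again against a later challenge.
  const captured = device.respond(server.newChallenge('alice'), site);
  const first = server.verifyLogin('alice', captured);
  server.newChallenge('alice');
  const replay = server.verifyLogin('alice', captured);
  return { ok, relayed, first, replay };
}
```

Nothing the server stores or receives lets anyone sign a future challenge, which is the property a leaked password database lacks.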
