This year has shaped up to be one of the most challenging for many organizations worldwide. With a pandemic driving a large-scale transition to remote work, and cybercriminal activity taking advantage of the situation, online security is in the spotlight. Recent research found that 67 percent of breaches are caused by credential theft and social engineering attacks that capitalize on moments in time like COVID-19. And today’s IT teams are spending an average of six hours a week on password-related issues alone – an increase of 25 percent from 2019. With these mounting frustrations from both IT and users, as well as growing risks, the question becomes: why do we keep relying on passwords?
Passwords have been a reality of daily life for as long as we can remember. They continue to be the easiest and most used form of authentication at both the business and personal levels. Yet they also continue to be one of the major drivers of vulnerabilities, and with a workforce that is operating remotely for the foreseeable future, it is paramount to find a solution that reduces risk.
In our most recent LastPass report, “From Passwords to Passwordless,” we found that password security is one of the main sources of frustration for the IT department, particularly when issues stem from user behaviors like password reuse. For employees, the top frustrations lie in convenience, such as changing passwords regularly, remembering multiple passwords and typing long, complex passwords. There is a clear disconnect between the security priorities of IT and the user experience demands of employees. So, what can be done to alleviate the password problem?
Despite questions around the future of the password, 85 percent of IT professionals surveyed do not think passwords are going away completely. Yet, over 92 percent believe that delivering a passwordless experience for end-users is the future for their organization. The answer to the password predicament is simple: rather than eliminating passwords completely, change the way we interact with them. This is where passwordless authentication comes in.
A passwordless login experience means that while passwords may still exist in the IT infrastructure, the employee will not have to manually enter a password during their login. It brings several benefits, such as reduced IT costs by eliminating password-related risks, increased productivity amongst employees as they save time on remembering and/or changing passwords, and stronger security by guarding every access point with more secure forms of authentication. However, moving to a passwordless approach requires choosing and implementing the technology that fits your organization’s needs. Some of the methods to choose from are:
Implementing single sign-on (SSO) can help secure and simplify managing access no matter where employees are located. Through a protocol – such as Security Assertion Markup Language (SAML) – SSO establishes a secure line between an identity provider and a service provider, meaning it creates a link between where IT manages employees’ access information and the application users want to log in to. SSO allows employees to reduce the number of passwords they must remember or update, boosting their productivity and minimizing the risks associated with credentials.
Enabling multifactor authentication (MFA) provides IT teams with the tools to manage access at the level of the individual user, defined groups or even job role. MFA considers a multitude of factors such as location, IP address or biometrics (face ID) versus only one factor – such as a password – prior to granting access to an application. By prompting a user for additional information when logging in, IT can be confident that the person requesting access is indeed who they say they are. It also streamlines the process for the end user, who will have a faster and easier login experience.
Organizations and users alike should keep in mind that passwords will still be in use for a long time. Combining a passwordless login experience with a password manager will be the best way to secure all access points while delivering a seamless login experience.
As we continue to navigate a “work from anywhere” world, many elements are outside the IT teams’ control. From users’ devices and Wi-Fi connections to the apps and websites they frequent, remote work has increased the risks and the variables that need to be considered. This Cybersecurity Awareness Month is the perfect time to consider: is your organization ready to go passwordless? Start examining the best way to implement a seamless, streamlined and secure way for employees to log into all their work, no matter where they are located – today.
Author Bio: Gerald Beuchelt is the Chief Information Security Officer at LogMeIn. He is responsible for the company’s overall security, compliance, and technical privacy program. With more than 20 years of experience working in information security, he is a member of the Board of Directors and the IT Sector Chief for the Boston Chapter of InfraGard. In his prior role, Gerald was the Chief Security Officer for Demandware, a Salesforce Company. Gerald also serves as Director and Treasurer for the NCSA.