How to move away from the weakest link in fraud prevention – passwords. SJUK hears from Matt Berzinski, Senior Director at Ping Identity.
The password is one of life’s necessary evils. We all have too many to remember and tend to forget them. And if we delegate login responsibility to a password manager, we then get frustrated all over again when forms do not autofill.
Our State of Customer Identity report reveals that more than half of consumers (54%) complain that they have too many passwords to keep track of and 59% admit their primary method of storing passwords is simply remembering them. Against this backdrop, passwords are also the gateway to billions of dollars of fraud each year, and ever more complex passwords aren’t the solution.
Around ten years ago, multi-factor authentication became popular. Back in 2019, Google estimated that MFA on-device prompts prevented 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks by hackers trying to log in as you. As of this year, half of consumers feel better about using an online service that uses MFA, as it suggests that the business cares about protecting their customers’ data, according to our same report. But criminals adapt, and while MFA works, a user who is targeted and receives hundreds of authentication prompts only needs to click ‘that’s me’ once for the attacker to gain access. Let Uber’s data breach last year teach us a lesson: a hacker bought stolen credentials from the dark web, initially failed to access Uber’s network because of MFA, but then posed as a member of Uber’s security team on WhatsApp to trick an employee into approving a flood of MFA notifications on their phone.
The need to replace the easily forgotten and highly hackable strings of letters and numbers that we use to access everyday life has therefore become more pressing. People are creatures of habit, but this is a necessary transition. It will take time to inspire confidence in alternatives to passwords, but we can start by improving understanding of how passwordless systems work.
There are moves to end email phishing scams forever through a passwordless approach. This entails a user setting up their account once, and then using a range of methods such as push notifications, one-time passwords, passkeys and biometrics to gauge whether a login attempt is genuine. Heightened security measures in the past have resulted in digital experiences being flooded with obstacles and checks, preventing organisations from providing a quality and seamless experience to their customers. But breakthroughs in artificial intelligence mean not only does most of the work happen in the background, but the accuracy allows for a more seamless user experience. So, people can get user-friendly convenience and robust security in equal measure.
In practice, passwordless authentication replaces the reliance on ‘something you know’, like a password or your mother’s maiden name. Instead, the system identifies ‘something you are’ (e.g., your face or fingerprint) or ‘something you have’ (e.g., a smartphone to receive a prompt). The more advanced passwordless authenticators use signals and behavioural insights to analyse the likelihood of an authentic login and send the right type of prompt to the user. So if there is high trust in the attempt, the user is let in without the need for an additional check.
These signals could be your location, IP address or approved device MAC address, while behaviours include user preferences and choices. Are you logging in at the time you usually do, on a browser you always use? How are you typing or using the mouse (this easily filters out bots)? Are you trying to access company resources that you haven’t accessed before? By combining and analysing all these readings, the passwordless system gives each login attempt a risk score. If a certain threshold is breached, either a prompt is sent to check that it is a genuine login attempt, or, if there are too many red flags, the session is closed completely and the user is kicked out.
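The following is an added illustration, not code from Ping Identity or from the original article, of the risk-scoring logic described above and of the prompt-flooding scenario from the Uber example: each login signal that deviates from the user's learned habits adds an assumed weight, and the total is mapped onto allow, prompt or deny. The weights, thresholds, the `UserProfile`/`LoginAttempt` structures and the sample user are all constructed for the example.

```python
from dataclasses import dataclass

# Assumed weights and thresholds; a production engine would tune these from telemetry.
WEIGHTS = {
    "unfamiliar_country": 30,
    "unknown_device": 25,
    "unusual_browser": 15,
    "outside_usual_hours": 10,
    "new_resource": 15,
    "bot_like_typing": 40,   # keystroke timing with almost no variation looks scripted
    "prompt_flood": 70,      # many push prompts in a short window: the MFA-fatigue pattern
}
PROMPT_AT, DENY_AT = 30, 70  # score >= 30 sends a check; score >= 70 closes the session

@dataclass
class UserProfile:
    """Habits learned from past logins (constructed for this example)."""
    countries: set
    browsers: set
    devices: set
    login_hours: range          # e.g. range(7, 20) covers 07:00 to 19:59
    resources: set

@dataclass
class LoginAttempt:
    country: str
    browser: str
    device_id: str
    hour: int
    resource: str
    keystroke_jitter_ms: float  # standard deviation of inter-key timing for this session
    prompts_last_10_min: int    # push prompts already sent to this account recently

def score_attempt(profile: UserProfile, attempt: LoginAttempt):
    """Return (score, fired_signals): the sum of the weights of every signal that fires."""
    checks = {
        "unfamiliar_country": attempt.country not in profile.countries,
        "unknown_device": attempt.device_id not in profile.devices,
        "unusual_browser": attempt.browser not in profile.browsers,
        "outside_usual_hours": attempt.hour not in profile.login_hours,
        "new_resource": attempt.resource not in profile.resources,
        "bot_like_typing": attempt.keystroke_jitter_ms < 5.0,
        "prompt_flood": attempt.prompts_last_10_min >= 3,
    }
    fired = [name for name, hit in checks.items() if hit]
    return sum(WEIGHTS[name] for name in fired), fired

def decide(score: int) -> str:
    """Map a risk score onto the three outcomes the article describes."""
    if score >= DENY_AT:
        return "deny"     # too many red flags: close the session
    if score >= PROMPT_AT:
        return "prompt"   # send a push or one-time-password check
    return "allow"        # high trust: no extra check needed

# Constructed sample user: logs in from GB on Firefox from one laptop during the day.
ALICE = UserProfile({"GB"}, {"firefox"}, {"laptop-1"}, range(7, 20), {"mail", "wiki"})
```

A habitual login scores 0 and is allowed; a login from a new country on an unknown device at 03:00 scores 65 and gets a prompt; five push prompts inside ten minutes trips the flood signal alone and is denied.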
Businesses that hesitate on going passwordless could be jeopardising security, stalling employee productivity and even losing customers. Organisations that have begun passwordless implementation understand the timely importance, cost benefits and employee excitement that can come with such a move. Forrester researchers found that the typical cost of a single password reset is $70, with the average large enterprise allocating over $1 million annually to password-related support costs. As passwords have been deeply ingrained into our online lives for so long, organisations are probably unaware of the money saving opportunity in moving away from them.
Moreover, a passwordless approach helps proactively defend against costly cyber-attacks and unauthorised access. In turn, organisations can deliver an experience that empowers internal users to access information without needing to know a password. This will eliminate account lockouts, reduce the volume of IT tickets and increase employee productivity.
When it comes to deployment, there is no one-size-fits-all approach to passwordless. As it is new to many, companies will have to evaluate their own fraud and risk priorities. For those getting started, one of the most useful things a company can do is build its software services on accepted standards like SAML, OAuth and OpenID Connect. FIDO2 WebAuthn has also become very popular, partly because of its adoption by Apple, Google and Microsoft, as well as by the makers of several popular devices, browsers and operating systems. Once the preparation has been done, a company can then design authentication journeys that balance security and login friction for employees, suppliers and customers. Of course, while the rollout is underway, it is critical not to disable existing authentication methods until enough telemetry has been collected to surface emerging issues.
AI is core to the development and implementation of passwordless authentication. AI algorithms learn from each login attempt and refine each user’s profile using the vast amounts of data they accumulate. You might be familiar with these models from banking, where they are already in place. They help ensure transactions are genuine, identify when customers are abroad and prompt for a PIN entry every so many contactless transactions. Now, they are helping lock bad actors out of systems and resources and reducing the risk of compromise.
Another benefit of implementing AI in passwordless is that it can swiftly identify and prevent potential cyber threats as and when they are attempted. Conventional password systems typically depend on reactive measures, like notifying users about suspicious activity after a security breach has taken place. Instead, AI-driven authentication systems can pre-emptively recognise and hinder unauthorised access attempts before they can cause damage. AI algorithms can detect anomalies that might suggest a cyberattack is on the horizon and take the required action.
People are a target when it comes to fraud, but passwords are an anachronism that should be retired as soon as possible. According to Verizon, attackers use stolen credentials more often than phishing techniques or exploiting a vulnerability to gain access to companies. This alone should give us the impetus to explore and deploy passwordless. The identity and access management industry is working to put the standards in place so this change can happen quickly and be deployed across a wide range of enterprise and consumer applications. Fraud management technology can be folded into the authentication experience, so hopefully in the not-too-distant future, we’ll all be able to make a real dent in fraudsters’ ability to dupe people and companies out of their money.