Why are passwords so difficult to replace?

Nic Sarginson, Principal Solutions Engineer at Yubico outlines how the dangers of passwords should be a wake-up call for businesses and employees engaging in risky password activities.

This year, World Password Day was an annual reminder of the importance of online security was even more acute. We’ve all relied on digital services for more than usual, with hybrid work environments, online shopping and digital banking the norm for many in lockdown. Strong passwords and robust password practices are the absolute minima for securing online identities, but time and again, they’ve been proven inadequate as a single line of defence. 

Passwords have grown beyond anything that we could have imagined from their humble beginnings in small, internal networks where there was an inherent level of trust. Now, we use them all the time, and they’re no longer up to the task. Enterprises have realised this – arguably too late – but passwords are so deeply embedded in processes and systems and user psyche that people continue to rely solely on them. 

Risky password practices

Yet, research shows us that 39 per cent of people reuse passwords across workplace accounts and, even more worryingly, that 51 per cent sometimes or frequently share passwords with colleagues. These are risky behaviours that leave enterprises vulnerable should a password become compromised. 

Even passwords that meet the criteria to be considered strong, by being unique and complex, have weaknesses. They’re not invulnerable to modern phishing attacks, and their apparent strength is wiped out if people write them down on a post-it note or document that can be accessed easily. 

It’s easy to blame the user for all of this. People are told that they should choose unique and complex passwords. They shouldn’t keep a record of them anywhere. They should change them regularly. Such an outlook completely misses the point of the user experience. Authentication should be frictionless. Strong, yes absolutely, but also usable otherwise, people will find workarounds to do what they need to do. That will involve keeping records of passwords, reusing them and even sharing them.  

World Password Day should be a wake-up call 

It is time to strengthen authentication practices and put the needs of those being authenticated at the heart of a new approach. Enterprises should deploy multi-factor authentication (MFA) in their organisations because it uses more than one way to confirm a user’s identity. Typically, a password is still the first check, but this is supplemented with additional factors such as a one-time password (OTP), a security key, or a biometric identifier such as a fingerprint. 

Fortunately, there are signs of MFA progress. Nearly three-quarters (74 per cent) of respondents to a Yubico/451 Research study said their organisations plan to increase spending on MFA this year. They are deploying mobile OTP authenticators (58 per cent of respondents), biometrics (54 per cent), mobile push-based MFA (48 per cent) and SMS-based MFA (41 per cent).

The main driver for this is, of course, increased security. Yet, the same survey raises some alarm bells around the user experience. User convenience features low in the main reasons for adopting MFA – mentioned by only 16 per cent. In fact, the user experience was actually the main concern or drawback in deploying MFA for 43 per cent of respondents.

The MFA user experience

Enterprises should recognise the importance of usability in the take-up of enhanced security. After all, research shows most individuals will only adopt new technologies that are easy to use and that significantly improve account security.

The challenge is to balance heightened security with usability and convenience, and here, more needs to be done to achieve a meeting of minds between IT and users. While mobile apps and SMS-based MFA are popular choices among our surveyed managers and IT professionals, our earlier study revealed that 54 percent of individuals feel that SMS or mobile apps disrupt their workflow and 23 percent find them very inconvenient.

Hardware-based MFA security keys provide another way. Employees register their key with the applications and devices they use. When they log in, they present the key as part of an authentication process that proves they are who they say. This approach introduces something the user has into the authentication workflow instead of relying solely on something they know (a password) with all the shortcomings we know. Complex cryptographic actions occur in the background, proving not only that the user is who they say they are but that the service they are connecting to is also genuine. Advanced protection, for both the user and the enterprise, occurs, yet the user’s experience is a simple touch or maybe PIN entry.

READ MORE: 

Companies need clear IT security roadmaps to take them from current inadequate password practices to stronger security for better protection. Passwords have proven surprisingly resilient as digital has occupied an ever more central role in our lives, but they aren’t difficult to replace with the right technology. Now, given how work and home networks and flows are blending, it is time to act.  

For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!

Follow us on LinkedIn and Twitter

Amber Donovan-Stevens

Amber is a Content Editor at Top Business Tech

Choose an AI solution to transform beyond technology

Kit Cox • 09th December 2024

The first step is knowing exactly what your business wants to achieve with AI; think faster, smarter and more efficient. Once you know what you are working towards, you can start looking for a solution that can help you make it a reality. AI integration can feel like a daunting task at the beginning, so...

A Roadmap to Security and Privacy Compliance

John Lynch Director of Kiteworks • 04th December 2024

Only by understanding the current regulatory environment and implementing robust data protection measures, can organisations enhance their security posture, ensure compliance, and build resilience against the latest cyber threats. This article provides a comprehensive roadmap of how to do it.

Data-Sharing Done Right: Finding the Best Business Approach

Bart Koek • 20th November 2024

To ensure data is not only available, but also accessible to those that need it, businesses recognise that it is vital to focus on collecting, sorting and governing all the data in their organisation. But what happens when data also needs to be accessed and shared across the business? That is where organisations discover a...

Nova: The Ultimate AI-Powered Martech Solution for Boosting Sales, Marketing...

Erin Lanahan • 19th November 2024

Discover how Nova, the AI-powered engine behind Launched, revolutionises Martech by automating sales and marketing tasks, enhancing personalisation, and delivering unmatched ROI. With advanced intent data integration, revenue attribution, and real-time insights, Nova empowers businesses to scale, streamline operations, and outperform competitors like 6Sense and 11x.ai. Experience the future of Martech with Nova’s transformative AI...

How E-commerce Marketers Can Win Black Friday

Sue Azari • 11th November 2024

As new global eCommerce players expand their influence across both European and US markets, traditional brands are navigating a rapidly shifting landscape. These fast-growing Asian platforms have gained traction by offering ultra-low prices, rapid product turnarounds, heavy investment in paid user acquisition, and leveraging viral social media trends to create demand almost in real-time. This...

Why microgrids are big news

Craig Tropea • 31st October 2024

As the world continues its march towards a greener future, businesses, communities, and individuals alike are all increasingly turning towards renewable energy sources to power their operations. What is most interesting, though, is how many of them are taking the pro-active position of researching, selecting, and implementing their preferred solutions without the assistance of traditional...

Is automation the silver bullet for customer retention?

Carter Busse • 22nd October 2024

CX innovation has accelerated rapidly since 2020, as business and consumer expectations evolved dramatically during the Covid-19 pandemic. Now, finding the best way to engage and respond to customers has become a top business priority and a key business challenge. Not only do customers expect the highest standard, but companies are prioritising superb CX to...