Many of us are naturally resistant to change. We don’t switch energy, broadband or mobile phone provider even though we know that other providers are cheaper and/or have better customer service. In the same way, we continue to make suboptimal password choices even though we probably know they are suboptimal.
The National Cyber Security Centre recently revealed that 15% of British people use their pet’s name as a password for online accounts, 14% use family members’ names, 13% go for a significant date and 6% pick a favourite sports team.
This kind of information is nothing new. It was way back in 2004 that Bill Gates told the RSA Security Conference that “There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”
Seventeen years later, here we are, still making up our own passwords and far too often building them from easily guessable personal information. But I think we are finally at the tipping point that will move us on to passwordless authentication.
We’ve reached the tipping point
That tipping point is the mass working from home that necessarily became a fact of life for a large number of us a year ago. Overnight, employers had to make sometimes very radical changes, as people shifted to working from home, often using consumer-grade laptops, broadband and routers that brought fresh security challenges to be overcome. There was a mass move to the cloud, and IT support teams had numerous different and novel challenges to work through.
Asking people to create strong passwords, and then to reset them regularly, has always put a barrier between people and their work. Logging on becomes an irritation. Creating strong passwords is not exactly fun, and people can be drawn to taking the easy option of using memorable personal information. I’m not criticising that – it’s human nature. Bringing two-factor authentication into the mix adds a vital layer of security, and we are becoming much more used to it as a growing number of websites – including those of our banks – now require it. Familiarity with two-factor authentication as consumers is helping with its adoption in the workplace.
Passwordless authentication – the ultimate goal
But the ultimate goal for many businesses is passwordless authentication, because there is no need for users to set or remember a password. A physical security key is, in effect, your password. The key can be plugged into a laptop port, or work on a proximity basis, in which case it only has to be near a computer to log you in.
IT teams can manage keys remotely, including disabling them if they are lost and updating users’ access levels as needed. People who are concerned that any biometric data the key might require – such as a fingerprint – could end up stored on servers can rest assured: passwordless keys don’t have to upload biometric data to a server.
Passwordless authentication has offered benefits like these for a long time, and logic suggests mass adoption should have happened long ago. But our natural inertia has stood in the way. Now, the shift to mass working from home has made both IT teams and individual computer users open to change.
As organisations consider what the future of work will look like for them, from 100% home working to 100% office based and all manner of hybrid options in between, passwordless authentication may well have found its time.