Will We Use Passwords in the Future?
The death of passwords is imminent. Maybe.
As Payments Cards & Mobile points out, experts have been predicting for years that passwords will quickly outlive their usefulness. What does the future of cybersecurity look like without passwords? What impact could this have on HR, compliance and employee performance? Let's break it down.
A Viable Replacement
Some of the most popular passwords of 2016 were "123456" and "password," according to Keeper Security. Yet it's well-known that users are better served by passwords featuring long, strange words or phrases that automated attack techniques can't easily guess. The problem? They're less convenient for users. According to CPO of Security Management Services for ADP, Frank Villavicencio, this represents a fundamental paradox since "security increases at the expense of convenience, and vice versa." Emerging technologies, however, allow security and convenience "to be balanced in a more optimal way."
But what replaces passwords? While biometric advances such as fingerprint scanners on mobile devices have managed mainstream adoption, organizations are understandably hesitant to adopt less-tested tools such as facial recognition or iris scanning. Users also have valid concerns about privacy and data use. Employees can change passwords on stolen accounts by providing proof of their identity, but what does this look like if cybercriminals steal the foundation of biological ID and then use it to take over accounts or create fake profiles?
As noted by Villavicencio, the shift away from passwords starts with mobile devices and the concept of "single sign-on" (SSO). He describes an ADP client with a "very mobile workforce" looking for an easy way that employees can "do everything they need to do through a mobile app." By creating a system that allowed users to log into Web portals and mobile apps using familiar corporate logins, Villavicencio and his team provided the critical combination of security and convenience.
So what does the adoption of SSO or biometric security measures mean for HR departments? What's the impact on day-to-day operations? As noted by Villavicencio, "there is a shift in responsibility, where clients are responsible for managing their own accounts." Under a typically-managed security solution, the provider is responsible for user account oversight; the implementation of SSO shifts this responsibility to enterprises.
But the move also comes with marked benefits, such as improved efficiency surrounding payroll, HR compliance and people management policies. This also ties into compliance: National and global rules about use and storage of personal data become top priority, especially if users are providing biometric details to gain network access.
The Productivity Problem
Mobile device adoption and the ubiquity of cloud computing have significantly increased the baseline tech knowledge of enterprise staff. As a result, they're able to solve many problems on their own without the need for IT experts. But when it comes to account and password issues, businesses understandably restrict employees from manually resetting login details or authenticating their own access. Instead, they require them to call IT for help. But as Villavicencio points out, this can hamper productivity since these calls "typically cost between $20 and $30." What's more, they pull staff away from current projects and force them to refocus afterward, lowering their overall efficiency.
There's also the issue of password fatigue; users often get frustrated having to remember multiple passwords just to complete daily tasks and quickly lose patience when technology doesn't work as intended. But as noted by IT Pro Portal, this kind of frustration can also occur with new security solutions if they don't provide a common experience across devices and platforms. Passwords remain popular in part because they're ubiquitous — they perform the same function, regardless of device or platform.
For Villavicencio, the future of cybersecurity starts with mobile devices, since effective security relies on "assurance levels" and in many organizations "the mobile phone will become your identity." This is critical for HR leaders since they face a two fold task —ensuring that employees have access to relevant personal data and keeping this data safe from malicious actors. Mobile-device-as-ID provides the foundation for basic access. Need to leverage higher-level functions? Organizations can implement two-factor authentication such as through the use of one-time codes sent to the mobile device.
Passwords aren't dead yet, but can't survive much longer. The evolution of SSO combined with mobile device adoption suggests a cybersecurity future that offers increased oversight for HR, improved convenience for users, and the need for a new outlook on transparency and compliance.
Stay up-to-date on the latest workforce trends and insights for HR leaders: subscribe to our monthly e-newsletter.