Passwordless Security: Balancing the Need for Security With Convenience
Passwordless security in the form of biometrics, behavorial authentication and single sign-on may soon end the use of multiple passwords.
We all want access to data when we need it. Nonetheless, organizations must ensure that the appropriate security protocols exist to prevent unauthorized access. Inevitably, most businesses struggle to find the right balance between the need for security and the desire for convenience.
Enter passwordless security, which allows users to avoid submitting multiple passwords in favor of another means of authentication such as a fingerprint or a retina scan, commonly referred to as biometrics. Alternatively, some businesses adopt behavioral authentication, which captures and analyzes how a user interacts with an application, and grants access based on the degree to which it matches with a user's previously recorded activity.
A variation of passwordless security known as single sign-on, authenticates a user once, then grants access to previously-authorized applications, therefore eliminating additional prompts to enter passwords.
So what's driving the changes in how businesses authenticate users, and how might the implementation of single sign-on or passwordless security impact an organization's security? Furthermore, is there a return on investment that comes from removing or minimizing the use of passwords?
Ending the Trade-Off Between Safety and Security
Given the emergence of passwordless security, Frank Villavicencio, head of product, security management services at ADP, sees major changes on the horizon in how organizations secure their data. "For many of us who have been in the security space for a long time, there's always been a trade-off. You increase security at the expense of convenience, and visa versa, you relax security to gain convenience," says Villavicencio. "Now, we live in a different world today where the two can be balanced in a more optimal way, so you can have both. You can increase security and convenience at the same time."
The Trouble With Passwords
One of the catalysts for the rise in alternative means of user authentication stems from the many flaws inherent in the use of passwords. Sophisticated and novice users alike tend to create easy-to-remember passwords, which plays into the hands of cybercriminals. In fact, Forbes reports that criminals already have access to the passwords they need to access data on corporate networks. In addition, complex passwords that prove harder for thieves to crack are hard to remember, and therefore have a short shelf life. And there's nothing to stop an employee using the same password across multiple sites, so when a breach takes place, criminals have in their possession the credentials to gain access to more than one site.
We're All Going Mobile
In addition to passwords becoming increasingly fallible, we're abandoning desktops and laptops for smartphones and tablets. In fact, as you read this article, there's probably a mobile phone within arm's reach. According to Fortune, Apple reports there are more than 700 million iPhones in use today. Not surprisingly, given the proliferation of such technology, if a business hasn't jumped on the mobile bandwagon already, they'll probably do so soon. Business clients that Villavicencio works with often stress the importance of mobile platforms on a daily basis. "For them, anything that is not mobile ready, mobile friendly — it's a nonstarter," he says.
Unlocking an Immediate ROI
Yet despite the need for a more robust approach to user authentication, and the explosion in mobile usage, businesses continue to adopt passwordless security, as it pays to do so. "The reason we're seeing so much adoption and willingness on the part of our clients to adopt this paradigm is the immediate ROI," Villavicencio says. He believes businesses receive a "hard" ROI and a "soft" ROI.
With respect to the hard ROI, he attributes most of the savings to the avoidance of tech support calls and increases in user productivity. "We find that an industry standard of $20-30 per support call can be avoided if you don't have to reset a password," he says. Just as importantly, employees locked out of the organization's system lose productivity, and those costs add up when you have a large user population.
As for the soft ROI, in Villavicencio's view, abandoning traditional passwords creates a better user experience and improves employee engagement. However, he believes HR and IT must work together to unlock the benefits. "It's essential that they think about the user experience and leverage each others competencies," Villavicencio says. "For that," he adds, "the partnership with the IT department is essential."
Regardless of the method used, passwords may be on the way out. Whether a business adopts single sign-on, or other means of authenticating users, in the not too distant future, we may all be entering passwords less frequently.