In the past, passwords were the key to accessing systems and platforms, and they held much value as a security measure for businesses. But over time, the threat landscape has evolved, and weaknesses have been discovered in standard encryption methods that have diminished the password’s value. In fact, recent research found that 73% of Americans lack confidence in the security of their passwords.
Regardless of how consumers feel about passwords, however, there’s a more significant issue at hand. And that is the fact that passwords provide zero authentication that the user entering the password is the actual owner of that account.
This flaw opens businesses up to increased security threats and risks. How can businesses ensure it’s the right person accessing their networks? What measures need to be taken to provide more comprehensive security solutions?
Taking the First Step
To start, it’s essential to consider the role passwords currently play in enterprise security. For many users, the familiarity of entering a password offers a sense of security and comfort. It’s been the status quo for years, and change is hard for many users.
Knowing this, business leaders need to focus on layering additional security measures and controls that can work in tandem with the password rather than dismissing the practice altogether. In doing so, they’re able to bolster the analog method with fully digital techniques. These measures will allow businesses to begin authenticating users on the back-end through additional controls.
Even the government is getting on board as more awareness is being brought to the password problem. In early May, following the large-scale cyber-attacks on the Colonial Pipeline, SolarWinds, and the Exchange Server, President Biden announced in an executive order that government agencies must implement multi-factor authentication (MFA) based on risk and a Zero Trust security network. Even in the more slowly moving public sector, the need for a change is clear.
Introducing Identity Verification
Over the last few years, as scams, fraud and social engineering have increased across the board, it started to become clear to everyone that passwords are weak defensive measures. As a result, many organizations began introducing authentication methods like one-time passcodes (OTP).
However, that only served to create yet another channel for fraudsters and still failed to authenticate or verify the user. Furthermore, these methods make an additional (often irritating) step for the user, which (when possible) will be turned off for convenience. Worst case scenario, consumers abandon their shopping cart, and employees send frustrated help desk tickets (which hits productivity) because the repeated verification process is seemingly too arduous.
Next came the emergence of physical biometrics. This all felt incredibly futuristic and cutting edge when consumers could use fingerprints and facial scans to access their smartphones, but flaws in the methodology became apparent once again. Users can face the same level of friction as with OTPs; facial recognition technology is not perfect and is limited based on having the latest, premium device.
However, the more significant issue is that physical biometrics are intrusive and use personally identifiable information (PII), so permission is required to collect, store and process this method in many countries. This creates concerns from users who want to know how this data is being used, secured and creates a barrier to adoption.
The Path Forward
As businesses look for the best technology to both protect their customers and the organization itself, a new method stands out above the rest.
With behavioral biometrics, businesses can gather contextual information about an individual, such as how they hold their phone, the keystroke patterns to unlock their devices, and how they move their mouse. Unlike physical biometrics, which relies on facial recognition or fingerprints, behavioral biometrics passively gather data, adding no unnecessary friction to the user journey. Behavioral biometrics also can work across multiple devices and machines, so there is no need for highly specialized technology like a facial scanner or fingerprint reader.
What’s more, behavioral biometrics provide robust security while still preserving user privacy. By using the contextual data points of a user’s behavior, the data can be obfuscated, thereby enabling the user’s identity to be authenticated without the need to know or access any PII.
Once an organization has enough context to build a user’s digital identity, it can authenticate and authorize users against their own ‘normal’ behavior patterns. Because these behaviors are incredibly unique and difficult to mimic, businesses can move beyond a simple password to more easily identify genuine users and protect against fraud and bad actors.
That said, change is hard for many. As part of the effort to incorporate any additional security measures, businesses will also have to educate users on what behavioral biometrics are, why they are needed, and how they will impact the user journey. Doing so will help users better understand the inherent weaknesses of the password while simultaneously familiarizing employees with the new authentication methods.
The Key: Digital Identity Must Be At The Center
Other solutions like Zero Trust or the CARTA Framework can help prevent unauthorized users from gaining access to a company’s network, but they are not a complete solution. Of course, there is a verification component, but that does not authorize users. The only way to truly protect your organization and your users is to ensure that digital identity is at the center of your security strategy, passively authenticating at crucial points in the user journey with minimal or no added hoops for users to jump through.
The time when the password was king has long come and gone. As businesses and enterprises look to the future of security, digital identity lies at the heart of the solution. Accept no substitutes.