Remember the last time you forgot a password and had to reset it? Annoying, right? Maybe you’re finding it doesn’t happen as much as it used to though. Data security experts have been working on improving the way applications authenticate users for many years. Today, all kinds of businesses from retail banks to ad exchanges are implementing a range of security solutions that go beyond a one-step password process.
In this guide, we’ll examine a few of those. We’ll also take a look beyond, at what the future of passwords holds in store. But why is all this change necessary? Well, here’s the thing: passwords pose a few problems.
The problems with passwords today
We’ve reached a point in the evolution of the web where passwords are becoming more of a problem than a solution. Most obviously, they represent a pain point in the user experience. They can be difficult to remember, particularly when we have to use so many to access different sites.
But that’s not the biggest problem. The most significant issue with passwords is that they are now the weakest link in the digital security chain. According to Verizon’s 2021 Data Breach Investigations Report (DBIR), over 80% of security breaches are due to weak or compromised passwords.
All this results in the following conundrum. Passwords that are short enough to remember can easily be hacked. And passwords that are long enough to be secure are difficult to remember. This leads to people reusing the same password across multiple sites, which in itself increases users’ vulnerability to cybercriminals.
Evidently, this poses a tricky challenge for modern businesses. You could be using the best customer support software, but all it takes is one data breach and you’ll lose customer trust. So how can companies make sure they’re keeping their customers’ details safe? Well, if it were an easy problem, it would have been solved already. But even today we’re seeing signs of a budding revolution in how we access data and keep it secure.
The future of passwords has already begun
What’s becoming obvious is that data security is developing along two parallel paths: business-oriented, and consumer-oriented. That is to say that many businesses already have enhanced solutions in place that are too tech-intensive and cost-prohibitive to be used by private individuals. There’s a crossover, of course, particularly in the B2C space.
Today, most businesses are well aware of the need to focus on data security and web app security testing. Here are a few alternatives to passwords alone that are already widely used:
Single sign-on (SSO)
This authentication method allows users to sign in securely once to multiple independent but related sites. When a user signs into a site, it sends a token to a centralized SSO system requesting authentication for that user. The system then sends a positive authentication token back to that site. When the user then moves to another application, the token is passed to the new site. This means the user only has to sign in once.
You may have logged into sites with Facebook or Google. This is essentially the same principle.
Overall, SSO is a popular choice for several reasons. First, it makes the user experience very smooth. And from the administrator’s perspective, it makes everything more straightforward. Changing password complexity requirements across the whole network is much easier, for instance. And when someone moves on from the company, their access to multiple applications can be removed in one fell swoop.
The initial sign-in can use a number of methods, from a basic password to multi-factor authentication.
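The token hand-off described in this section, as an added example that is not part of the original article: a central sign-on service issues one signed, expiring token, and each site verifies it instead of asking for the password again. The function names, the demo key and the use of an HMAC are assumptions made for illustration; production SSO protocols such as SAML and OpenID Connect normally use asymmetric signatures.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key standing in for the sign-on service's signing key.
# With an asymmetric key, sites could verify tokens without being able to mint them.
IDP_KEY = b"constructed-demo-key-not-for-production"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_token(user, audiences, ttl=300, now=None):
    """Sign-on service: called once, after the user's single sign-in."""
    now = time.time() if now is None else now
    claims = {"sub": user, "aud": audiences, "exp": now + ttl}
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + b64url(sig)

def verify_token(token, site, now=None):
    """Relying site: returns the user name, or None if the token is rejected."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
        # Check the signature before trusting anything inside the token.
        if not hmac.compare_digest(base64.urlsafe_b64decode(sig), expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return None  # wrong shape, bad base64 or bad JSON
    # Reject expired tokens and tokens issued for other sites.
    if now >= claims["exp"] or site not in claims["aud"]:
        return None
    return claims["sub"]

if __name__ == "__main__":
    token = issue_token("alice", ["mail", "wiki"])
    for site in ("mail", "wiki", "payroll"):
        print(site, "->", verify_token(token, site))
```

The expiry and audience checks are what let an administrator cut off access centrally: once the sign-on service stops issuing tokens for a user, every site stops accepting that user when the last token expires.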
Multi-factor authentication (MFA)
Multi-factor authentication has actually been around a while. The basic concept involves using a multiple-step process to prove you are who you claim to be. Have you noticed that it’s becoming less common to be asked for your mother’s maiden name as a security check? That was an early version of MFA, but it was too easy for criminals to hack.
In a world where business text messaging is commonplace, it was simple to find a way to improve this process. Nowadays, most companies favor using a code sent to your device by SMS message to confirm your identity.
However, nothing stands still for long in the world of data security. It seems that using SMS messaging for MFA may be coming to an end. There’s been an upsurge in criminals hacking the SMS step of this process by porting phone numbers to new SIM cards and getting hold of MFA codes that way. If you’ve noticed more and more companies requiring you to use dedicated authentication apps, this is why.
I don’t know about you, but password managers from the likes of Google and Apple have made my life about 1,000 times easier. Long gone are the days when I had to reset some password or other with irritating regularity. They’re a neat way of meeting the challenge of storing multiple long, complex (and therefore secure) passwords without the user having to remember them.
Of course, if you take an interest in the digital security space, you might see a problem with this. There’s no doubt that the convenience of password managers is their greatest selling point. But they can also foster consumer dependence on the big tech ecosystems. After all, there’s no need for the big tech giants to conduct RFM analysis if they know users will keep coming back because they can’t live without a password manager.
What’s more, password managers don’t actually solve all the problems associated with passwords. That’s because they are essentially just big, encrypted vaults full of passwords that can be accessed with…a password. So while they do add a layer of security, they’re not game-changers.
One simple alternative that keeps to the basic principle of using a password but is more secure is passphrases. These are just longer passwords made up of phrases that are much easier to remember but are also difficult to hack.
For example, the passphrase “Batmanatemysandwichlastwednesday” is much less intimidating to memorize than “GL4%!d9Ip;4^5H”, right? But because the combination of words used in the passphrase is unique, it’s very difficult for cybercriminals to guess.
However, many sites still impose 12-character limits on passwords. This is one of the UX design mistakes it’s vital to avoid. Increasing the character limit to encourage passphrase use would be an easy, low-cost way of improving security.
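To put numbers on the passphrase argument and the length limit, here is an added example (not from the original article) that compares guessing entropy and checks both sample secrets against a 12-character cap. It generalizes beyond the article's single phrase and assumes the words are picked at random from a 7,776-word list, since a phrase a person makes up is easier to guess than the figures suggest; all function names and the sample word list are constructed for illustration.

```python
import math
import secrets

PRINTABLE = 94    # printable ASCII symbols, space excluded
LIST_SIZE = 7776  # assumed word-list size (6**5, as in Diceware-style lists)

# Constructed sample list, only to make the generator runnable here.
SAMPLE_WORDS = ["batman", "sandwich", "wednesday", "lantern",
                "orbit", "velvet", "cactus", "harbor"]

def bits_random_chars(length, alphabet=PRINTABLE):
    """Guessing entropy of `length` characters drawn uniformly at random."""
    return length * math.log2(alphabet)

def bits_random_words(count, list_size=LIST_SIZE):
    """Guessing entropy of `count` words drawn uniformly from the list."""
    return count * math.log2(list_size)

def words_to_match(length, alphabet=PRINTABLE, list_size=LIST_SIZE):
    """Fewest random words at least as strong as a random password of `length` chars."""
    return math.ceil(bits_random_chars(length, alphabet) / math.log2(list_size))

def generate_passphrase(count, words=SAMPLE_WORDS, sep="-"):
    """Pick words with the OS CSPRNG rather than letting a person choose them."""
    return sep.join(secrets.choice(words) for _ in range(count))

def accepted(secret, max_len):
    """Length policy check: the kind of cap the article warns against."""
    return len(secret) <= max_len

if __name__ == "__main__":
    print("14 random characters:", round(bits_random_chars(14)), "bits")
    print("5 random words:", round(bits_random_words(5)), "bits")
    print("words needed to match 14 characters:", words_to_match(14))
    for secret in ("Batmanatemysandwichlastwednesday", "GL4%!d9Ip;4^5H"):
        print(len(secret), "chars, fits a 12-char cap:", accepted(secret, 12))
    print("generated:", generate_passphrase(6))
```

Neither of the article's two sample secrets fits under a 12-character cap, so the limit blocks strong random passwords as well as passphrases.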
This is where the futuristic element really ramps up. For many years, the data security industry has been investing heavily in biometric research. In fact, the Biometrics Research Group estimates that the global biometrics market will be worth nearly $78bn by 2026.
It’s easy to see why. Being able to deliver secure authentication without any need for a password at all has long been the dream. Now, we’re seeing it become a reality with applications using facial and fingerprint recognition. Nevertheless, the tech isn’t quite perfect yet. If an individual’s appearance changes—say, because of injury or because they’re wearing a face mask—the authentication process will fail, and a password or PIN will have to be used as a fallback.
But in the medium term, the biggest barrier to biometrics taking over completely is more likely to be consumer resistance than tech constraints. Concerns around the death of privacy online are not unusual.
The Dazzle Club is a collection of artists in London, UK, who paint their faces in jarring, asymmetric patterns to outsmart facial recognition tech. They meet once a month just to wander around the city for an hour, protesting public surveillance. For now, this is not typical of consumers’ reaction to biometric tech more generally, which remains broadly positive.
Nevertheless, it’s possible that this kind of mistrust could become a problem. Not all consumers are being won over by the convenience of these systems. Businesses in the biometric space should be using robust hybrid business communication processes to engage their customers. Allaying any fears about how the tech will be implemented is key.
The further future of passwords
Many experts say that the ultimate aim is to get rid of passwords altogether. What might that look like?
Given the inherent security flaws of user-generated passwords, the next stage in data security will involve different forms of user identification. We’ve already mentioned biometric authentication via facial or fingerprint recognition technology, which will become more reliable with time. But there are other intriguing possibilities.
Retail giant Amazon is already testing out software that measures your typing speed and the pressure you place on your keypad as a way of identifying users uniquely. This is one example of identification via user behavior, a genuinely innovative approach. Some of these systems will detect physical behavior like typing style or posture. Others will use behavior patterns such as how you search for information.
These systems will only challenge you if they detect any behavior that doesn’t fit with your profile in some way. At that point, you may be asked for a password or some other identifying input. If this kind of tech can be perfected, it would be liberating for users. It would also give the cybercriminals a real headache.
Or rather—it would for a while, at least. The truth is that data security will always be a continuous arms race. As data security technology advances, malign actors will try to develop ever more ingenious ways of getting around it.
Passwords may not be perfect, but they are cheap to implement, easy to reset and everybody’s familiar with them. The way we use them will evolve in the future, but it is likely to be some time before we leave them behind for good.
Jenna Bunnell – Senior Manager, Content Marketing, Dialpad
Jenna Bunnell is the Senior Manager for Content Marketing at Dialpad, an AI-incorporated cloud-hosted unified communications system that provides valuable call details for business owners and sales representatives. She is driven and passionate about communicating a brand’s design sensibility and visualizing how content can be presented in creative and comprehensive ways. Check out her LinkedIn profile. Jenna Bunnell has also written content for MacSecurity and Shift4Shop.