In January 2019 The Ponemon Institute published a report on the State of Password and Authentication Security Behaviors – a report sponsored by authentication hardware manufacturer Yubico.
The report offers additional evidence of how passwords continue to compromise privacy and security for both users and businesses.
From our perspective at Secret Double Octopus, the Ponemon report echoes much of what we have been communicating on the Octopus Blog: password-based authentication is insecure and inconvenient, and going passwordless is the only way to remedy these problems.
Going passwordless negates the threat of credential theft: with no passwords, there are no login credentials to steal in a phishing campaign.
Some fifty-one percent of those surveyed in the Ponemon study reported being targeted by phishing attacks. That figure represents a huge liability for companies, as it means that over half of their personnel will become potential entry points into their network and applications.
Time Spent on Logins and User Experience
When deploying a better authentication solution that improves security, user experience is critically important for its success. Requiring employees to deal with time-consuming and cumbersome authenticators is simply a bad idea.
According to the Ponemon report, a considerable amount of time is spent logging in with a username and password. Nearly eleven hours are spent by every employee every year on entering credentials. Similarly, fifty-seven percent of survey respondents expressed a preference for passwordless options because they are perceived to be easier to use.
One of the biggest liabilities for companies using password authentication is the cumulative cost of troubleshooting password-related problems. Password resets, whether because a password was forgotten or simply needed to be refreshed, place a tremendous burden on company IT and account for as much as half of all help desk calls.
According to Forrester, the cost of a single password reset averages $70.
Highlighting just how common (and detrimental) lost passwords are, a whopping sixty-two percent of Ponemon survey participants said that they had failed to execute an online transaction or other operation because of password issues.
Password sharing among users is another reason for concern. If passwords do not uniquely identify a particular user, then what is the point in having them?
Ponemon reported that sixty-nine percent of users have shared passwords with others in the workplace. Forty-six percent said they do so with regularity.
Harnessing the Bring Your Own Device Approach (BYOD)
The Ponemon report provides ample evidence of why passwords are insecure and inconvenient. It follows that going passwordless is probably the way to go if your goal is better security and usability.
To ensure your passwordless authentication initiative is also cost-effective, it is best to stay away from any solution that requires you to procure and deploy new hardware.
Bring-Your-Own-Device, or BYOD, can help, provided companies have the technology to use an unmanaged device securely and effectively.
Deploying an authenticator app to an employee's mobile device is extremely simple today. Even more important, employees adapt to it easily. Low-level maintenance tasks such as updating the app are also simple.
But ensuring the app's security and integrity, as well as guarding its cryptographic secrets, is another story.
Securely provisioning secrets to an unmanaged mobile device and ensuring their safety over time is no trivial task. Companies need experts that understand mobile devices, security, and cryptography to carefully design and implement an authenticator that administrators can actually rely on.
The Octopus Authenticator of Secret Double Octopus provides a fully scalable and easily implemented solution for BYOD authentication across the entire network.