Not Ready to Let Go of Passwords? Here’s How to Make Them More Secure

Teju Shyamsundar, April 22, 2020

We’re all tired of passwords. Employees are tired of remembering them, IT teams are tired of resetting them, and security professionals are tired of dealing with them as a major threat vector when it comes to data breaches. In addition to our frayed relationship with passwords, they also pose a threat to productivity across an organization. According to our Passwordless Future report, forgetting login details causes 37% of employees to be locked out of their accounts and 19% experience delays in their work.

Still, passwords remain a popular form of authentication when it comes to securing access to vital business resources and data. And while they are technically a sound form of authentication, they are often weakened by poor password hygiene. In fact, employees tend to forget three passwords a month, and 78% use insecure methods to remember their credentials, such as choosing commonly used passwords and reusing them across multiple accounts. This makes login credentials particularly appealing to hackers who are looking to access accounts and corporate data.

At Okta, we’re helping our customers move towards a passwordless future, but we know that it’s a process that takes time and buy-in from across the organization. So, what can you do in the meanwhile? To help you on your journey, we have four steps that you can take to better secure your authentication processes.

1. Implement real-time, secure password protection features

If your organization still operates largely with passwords to authenticate your users, there are a few features you can implement to help prevent credential-based attacks.

  • Account lockout policies: Establish automatic account lockout policies that lock an account after repeated failed login attempts, the pattern you would expect when a hacker is trying to access an employee’s account, and prompt the user to reset their credentials.
  • Banned passwords: Develop a list of banned passwords so that your users don’t employ commonly used passwords (e.g. 12345, Password, or Qwerty) to secure their accounts. This will help prevent password spraying and the account takeover attacks that follow from it.
  • Attack simulations: Use simulated attacks to find where your authentication is weakest, and set password policies based on the results to close those gaps.

2. Centralize your login experience

Implementing a federated login approach, such as single sign-on (SSO), is a simple way to address your password problems. While many people might think that SSO is just a password manager, that’s not the case. As the name implies, with an SSO solution an employee only needs to remember one set of credentials to access all of the integrated workplace tools they need. To add another layer of security, modern SSO solutions are context-aware, assessing each login attempt based on the user’s location and device, the time of the attempt, the application being accessed, and more. In this way, authentication doesn’t rely solely on a user’s password.

3. Adopt multi-factor authentication

To add another layer of security (and peace of mind), modern multi-factor authentication (MFA) solutions allow companies to minimize their reliance on passwords. Depending on the MFA policies you choose to deploy, you can prompt users to input additional factors that prove they are who they say they are.

These factors can include the following:

  • Knowledge factors: PINs or passphrases
  • Proof of possession: Mobile authenticator apps (e.g., Okta Verify), hardware tokens, and one-time password (OTP) codes
  • Biometrics: Facial recognition or fingerprint authentication

Risk-aware MFA solutions will also assess login requests for context, determining how many factors a user needs to input before being authenticated. For instance, if a user is logging in from the office network during working hours, they may be able to access the application with just their password. Meanwhile, if the login request is coming in at an unusual hour, and from a country that the user hasn’t logged in from before, the system would prompt the user to input another identifying factor.
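As an added example of the risk-aware decision just described (illustrative code, not Okta's policy engine), the following toy policy derives contextual risk signals from a login attempt and steps up the required factors accordingly: office network during working hours means password only; an unusual hour from a never-seen country means additional factors. The office network range, working hours and login history are constructed values.

```python
# Added example: a toy risk-aware step-up policy. OFFICE_NETWORKS,
# WORKING_HOURS and the known-country history are constructed values.
import ipaddress
from dataclasses import dataclass, field

OFFICE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed corp range
WORKING_HOURS = range(8, 19)                            # 08:00 to 18:59 local

@dataclass
class LoginAttempt:
    user: str
    source_ip: str
    country: str
    hour: int                                  # local hour of the attempt, 0-23
    known_countries: set = field(default_factory=set)   # from prior logins

def risk_signals(a: LoginAttempt) -> list:
    """List the contextual signals that make this attempt look unusual."""
    ip = ipaddress.ip_address(a.source_ip)
    signals = []
    if not any(ip in net for net in OFFICE_NETWORKS):
        signals.append("off_network")
    if a.hour not in WORKING_HOURS:
        signals.append("unusual_hour")
    if a.country not in a.known_countries:
        signals.append("new_country")
    return signals

def required_factors(a: LoginAttempt) -> list:
    """Password alone for the low-risk case; add factors as signals pile up."""
    signals = risk_signals(a)
    factors = ["password"]
    if signals:                                # anything unusual: prove possession
        factors.append("possession")           # e.g. authenticator app, hardware token
    if len(signals) == 3:                      # every signal fired: add biometrics too
        factors.append("biometric")
    return factors
```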

4. Go passwordless

But the best way to secure your organization is by removing the threat vector itself. Passwordless authentication replaces traditional login credentials with other methods, including factor sequencing, WebAuthn, and more.

The benefits? For IT admins, passwordless authentication methods like WebAuthn and mobile authenticators offer a more secure approach to providing user access that can’t be phished, enhancing the company’s security posture. Retiring passwords can also lower IT’s total cost of ownership, reducing the time and resources needed to set up and reset passwords and allowing the team to focus on mission-critical tasks.

For employees, not having to remember and constantly update passwords for their many accounts allows them to enjoy an improved, seamless user experience that isn’t impeded by periodic reset policies. By reducing their risk exposure, employees are also able to better contribute to keeping the organization, and their own data, secure. That’s because passwordless authentication helps to drastically reduce man-in-the-middle, man-in-the-browser, and replay attacks.

There are many things you can do to help build your organization’s security posture. Even with strong passwords being used, reducing the risk they pose to your business is a great place to start.

To learn more about how you can better secure your workforce from poor password practices, check out the following resources: