Have passwords really had their day?

Every company has to become a technology company in order to survive and thrive in today’s competitive environment. But while organisations are innovating and transforming, finding ways to better engage with customers, and protecting their people and data from a variety of threats, trust in technology is eroding due to new challenges. Organisations are under pressure to innovate quickly and issues with security, privacy and consent plague user confidence in much of the technology we rely on.

Traditionally, securing our online identity has relied on one key method: passwords. For decades passwords have been the gateway to our digital identities and what we do online, and for far too long we’ve been witnessing the failure of passwords. Okta has undertaken research that demonstrates how passwords are impacting our security and the quality of our daily lives.

But, imagine a world where our security isn’t dependent on letters or numbers which can easily be manipulated. Where access to the things we need to live and work is so inherently unique, no one else could have the same two sets of credentials because they are linked to our personal identity.

2019 will be a turning point in security. Security will begin to be based on our individual identities and completely passwordless, and identity will play an essential role in enabling organisations to build with trust.

How Did Okta Produce the Survey?

Commissioned by Okta, Opinium conducted a survey of 4,013 workers across the UK, France and the Netherlands. Responses were collected in May 2019. We refer to this survey as “Okta’s research” and refer to the people who responded as “respondents”.

Passwordless Okta Report

Passwordless Security is a Reality

Trust and Identity

Trust is the new frontier, and organisations now more than ever need to prove they are trustworthy to their customers and their employees in order to be successful. The significance of trust has increased in the last decade as a result of increased data breaches, cyber-attacks and privacy issues due to pervasive tracking of our digital identities and monetisation of our preferences.

Identity is at the centre of trust. People are now paying more attention to their identity and thus businesses must pay more attention to how they treat identities.

For decades our identity and security have been intertwined, and we’ve used passwords to protect them. But the reality is that passwords have proven to be an ineffective method for enterprises.


The Challenge for Business

Passwords cause multiple issues for businesses. According to Verizon’s Data Breach Investigations Report in 2018, 81% of hacking-related breaches were as a result of weak, stolen or reused passwords(1). And the consequences of a breach can be catastrophic. The average cost of a stolen record is $148(2), and the total cost incurred from a data breach averages $3.86m. Once breached, organisations could be struck again with a 32% likelihood of a recurring material data breach over the subsequent two-year period. Not to mention, the reputational damage is often irreparable.

While a cyber incident is the main cause of concern for enterprises when it comes to password use, there are other issues that we’ve found in Okta’s research which have a day-to-day impact on business processes.


Passwords are a hindrance to productivity. And with a sustained decrease in productivity, a business can fail to keep up with its competitors, and let down its customers who are expecting excellent customer services.

The Challenge for Workers

Okta’s research found that on average, respondents have to remember 10 passwords in everyday life, and forget an average of three passwords in a typical month. It’s well-known that the biggest security risk for employers is their employees – nearly half (49%) of organisations in all sectors face serious security incidents due to employee errors(3).

Worryingly, this doesn’t seem likely to change any time soon. According to Okta’s research, passwords containing sensitive information are changed infrequently, with work passwords changed only three times a year, and others such as bank accounts, phone PINs, personal emails and social media accounts changed just once a year on average.


So why are organisations still relying on a method which has been so far inadequate?

The reliance on passwords has led to organisations and software providers taking a tougher stance on the type of passwords allowed. Everyone has been confronted with a password screen which shows the strength of their chosen password, and the requirement for a mixture of numbers, uppercase and lowercase letters, and special characters. But this alone isn’t enough to help security – and in many cases even these measures haven’t been put in place.


Passwords: The Ideal Targets for Cyber Crime

According to the UK’s National Cyber Security, 23.3 million compromised email accounts used ‘123456’ as a password, while millions of other users were using the term ‘password’(4), their favorite soccer team or band as their passwords.

Regardless of a company’s best efforts to raise awareness around strong passwords, users will still resort to using a password that they find easy to remember, most likely because of the large number of passwords they need to remember.

For many years, passwords were seen as an adequate security measure, and the cost compared to alternatives was low. There have been many cases of a false dawn, where those in the technology industry claimed that passwords would be no more. The difference now is that there is both a growing security need to change the status quo, and perhaps more importantly, technology and solutions that can finally mean a dawn of a new passwordless era.

The Hidden Problem with Password Security

Passwords and Mental Health in the Workplace

Over the past several years, we’ve witnessed society invest in understanding and addressing mental health, but we’re just starting to discuss mental health at work. Recent research(5) suggests that as many as 1 in 6 young people will experience an anxiety condition at some point in their lives, and last year, an American Psychiatric Association (APA) poll found that almost 40% of Americans were more anxious than they were in 2017. Anxiety is on the rise in the workplace due to a number of factors, but security is one that has flown under the radar.


The Mental Pressure of Passwords

People worry about forgetting passwords, but forgetting a password itself is not a security risk. Because the majority of hacking-based breaches are a result of reused, stolen or weak passwords, it’s riskier for individuals to use insecure passwords and memory aids than to forget and reset.


What’s the Alternative to Passwords?

Innovation and Integration

Technology innovation over the last decade has given businesses a myriad of new opportunities to approach security in different ways. Now, organisations can combine methods such as biometrics with traditional methods that are still secure, and remove inadequate practices altogether. After years of false predictions, there is finally a light at the end of the tunnel for a passwordless future.


View of the Future: Biometrics

Biometric authentication leveraging fingerprints, eyes, faces and voices was introduced primarily to offer better protection against unwarranted access to accounts or systems. Unlike usernames, passwords and PIN codes, the data is unique to each person.

Biometric authentication is becoming more widespread on personal and work devices, while enterprises are also deploying their own biometric security measures.


Focusing on Education


There is work to be done to address misunderstandings on how modern biometric technology works and build trust.

For example, many employees may incorrectly believe that using Touch ID or Face ID on an iPhone or iPad or Windows Hello For Business would enable an enterprise to access their biometric data at will. In fact, the biometric data is highly secure and not available to external parties, or even to the device’s own operating system. Instead it’s deeply embedded in the security hardware of the device (such as Secure Enclave or Trusted Platform Module), meaning not even Apple or Microsoft can access it, let alone an employer.

It is up to organisations and those developing biometric technologies to demonstrate how the data will be kept secure, and evangelise the benefits and ease of implementing the technology, to reduce initial reservations.


Making Passwordless Possible Today

As organisations and people place more importance on identities and trust, there is a requirement to ensure our identities are protected. And we’re already seeing parts of organisations — be it employers, app developers, device manufacturers or IT security providers — increase the trust that the user has in them.

Okta’s research has found that the current and dominant method for securing apps, devices, systems and accounts is passwords — and this method is inadequate because passwords are susceptible to hacks, encourage insecure behaviour from users, and cause stress, anxiety and a reduction in productivity. It’s time to rethink the use of passwords.

We’ve seen how modern SSO solutions and strong, phishing-proof authenticators create a more robust and logical way of securing an enterprise. The same approach is necessary to making passwordless a possibility. Okta is helping to deliver a secure, passwordless future for enterprises that is easily implemented into any business, of any size, in any sector.

Okta is combining its leading Single Sign-On and Adaptive Multi-factor Authentication (MFA) capabilities with industry-standard authenticators with biometrics, which will enable us to replace passwords at organisations with a combination of a fully contextual risk assessment and WebAuthn authenticators that are highly resistant to phishing and can’t be circumvented or cloned.

Organisations can leverage the devices that people are already carrying in a highly secure way that still respects their privacy and doesn’t leak any information about who else they might be communicating with or which apps they may be using.


(1) https://enterprise.verizon.com/resources/reports/DBIR_2018_Report_execsummary.pdf

(2) Ponemon Institute’s 2018 Cost of a Data Breach Study

(3) https://ics.kaspersky.com/the-state-of-industrial-cybersecurity-2018/

(4) https://www.ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security

(5) https://www.anxietyuk.org.uk/

Getting Started with Your Free Trial

To discover how easy it is to deploy Okta and to begin securely scaling your cloud-based applications, visit www.okta.com/uk/free-trial to get started today. 

About Okta

Okta is the leading independent provider of identity for the enterprise. The Okta Identity Cloud connects and protects employees of many of the world’s largest enterprises. It also securely connects enterprises to their partners, suppliers and customers. With deep integrations to over 5,000 applications, the Okta Identity Cloud enables simple and secure access for any user from any device.
Thousands of customers, including 20th Century Fox, Adobe, Dish Networks, Experian, Flex, LinkedIn, and News Corp, trust Okta to help them work faster, boost revenue and stay secure. Okta helps customers fulfill their missions faster by making it safe and easy to use the technologies they need to do their most significant work.
Learn more at: www.okta.com/uk