Today, June 23, MIRACL hosts the second annual Passwordless Day - an excellent time to look at the state of online security today and why passwords should become a thing of the past.
Passwords are outdated
150 million people are using passwordless methods each month, and that’s a good thing. According to Verizon, over 80% of data breaches occur due to weak passwords. Companies dedicate 30-60% of their support desk calls to password resets. As Joy Chick, Microsoft’s vice president of identity, pointed out: “As long as passwords are still part of the equation, they (the customer accounts) are vulnerable.” Merrit Maxim, Research Director at Forrester Research, even calls them “the cockroaches of the internet - they’re very hard to kill off.”
But the biggest names in tech are investing in a future without passwords. Microsoft, Apple and Google have all developed some form of passwordless login, which they hope will soon become the norm. Microsoft has built support for passwordless authentication into its products and services. Its IT team switched to passwordless authentication, and now 90% of employees sign in without entering a password. As a result, the costs of supporting passwords fell by 87%. Apple now sells a USB drive for passwordless authentication, and Google has just announced that passwordless security is coming to Android and Chrome over the next year.
What does “passwordless” mean?
We are so used to the idea that accessing our online accounts means typing in a (hopefully) random set of numbers, letters and symbols that we rarely ask ourselves if there’s an alternative. A passwordless login means you provide other means of identification that are safer than a password. There are a number of those:
Biometric authentication measures and analyses your unique physical and behavioural characteristics. Most people have already experienced biometric identification when using their smartphones, which ask for either a fingerprint or a face ID to unlock. Biometrics can be either device-based or cloud-based; the cloud-based variant requires the user to trust how the irrevocable template of their biometric identity is being managed outside of their control in the cloud. Biometrics have one major drawback: hackers can use the technology to replicate and steal a person’s identity. Once that has happened, it’s almost impossible to reset the system. After all, you can’t change your face or fingerprint that easily.
With cookie-based authentication, a cookie is set in your browser. It remembers your password, so you don’t have to type it in again. Although that’s convenient, it has many drawbacks: a cookie only works on a single device or browser, and hackers can intercept cookies, especially on a public Wi-Fi network.
Authentication Link Sent to the Email
The user enters their email address and receives a one-time authentication link, which they then have to click on. It’s a low-cost method, but first, it is highly susceptible to impersonation through phishing, and second, it requires users to open their email accounts. If a hacker has access to the email account, the authentication isn’t safe.
One-time password via SMS
This method is currently the most popular one. Users enter their phone number and receive a text message with a number in return. Then, they have to type in this number to gain access. This method is also highly susceptible to social engineering and SIM-swapping attacks, and it requires the user both to have a phone with reception and to switch between various applications, which takes up quite a lot of time.
HMAC-based one-time password (HOTP)
The algorithm creates a one-time password based on authentication attempts and a shared secret between the user and clients. As with the other methods mentioned, it isn’t safe from hackers.
Social login, also known as social sign-in or social sign-on, uses information from social networking sites so users can log into third-party applications and platforms. That could be platforms like Google, Facebook or LinkedIn. It’s a very convenient method but not without risks: if your social account gets hacked, you’ll also lose access to a host of other services.
USB token device
This physical device establishes a personal identity to access a network. It’s almost impossible to forge such a token, but it’s easy to lose or forget it, which makes it not the safest option.
Why shouldn’t you use a password manager?
In a world where, according to a recent study, 42% of IT specialists rely on sticky notes to store passwords, a single place to store all passwords sounds like a definite improvement. But that is its biggest caveat: one single password can open the door to all of them.
How do you implement passwordless authentication?
With MIRACL, going passwordless is easy. It supports all browsers and comes with native support for Android and iOS. That includes handsets up to a decade old. MIRACL is cloud-based, so you don’t need any companion hardware, apps, particular operating systems or firmware.
Ease of use
With no password to memorise and a single authentication method, your login process is sped up. MIRACL is 5x faster than passwords, 10x faster than authentication apps, and 15x faster than one-time passwords. The result is that your customers stay on your page for longer and are more likely to purchase since you’ve removed the friction from their login experience.
Cost and scalability
Company owners know that excellent authentication apps can be costly for their business. MIRACL offers a scalable pay-as-you-go model that can grow together with your business. Our prices are one-tenth of the costs of other multi-factor authentication options.
MIRACL eliminates vulnerable password databases from the beginning. It uses a zero-knowledge-proof protocol that makes it resistant to phishing and data hacks.
This Passwordless Day, consider your options to increase your login success rate, decrease costs, and improve user security and satisfaction. A frustrated customer may be a customer less likely to buy. At MIRACL, we feel that companies don’t need to choose between sales and security.