The false hope that passwords are secure and usable
- 95% of logins still use passwords
- 90% of people would chose not to use MFA
- 80% of all breaches are caused by passwords
- 75% of enterprise users don’t want to use authenticator apps
- 75% of people will abandon a shopping cart if they fail the authentication
- 91% of people understand the risk of password reuse but 59% do it anyway
- 65% of people reuse passwords (13% use the same for all sites and services!)
- 55% of people do not change their password after a breech
- 40% of people recognised they have been breached and 47% of those have lost money
- 38% of uses don’t have a mobile phone present
- 20% of people abandon a site with just a 1 second delay in page loads
- 19% CAGR password manager growth from 2017 to 2025
Do I need to go on? The best security in the world is useless if people circumvent it or worse yet, avoid it altogether by going to a competitor.
Over 25 years ago, the world changed when we were introduced the internet and email, and since that date, it became clear that the password no longer provided adequate security. Yet today, it’s estimated that there are over 300 billion passwords in use and they are still used in over 95% of all logins.
Why? Is it because we don’t have any alternatives? Modern alternatives have existed since before the earliest days of the internet. SecureID was released by Security Dynamics in 1993 and software tokens were introduced more recently in 2002. Of course nowadays we probably hear of at least one “new” solution coming out each month.
The problem isn’t the lack of secure alternatives; it’s that relative to other forms of authentication passwords are familiar to users. Think about that RSA Secure ID token you’ve used for your bank account. What would you say if your supermarket, or online newspaper required you to use the same? You wouldn’t say anything, you would go to another supermarket or another newspaper.
Usability
Think of these things as the “Usability” of a technology, both in terms of the end user who authenticates and also the service provider who rolls out the service. Your choice of authentication technology is based on far more than just security. You have to think about Simplicity, Deployability and Affordability.
Simplicity:
If it’s hard for the user to operate, or prone to errors then your users will seek alternatives.
It’s not just a matter of what you think they can handle, nobody likes to be challenged when you simply want to access a service. You need to consider what you users will understand and what they will feel comfortable with. After all, they’re already paying you once. Why do they have to jump through hoops and clear hurdles when your competitor realizes they can provide a more user friendly experience and just ignore security altogether?
Modern password complexity is driving users to re-use passwords. 91% of people understand the risk of password reuse but 59% do it anyway because of two reasons:
- They don’t really have a choice because nobody could remember 150 unique, complex passwords, and
- Most consumers figure the site will insure them against any losses.
The point is whatever you choose to use, you have to make sure your users are just as happy as your security team, otherwise your security team will be very busy dealing with the fallout of users working around your security.
Deployability:
Security and simplicity mean nothing if you cannot deploy it.
If it’s complicated to introduce or only works in a subset of situations or devices, then it cannot be “the” solution, but it’s more of “a” solution amongst many that you have to support.
Think of deployability in terms of :
- How easy is it for the users to meet the system requirements?
- Does the solution require companion hardware like a Mobile or Secure Key?
- Does your solution work on all operating systems and devices?
- Do your users have access to the infrastructure?
Deployability covers a large number of challenges for both the service and users - many of them can be quite subtle. After all, any user with a phone can receive a text message but not all users are in a service area. Likewise, I may be ok in my home grounds but what do I do on a business trip?
There is no question that smart-phone centric authentication is an improvement on the older style RSA Secure ID and far more secure than passwords, but it’s not a panacea for all problems. Getting 90% of the way there is also admirable but it’s not an answer for the remaining 10% which means you’ll either need to run two or more solutions or find another solution altogether.
Affordability:
The big question is if you can afford it.
Of course the total cost of ownership goes far beyond just a license fee
- Direct Costs: licenses, user fees, usage charges, infrastructure and equipment
- Operational Cost: setup and ongoing maintenance
- Support Cost: supporting your users can be one of the biggest single costs
- Penalties: the cost of failure
Some of these costs can be quite surprising. A recent HDI survey reported that 30% of the support calls in the enterprise are tied to password issues or password resets. Using some conservative figures, a 10,000-employee organisation can easily spend $100,000 USD/year simply on password management issues.
Consumers can have even more problems with passwords as some businesses report anything up to 50% or even 70% of all support calls are to do with passwords.
Usable and secure, without the SMS OTP
Why do you think 90% of users would choose not to use MFA if given the option? Because they’re already paying for your service and don’t want to pay in sweat just to pay you more.
Passwords still play a part in over 95% of log-ins across the world, yet since the early days of the internet, over 25 years ago, people have understood the fact that Passwords can no longer secure a world with near infinite interconnections.
Nonetheless they persist because passwords are familiar for users.
This leads us to the ultimate conclusion that “Usability” is a prerequisite and without it, security is meaningless. After all, what use is the best security in the world if nobody can or wants to use it?
So what does an ideal solution look like? It’s certainly not in the form of SMS text One Time Passcodes (OTPs).
SMS OTPs are probably one of the most widely adopted forms of authentication after passwords simply because many users have access to a mobile phone. Unfortunately SMS Texts don’t get you anywhere close to 100% coverage. For a start, Google estimated that 38% of users don’t have a mobile phone present when asked to authenticate. Increasingly there are situations where mobiles are not even allowed, such as the retail or factory floor, or simply do not operate due to shielding or perhaps the SMS Texts just cost too much.
The SMS issues don’t stop there. They also have a very high failure rate of around 15% and that is on top of the 5-15% failure rate you would typically expect from the username/password entry that it follows. So you might see anywhere from 20-30% of your users failing to authenticate using passwords with SMS. It makes the additional 15-60 seconds login delay and questionable security of SMS seem almost unimportant!
Relative to SMS OTPs, MIRACL Trust ID has:
- 1/20th the failure rate
- 1/20th the time to complete
- 1/20th the cost
- With or without passwords
It’s also the only MFA that will operate natively on any browser or device ensuring the highest level of security for all users. We can guarantee that if someone can access your service via browser or app, then they can authenticate with MIRACL Trust ID. No other MFA service in the world can make that claim.
To see highly usable and secure single-step MFA in action, schedule a demo here.
Michael Tanaka, CCO of MIRACL - has over 30-years’ experience presenting complex technologies and concepts to a diverse range of technical and business audiences.
References:
https://www.idagent.com/blog/10-password-security-statistics-that-you-need-to-see-now/
https://www.youtube.com/watch?v=Luqi12VWB3o
https://www.grandviewresearch.com/industry-analysis/password-management-market
