How to prepare for a world that doesn’t require passwords
While businesses spend billions of dollars annually on cybersecurity solutions, we still see an increase in security breaches. While we hear about the most notable cases, there are many others that can be just as damaging for businesses at all stages of their growth.
Why is this happening? The simple answer is that, regardless of how secure your security infrastructure is, most breaches today are caused by compromised login credentials. The password, which was created to protect against cybercriminals, is fundamentally flawed. It relies on human behavior to function.
There is some good news. Recent industry developments show promise in addressing this “password issue” with a new type of login that can replace passwords, the weakest link in the cyber defense chain, with un-phishable passkeys and frictionless logins.
Cybersecurity has been a problem in tech for a long time, a constant concern throughout the last 30 years of work at companies like IBM or HubSpot. This milestone allows us to refocus on cybersecurity basics and discuss how investing in this area could impact organizations, regardless of their industry or stage of growth. A breach can result in costly penalties, a tarnished image, low employee morale and even a damaged executive reputation.
We are in the midst of the next wave in authentication technology. Here are three things you can do to prepare yourself and your company for it.
For tomorrow’s passkeys, think passwordless today
As the CEO of a security firm, I am more aware of password hygiene than the average person. However, I must admit that I have fallen into bad habits in the past.
I grew up in Louisiana and was a huge football fan. I remember setting up my first password. I wanted to choose “LSU”, but it required at least six characters, which I now know is too few, so I chose “ELESHU”. Although I no longer use that password, humans are still tempted to take shortcuts that could expose their companies and themselves to security risks. This is why hackers have made phishing an increasingly popular attack vector to steal user credentials.
It shouldn’t be surprising that password elimination has been the goal since inception. What is a passkey, and what makes it different? A passkey is a passwordless credential that allows the website and authenticator to communicate by exchanging keys. These keys can’t be accessed or seen by humans, eliminating all human-related risk of password misuse.
Passkeys can’t be left behind, and you don’t need to worry about creating unique passwords. Passkeys are based on public-key cryptography, so unlike passwords, which rely on shared secrets stored on servers, they leave no shared secret on the server. Passkeys can’t be phished, whereas humans can type a password anywhere, even accidentally on a lookalike website such as facebok.com.
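The property described above, that a response signed for one site is useless at another and that the server holds nothing worth stealing, can be shown in a few lines. This is an added example, not code from the article or from any passkey vendor: it is a simplified challenge-response in Node.js rather than full WebAuthn, and the origins `https://shop.example` and `https://sh0p.example` and all function names are constructed for illustration.

```javascript
// Added illustration: simplified passkey-style challenge-response, not full WebAuthn.
const crypto = require('node:crypto');

// Registration: the authenticator keeps the private key; the site stores only the public key.
function register() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { authenticator: { privateKey }, serverRecord: { publicKey } };
}

// Authenticator: sign the server's challenge together with the origin the browser is on.
function signAssertion(authenticator, origin, challenge) {
  const clientData = JSON.stringify({ origin, challenge });
  const signature = crypto.sign('sha256', Buffer.from(clientData), authenticator.privateKey);
  return { clientData, signature };
}

// Server: accept only a fresh challenge, its own origin, and a valid signature.
function verifyAssertion(serverRecord, expectedOrigin, expectedChallenge, assertion) {
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== expectedChallenge) return 'wrong-challenge';
  if (data.origin !== expectedOrigin) return 'wrong-origin';
  const valid = crypto.verify('sha256', Buffer.from(assertion.clientData),
    serverRecord.publicKey, assertion.signature);
  return valid ? 'ok' : 'bad-signature';
}

function demo() {
  const SITE = 'https://shop.example';      // constructed origin of the real site
  const LOOKALIKE = 'https://sh0p.example'; // constructed lookalike origin
  const { authenticator, serverRecord } = register();
  const challenge = crypto.randomBytes(32).toString('base64url');
  const genuine = signAssertion(authenticator, SITE, challenge);
  // Signed while the browser was on the lookalike page, then forwarded to the real site.
  const relayed = signAssertion(authenticator, LOOKALIKE, challenge);
  // Same response with the origin field rewritten after signing.
  const rewritten = { ...relayed, clientData: relayed.clientData.replace(LOOKALIKE, SITE) };
  const nextChallenge = crypto.randomBytes(32).toString('base64url');
  return {
    genuine: verifyAssertion(serverRecord, SITE, challenge, genuine),
    relayed: verifyAssertion(serverRecord, SITE, challenge, relayed),
    rewritten: verifyAssertion(serverRecord, SITE, challenge, rewritten),
    replayed: verifyAssertion(serverRecord, SITE, nextChallenge, genuine),
    storedOnServer: Object.keys(serverRecord),
  };
}

console.log(demo());
```

A typed password would pass every one of these checks no matter which page collected it; here only the response signed on the genuine origin for the current challenge is accepted.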
Although it is difficult to change human behavior, we can change how we approach authentication. Passkey-based authentication is supported by only a few websites so far, but we don’t need to wait for widespread adoption. Passkeys have not yet become mainstream, but passwordless authentication can already be experienced through biometrics or through apps such as Discord and WhatsApp that use QR codes to allow cross-platform logins.
Adoption at work will be fueled by consumers’ behavior
Next year will mark the tenth anniversary of the FIDO Alliance, an industry group that has been working on this issue. Their initial focus was on consumer applications and not business applications. This is understandable because our employees are also consumers and their online behavior will influence how they interact at work.
Overall, I believe there has been a significant shift in business software, especially security software. The user experience must be consumer-grade to encourage adoption and to ensure the wide availability of passkeys for signing in to various online services. Passkey technology’s early stages are geared towards consumers, but there are plenty of business problems that passkeys can address at any stage of growth.
Internet users manage more than 200 logins to different accounts on average. With that many logins, it takes just one click, one convincing phishing email or one forgotten password to destroy an entire organization. Remote work has seen a rise in the number of tools and applications used by teams every day.
As workplaces become more digitalized and distributed, the area we make vulnerable to hackers grows. Passkeys, a phishing-resistant solution, address an obvious and urgent requirement. Microsoft, Apple, and Google have all launched passkey solutions recently.
Do not throw away your passwords!
Most popular websites plan to deploy passkeys by the end of 2023. Early adopters like PayPal offer passkey support for payments. Websites like PayPal will be able to support both passkeys and passwords during the transition period. This hybrid phase is crucial because the switch will not happen overnight. Even companies that are diligent in enforcing multifactor authentication (MFA) are falling prey to disruptive attacks. Until passkey technology is widely available, we recommend combining good password hygiene with MFA.
Ensure that your organization understands why you are moving from MFA and passwords (which may have felt like a pain point in the past) to passkeys — the most secure and trustworthy way to live and work online.
JD Sherman is an advisor to Dashlane and a board member.