Does the answer to better security lie in password-less experiences?

Truly password-less authentication that lets users control their personal details is key to avoiding identity theft and data breaches.

Passwords have been a trusted and familiar method of authentication for years. Their convenience, however, also makes them easy to crack. About 20 percent of users will choose their birth year if asked to create a four-digit PIN, and similar habits abound with passwords. To our disadvantage, we’ve become so reliant on passwords that, even when data breaches occur almost daily, and we’re told to change our passwords, almost half of consumers do not heed that warning.

Passwords have failed to keep pace with the growth of online services on which we rely. Simply put, they do not offer the kind of protection needed from today’s fraudsters, who are growing more sophisticated in the way they exploit weaknesses in password security and usability.

Where are passwords lacking?

Much of this boils down to user habits when it comes to passwords. The average consumer is linked to about 90 online accounts that require passwords, making it virtually impossible for an individual to remember every password. In effect, users recycle the same password across multiple applications, adjusting it only as far as a service’s policy (e.g. a character limit) forces them to. They’ll also use the same email across many services. This is known as the credential reuse habit.

About 81 percent of major data breaches are caused by stolen or weak passwords. Hackers illegally obtain credentials through phishing or a prior breach – Equifax or Yahoo!, for example – which they either keep for themselves or make available for resale on the dark web. Fraudsters purchase these password libraries and launch automated credential reuse attacks, replaying the stolen username and password pairs against the breached application and against unrelated applications. For instance, if Jane’s favorite retail account was hacked and she uses the same login at her bank, Jane’s bank account is now at risk, even if the bank itself wasn’t breached and has a strong security posture.

Attacks of this kind yield a 2 percent success rate. That may seem like a small percentage, but that amount equates to more than 46 million accounts being successfully hacked. With millions of credentials out in the wild thanks to massive data breaches, and hundreds of worthwhile applications offered by businesses (typically in financial services), the current cybersecurity environment will only get worse.

Another common, yet overlooked, cause is that both breached and soon-to-be breached enterprises often lean on centralized credential stores for customer, client and internal data. Relying on a single, central database makes sitting ducks out of user credentials: large quantities of passwords become available for hackers to sell and criminals to purchase, and then available for matching. For this reason, central databases, a.k.a. password stores, are a hacker’s favorite target. The same can also be said for payment card numbers, such as credit and debit card data. Credit card information, more popular than debit card data on the dark web, can sell for between $5 and $110, according to Experian, depending on the information tied to it (i.e. CVV, bank information, social security number, etc.).

From a usability perspective, password-less experiences are great. From a security viewpoint, however, they are often just convenience features layered on top of vulnerable systems, including those that are USB-based. In most cases, on-device biometrics simply unlock the device, paste in a stored password, or trigger a key store. Internal company systems, like single sign-on (SSO), also mask the existence of a centralized credential store rather than removing it.

Will password-less experiences ever be enough to secure our data?

In order to implement true password-less experiences with better overall security, businesses must look to decentralized authentication. Decentralization eliminates the password entirely and enables a business or service provider to communicate with users through PKI (Public Key Infrastructure). PKI is the set of roles, hardware, software, policies and procedures needed to create, manage, distribute, use, store and revoke digital certificates and public-key encryption. In our connected world, PKI uses digital signatures to give people and devices unique credentials that can be accurately authenticated at scale.

A service provider’s app, for instance, can support decentralized biometrics or PINs that are owned and carried by, and known only to, the user. Whether logging in, verifying their identity, or authorizing a transaction, the device communicates with the service provider by sending a token, rather than the user’s biometric template (in any form, encrypted or not) or their PIN, over the internet and potentially insecure networks. Users will have everything they need on their smartphones and other devices to conduct transactions, with no intermediary in the middle, putting control back where it belongs. This also eliminates the mass credential store on the business end.
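The exchange described above, as an added example that is not code from the original article or from any vendor it mentions: the server keeps only a public key per user and issues a one-time challenge; the device signs the challenge with a private key it never discloses (here Ed25519 from Go’s standard library, chosen for illustration). The user name and the idea of a PIN or biometric unlocking the key locally are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Server keeps only public keys and outstanding one-time nonces: a dump of its state contains nothing that can be matched or replayed against another service.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// Register stores the public half of the key pair; the private half never leaves the device.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues a fresh random nonce that the device must sign to log in.
func (s *Server) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand; since Go 1.24 this cannot return an error
	s.challenges[user] = nonce
	return nonce
}

// Verify checks the token against the pending nonce and consumes it, so a token
// captured on an untrusted network cannot be replayed.
func (s *Server) Verify(user string, token []byte) bool {
	nonce, pending := s.challenges[user]
	pub, known := s.pubKeys[user]
	if !pending || !known {
		return false
	}
	delete(s.challenges, user)
	return ed25519.Verify(pub, nonce, token)
}

// Device models the user's phone (assumed): the PIN or biometric unlocks the key locally; only a signature over the challenge, never the PIN or template, goes on the wire.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{priv: priv}, pub
}

func (d *Device) SignToken(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }
```

A login is `srv.Verify(user, dev.SignToken(srv.Challenge(user)))`; a second presentation of the same token, or a token from a key the server never registered, is rejected.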

To avoid identity theft and reduce the risk of a mass credential breach, it’s time for consumers and businesses alike to rethink the way we currently authenticate users. Traditional use, and storage, of passwords is no longer enough to keep our personal information personal. Password-less logins are a good start, but in order to thrive in a world where our information is consistently threatened, it’s up to enterprises to implement truly password-less experiences that keep personal credentials in the hands of the user. If not, we can expect to see more of the same breaches.

This article is published as part of the IDG Contributor Network.