The future of passwords is no more passwords

Earlier this summer I wrote about password management tools as way for both individual practitioners and enterprises to confront the issue of password security. This week I wrote a piece on the effectiveness of security awareness training programs and was reminded of the threats to enterprise security that are inherent in user credentials.

Many organizations continue to search for a solution to the password problem, which leaves me thinking, maybe the answer is no more passwords.

Did you know that the first computer passwords were invented by Fernando Corbató in 1961 to protect accounts on MIT’s Compatible Time Sharing System (CTSS)? A year later, though, “The system was hacked and the passwords stolen by MIT researcher Allan Scherr who needed more than his allotted four hours on the CTSS.” 

That’s according to Telesign’s June report, “Beyond the Password: The Future of Account Security,” which said, “In 2015, nearly 800 data breaches occurred in the U.S., exposing more than 169 million records. Compromised passwords were the port of entry for many of these attacks, in large part because consumers frequently reuse passwords on multiple sites, making these accounts particularly susceptible.”

[ ALSO ON CSO: Passwords continue to be a security problem ]

I had an email account hacked once. A friend knew all of the answers to personal questions and was able to change my password, gain access to my account, and send fraudulent emails. I knew someone else who did the same thing to an ex-boyfriend.

Yet, here we are almost two decades later, and companies are now being breached to the tune of millions of dollars because bad actors are using social engineering strategies to acquire the information they need to access user credentials. 

The findings of the report which surveyed 600 security professionals across 15 industries revealed that “Passwords may show up on the endangered list within the next decade. One-third of respondents predict their companies will eliminate passwords in one to four years and another third say passwords will no longer be used in five to nine years.” 

The report additionally highlighted that:

• Passwords are no longer sufficient alone to protect accounts
• Fraud is pervasive and the impacts are high
• Multi-layer authentication is standard practice for augmenting password security
• Use of behavioral biometrics is poised to grow dramatically
• Majority of companies will be using two-factor authentication within the next 12 months

In order to counteract fraud and address the problem of account vulnerability, companies are using multiple layers of authentication. “After username and password protection, the most common technologies implemented are knowledge-based authentication, CAPTCHA and two-factor authentication,” the report said.

What will also likely see growth as an effective tool are behavior biometircs. According to the report, “Behavioral biometrics has emerged as a secure, frictionless method to stop increasingly savvy fraudsters from hijacking legitimate user accounts.” 

As so many digital enterprises have to be cognizant of the user experience, they are interested in exploring the benefits of behavioral biometrics, which have the ability to increase account security without compromising user experience.

“The technology works by recognizing users based on their behavior patterns, such as keystrokes, mouse dynamics and screen interactions. It then uses these patterns to identify anomalies between “approved” users and “bad actors.”

What holds most companies back from implementing these technologies is cost, which is always the struggle for security. While the report found that companies anticipate password extinction, they continue to rely on them and will have to until a more effective and economic solution becomes available.

Two-factor authentication and biometrics are only two technologies that hold promise, but surely there will be many more to come before the password is retired all together.