According to the Verizon Data Breach Investigations Report, compromised passwords contribute to 81% of hacking-related breaches, and password reuse is among the biggest contributing factors in password-related security vulnerabilities.
Password reuse, it seems, is no different from our other bad habits—the ones we know are bad but cannot seem to break.
These alarming statistics on password reuse should mobilize you to review and modify your cybersecurity protocols and policy:
- 52% of the respondents in a 2019 Google / Harris Poll survey reuse the same password for multiple (but not all) accounts, while 13% reuse their password for all their accounts.
- 44 million Microsoft users reused their passwords in the first quarter of 2019, Microsoft’s threat research team found during a scan of all user accounts, with 73% of passwords being duplicates, used in both personal and professional accounts.
- 76% of users recycle their passwords, according to a survey by Security.org, with 68% tweaking a previously used password.
The Main Reasons for Password Reuse
The reasons people reuse their passwords have little to do with ignorance of the risks the habit involves.
Rather, the habit of password reuse is sustained by three interconnected motivators:
- the need for convenience and efficiency
- fear of forgetfulness
- password fatigue
Most people are juggling several passwords. Having to manage all of this information on top of multiple tasks at work and personal responsibilities can result in what is called password fatigue, which partly explains why many people simply don’t have the energy to come up with and manage multiple hard-to-guess passwords (which inevitably end up being hard to remember).
A Convenient, Multilayered Solution to Password Reuse
Businesses and individuals alike are far from doomed to live with all the inconvenience and risks posed by passwords and the management challenges that they entail. As a matter of fact, life without passwords has been a reality for a while now, beginning in 2013 when Google announced that it was done with passwords, or possibly earlier.
The key to a life without passwords?
Passwordless authentication—the method that enables users to log in to a computer system without having to enter a password or any other knowledge-based secret. That means no more passwords to remember or juggle.
How passwordless authentication works
Passwordless authentication relies on a pair of cryptographic keys:
- The public key is provided during registration to the authenticating service—remote server, application, or website.
- The private key is stored on a user’s device and can only be accessed with a biometric signature, hardware token, or another passwordless factor.
In the most common implementations, users enter their public identifier (a registered ID such as a username, mobile phone number, or e-mail address) and then complete the authentication process by providing secure, valid proof of identity.
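To make the registration and login exchange above concrete, here is an added example written for this page (it is not TraitWare's code and not an implementation of any particular standard). It models the two sides in Go with Ed25519 from the standard library: the device generates a keypair and registers only the public half; at login the server issues a random single-use challenge, the device signs it with the private key, and the server verifies the signature against the stored public key. The in-memory Server and Device types, the user identifier, and the unlocked flag that stands in for the local biometric or hardware-token check are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server keeps the public key registered for each public identifier and the
// challenges it has issued but not yet seen answered. It never holds a secret
// that could be reused elsewhere, which is what removes the reuse problem.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey // identifier -> registered public key
	challenges map[string][]byte            // identifier -> outstanding challenge
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the public key the device presents at enrolment.
// The private key never leaves the device.
func (s *Server) Register(user string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if _, exists := s.pubKeys[user]; exists {
		return errors.New("user already registered")
	}
	s.pubKeys[user] = pub
	return nil
}

// Challenge issues a fresh random nonce for a known user. The nonce is
// single-use: Verify consumes it whether or not the signature checks out.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// Verify checks that the signature over the outstanding challenge was made
// with the private key matching the registered public key.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, ok := s.challenges[user]
	delete(s.challenges, user) // consume the challenge even on failure (no replay)
	if !ok {
		return false
	}
	return ed25519.Verify(s.pubKeys[user], nonce, sig)
}

// Device models the user's authenticator: a keypair whose private half is
// released for signing only after a local factor (biometric, hardware token)
// unlocks it. The unlocked flag is a constructed stand-in for that local check.
type Device struct {
	pub      ed25519.PublicKey
	priv     ed25519.PrivateKey
	unlocked bool
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{pub: pub, priv: priv}, nil
}

// Sign answers a challenge; it refuses if the local factor has not unlocked the key.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	if !d.unlocked {
		return nil, errors.New("private key locked: local factor not presented")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Login runs the full exchange: server challenge -> device signature -> server verify.
func Login(s *Server, user string, d *Device) (bool, error) {
	nonce, err := s.Challenge(user)
	if err != nil {
		return false, err
	}
	sig, err := d.Sign(nonce)
	if err != nil {
		return false, err
	}
	return s.Verify(user, sig), nil
}

func main() {
	srv := NewServer()
	dev, _ := NewDevice()
	_ = srv.Register("alice@example.com", dev.pub) // constructed identifier
	dev.unlocked = true                            // stands in for a passed fingerprint check
	ok, err := Login(srv, "alice@example.com", dev)
	fmt.Println("login from registered device:", ok, err)
	other, _ := NewDevice() // a different keypair cannot answer alice's challenge
	other.unlocked = true
	ok, err = Login(srv, "alice@example.com", other)
	fmt.Println("login from unregistered device:", ok, err)
}
```

Two details carry the security argument of the section. The server stores only public keys, so a breach of its user database yields nothing an attacker can present to another site, which is exactly the property a reused password lacks. And the challenge is random and consumed on first use, so a captured signature cannot be replayed; a real deployment would additionally bind the challenge to the service's origin and expire unanswered challenges.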
The two classic categories of authentication factors are as follows:
- Ownership factors (something the user has): mobile phone, smart card, OTP token, or a hardware token
- Inherence factors (something the user is): fingerprint, voice, palm veins, complex iris/retina patterns, behavior pattern, etc.
In some implementations, a combination of other factors such as geolocation, network address, behavioral patterns, and gestures is also a valid option.
One factor that has no place in this method is the password.
Passwordless multifactor authentication (MFA)
To achieve layered protection, deploy passwordless multifactor authentication. MFA in general requires multiple means of authentication, drawing on the two factor categories above as well as knowledge factors (PIN, username and password, security question) and location factors (physical location determined through GPS tracking).
According to Microsoft, deploying multifactor authentication can block 99.9% of automated attacks.
In passwordless mode, MFA drops the knowledge-based (secret) factors, passwords first among them.
Passwordless single sign-on (SSO)
Single sign-on is an authentication strategy in which users perform one master sign-on to authenticate themselves at the start of their work shift, after which the SSO solution logs them in to any of the related software systems they need for their work.
Classic SSO usually involves a single master password; passwordless SSO involves a single authenticator that is not knowledge-based, which delivers both security and convenience.
Passwordless MFA + SSO
Deploying a combination of multifactor authentication and single sign-on is a comprehensive security move that shows how convenience helps facilitate the adoption of multiple security measures.
Ready to go passwordless?
Contact TraitWare to learn more about our enterprise-class plug-and-play passwordless solution.