Eliminating Bad Password Behaviour

By Jerrod Chong, Chief Solutions Officer, Yubico

For decades, passwords have been the primary method of authentication used to protect data and accounts from unauthorised access. However, with every new password breach that we see, it’s become increasingly clear that new security approaches are needed to help individuals manage and protect their accounts both personally and professionally. From poor password hygiene to stolen credentials, passwords aren’t cutting it anymore.

Poor Password Behaviour is Real

Our 2019 State of Password and Authentication Security Behaviours Report, conducted by the Ponemon Institute, showed that two out of three employees (69 percent) admit to sharing passwords with their colleagues in the workplace to access accounts. More than half of respondents (51 percent) reuse an average of five passwords across their business and/or personal accounts.

The larger concern is that in addition to using poor password practices, users also aren’t taking advantage of added account protection beyond a username and password, including two-factor authentication. In fact, 67 percent of respondents do not use any form of two-factor authentication in their personal life and 55 percent of respondents do not use it at work.

As cyberattacks become more prevalent, vulnerabilities created by poor password and authentication practices lead to attacks such as phishing. More than half of respondents experienced a phishing attack in their personal life, and 44 percent experienced a phishing attack at work. Still, 57 percent of these individuals did not change their password behaviours.

It is increasingly clear that new security approaches are required to help individuals manage and protect their passwords both personally and professionally. Current solutions are proving too time-consuming or bothersome to use on a daily basis. Respondents report spending an average of 12.6 minutes each week, or 10.9 hours per year, entering and/or resetting passwords. Based on an average organizational headcount of 15,000 as cited in the research, the estimated cost of productivity and labour loss averages AU$7.2 million per company annually.

Eliminating Passwords for Better Security

To understand why passwords are so unreliable, it’s important to understand how they work. Account login with a username and password requires that a user’s password is sent across the internet to the service for validation. If the password does not match the password stored on the server, account access is denied. It’s important to differentiate passwords from something like a PIN, which, by comparison, is checked locally to ‘unlock’ or authorize a device (similar to how a PIN is used with an ATM card) and is not sent across the internet for validation.

The problem is that no matter how complex or unique a password may be, this process of validation over the internet still allows room for vulnerability. Passwords can be easily phished by tricking the user into entering their credentials into a fake site, or the passwords could be stolen if the service provider gets breached and an attacker accesses the log of stored user credentials.

Today, these attacks are increasingly prevalent. In fact, millions of user credentials from data breaches around the world are now accessible on the web, including 773 million records known as Collection #1, making stolen credentials the cause of most account takeovers.

Let’s face it — managing passwords is inconvenient and cumbersome, which is why 57 percent of respondents expressed a preference for a password-free login experience that would still protect their identity.

Where this once may have been considered ‘impossible’, it is now a reality. Recently, the World Wide Web Consortium (W3C) approved a new standard for secure web authentication: WebAuthn. WebAuthn is the first global standard for web authentication that removes the reliance on passwords, and it is on track to be supported by all platforms and browsers, marking a milestone in the history of internet security. With WebAuthn, there is now a clear path to addressing the problem behind most security breaches and account takeovers due to stolen online credentials.

What is WebAuthn?

WebAuthn represents a major step forward in internet security, paving the way to a world of user-friendly and highly secure password-free authentication. It has been ten years in the making, starting with the adoption of the FIDO Universal Second Factor (U2F) standard, followed by FIDO2, and now the finalized Web Authentication (WebAuthn) specification, which is an official web standard. These standards build upon each other to bring together important new security capabilities for the modern web.

WebAuthn is the web authentication API portion of FIDO2, which supports three different types of authentication flows: single-factor, second-factor, or multi-factor. Second-factor authentication is the standard form of login that we see in most places on the web today: a username and password plus possession of a device like a security key or phone. Single-factor and multi-factor authentication can be forms of passwordless login, without the need to send credentials over the network. Single-factor authentication requires one form of authentication, like a hardware security key requiring user presence to prove possession of the device. Multi-factor authentication requires two forms of authentication, like a hardware security key plus a PIN, or a hardware security key plus a biometric.
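
The difference from a password login can be seen in a simplified model of the challenge and signature exchange. This is an added example, not Yubico's code or the browser API: it runs under Node.js, and the function names, the `bank.example` and `bank-login.example` origins and the zeroed signature counter are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
const UP = 0x01, UV = 0x04; // authenticator data flags: user present, user verified

// Registration: the key pair is created on the authenticator. The service stores
// only the public key, so a breach of its database leaks no login secret.
function register() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { authenticator: { privateKey }, serverRecord: { publicKey } };
}

// Client side: the browser records the origin it is really on, and the
// authenticator signs authenticatorData || SHA-256(clientDataJSON).
function getAssertion(authenticator, challenge, origin, rpId, flags) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const authData = Buffer.concat([sha256(rpId), Buffer.from([flags]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, authenticator.privateKey) };
}

// Server side: check challenge, origin, RP ID hash and flags, then the signature.
function verifyAssertion(record, expected, a) {
  const client = JSON.parse(a.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'stale challenge';
  if (client.origin !== expected.origin) return 'origin mismatch';
  if (!a.authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpId mismatch';
  if (!(a.authData[32] & UP)) return 'user not present';
  if (expected.requireUV && !(a.authData[32] & UV)) return 'user not verified';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, record.publicKey, a.signature) ? 'ok' : 'bad signature';
}

// Constructed scenario: bank.example is the real service, bank-login.example a look-alike.
function demo() {
  const { authenticator, serverRecord } = register();
  const challenge = crypto.randomBytes(32);
  const expected = { challenge, origin: 'https://bank.example', rpId: 'bank.example', requireUV: false };
  const good = getAssertion(authenticator, challenge, expected.origin, expected.rpId, UP);
  // The look-alike relays the real challenge, but the browser reports the look-alike's origin.
  const phished = getAssertion(authenticator, challenge, 'https://bank-login.example', 'bank-login.example', UP);
  return {
    singleFactor: verifyAssertion(serverRecord, expected, good), // touch only
    phished: verifyAssertion(serverRecord, expected, phished),
    pinRequired: verifyAssertion(serverRecord, { ...expected, requireUV: true }, good),
  };
}
console.log(demo());
```

The touch-only assertion is accepted as single-factor login, the assertion obtained through the look-alike site is rejected on its origin, and a service that demands a PIN or biometric rejects an assertion that lacks the user-verified flag.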

Ubiquitous Authentication Across the Web

With WebAuthn, users no longer have to rely on the weak security of passwords. Going forward, users can expect services to offer WebAuthn strong authentication methods by providing the option to use both external security keys and built-in platform authenticators to protect online accounts.

Microsoft accounts have already enabled a passwordless login experience for their users, and major web browsers and operating systems are following suit, including Microsoft Edge, Mozilla Firefox, Google Chrome and Google Android, with Apple Safari in beta. This innovation gives application developers and service providers the option to deliver stronger security for users while enabling an easy-to-use login experience that takes us all beyond the historic problems of passwords.

Users who would like the highest form of protection for their online accounts should request support for WebAuthn from their favourite or most-used online services, including banks, accounting software, government services and even online shopping sites. All of this signifies a promising future — one in which the security of your online identity is finally not dependent on passwords that live in your memory.