- 279% increase in security incidents at enterprises
- 81% of hacking-related breaches leveraged stolen and/or leaked passwords
- 20% of IT departments' time is spent dealing with forgotten passwords
Some recent research by LeakedSource analyzed the frequency of repeated passwords used on LinkedIn. Topping the list is “123456” with more than 750,000 entries. Second was “LinkedIn” with more than 170,000 entries, and of course, coming in third with 144,000 entries is the tried and true “password”.

Most organizations combat this by requiring longer, more complex passwords with a mixture of upper- and lower-case letters, numbers and special characters. While it seems like a great idea on the surface, it often has the opposite effect: when passwords are longer and more complex, people simply reuse the same one again and again. According to a study from the University of Cambridge, 31% of users have the same password for multiple accounts. Throw in advances in brute-force attacks and password crackers, and you have a recipe for disaster. So how do we combat this?
Multi-Factor Authentication (MFA)
Put simply, MFA or 2FA (two-factor authentication) relies on more than a single factor (e.g. a password). It’s often described as “something you know and something you have”. Common examples are a token with a rotating code, SMS-based authentication with a code sent via text, or a biometric such as a fingerprint, each used in addition to a password. According to Microsoft, more than 99.99% of breaches can be avoided simply by implementing MFA. It’s still not “great” though.
While exponentially better than passwords alone, MFA can be inconvenient if implemented poorly. An example would be logging into a site with username and password, then needing to pick up the cell phone to get the code sent via text EVERY time. That can become quite cumbersome for many users. It is also still susceptible to man-in-the-middle and phishing attacks, because a code the user types can be relayed just as easily as a password. While a topic for another time, robocalls are on the rise, and most often the number that appears on the screen is from the same area code as your phone. Those numbers are generally spoofed, and SMS intercepts are more common than you might think. Just do a search for “Twitter CEO hack” and you’ll get the idea. So how do you balance security and convenience? Easy: stop using passwords altogether.
Microsoft has three primary methods to get rid of passwords
Windows Hello is Microsoft’s premier password-less experience. With Windows Hello, you can use a combination of sign-in options depending on what your device supports:
- Facial recognition via webcam
- Picture Password – swiping and/or tapping a photo in certain patterns
- Windows Hello PIN – different from a password, this PIN is tied specifically (and only) to the device
Microsoft Authenticator uses the app on your mobile device to provide either a code or a number-match confirmation, so you never need to enter your password.
FIDO2 Security Keys are password-less security devices based on the FIDO2 standard. Options include a USB/NFC key, a USB biometric (i.e. fingerprint) key, and now even biometric wearables such as a smart watch or ring. Because the key signs the site it is actually talking to, a sign-in performed on a look-alike site cannot be replayed to the real one, which is what makes it resistant to the phishing and man-in-the-middle attacks that SMS codes are exposed to.
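To make the phishing point concrete, here is an added example (not code from the original post): a constructed Python model of the checks a relying party performs on a FIDO2/WebAuthn assertion, contrasted with a bare SMS code. It assumes an HMAC key in place of the authenticator's real asymmetric key pair, and the domains login.example and login-example.test are constructed.

```python
import hashlib
import hmac
import json
# Constructed demo: an HMAC key stands in for the authenticator's private key and the
# RP's registered public key (no ECDSA in the standard library); the RP checks are real.
KEY = b"constructed-demo-key"

def sms_code_check(issued, submitted):
    # An OTP carries nothing about where it was typed; only the digits are compared.
    return hmac.compare_digest(issued, submitted)

def authenticator_assert(rp_id, origin, challenge):
    # The browser fills origin from the page actually loaded and only permits an
    # rp_id that is a registrable suffix of it; both are bound into the signed data.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, separators=(",", ":")).encode()
    # authenticatorData = rpIdHash(32) || flags (UP bit set) || signCount(4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(KEY, signed, hashlib.sha256).digest()
    return {"authData": auth_data, "clientDataJSON": client_data, "signature": sig}

def rp_verify(assertion, rp_id, origin, challenge):
    # Relying-party side; returns (ok, reason) so the failing check is visible.
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != origin:
        return False, "origin mismatch"
    auth_data = assertion["authData"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(KEY, signed, hashlib.sha256).digest(), assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def demo():
    ch = "constructed-challenge"
    good = authenticator_assert("login.example", "https://login.example", ch)
    # Same authenticator and challenge, but the user's browser was on a look-alike domain.
    fake = authenticator_assert("login-example.test", "https://login-example.test", ch)
    return {"sms_relayed": sms_code_check("482913", "482913"),
            "fido_good": rp_verify(good, "login.example", "https://login.example", ch),
            "fido_lookalike": rp_verify(fake, "login.example", "https://login.example", ch)}
```

The SMS check accepts the code no matter which site collected it, while the FIDO2 assertion made on the look-alike domain is rejected by the real relying party at the origin check (and would also fail the rpIdHash check).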
More blogs will follow with a deeper dive into each of these options, and Enabling has the expertise to help you on your journey. With all of these capabilities, there’s only one question left to ask: “Why are you still using passwords?”