Please adjust your playing cards; in the never-ending game of IT buzzword Bingo, “frictionless” has been duly replaced by “passwordless”.
Are we falling victim to recycled marketing talking points, or is there a technology out there that is truly different and better?
Load your coffee mug and stay with me for a cup of joe…
Nearly 50% of 2023’s workforce has a “WFH” component, and that percentage is only going to increase. The shift to a remote work culture, and the massive adoption of cloud services to operate businesses has accelerated the number of threat vectors that must be addressed by businesses’ IT security plans. And what has been the traditional front lines of defense?
Unique, strong, and frequently changed passwords.
The average person has over 100 passwords. I don’t need to spend much time describing what an unfettered joy it is remembering them all, or resetting one every week (because yes, that is a thing). Not to send the average person into a tailspin; the average hacker or BOT can correctly “guess” 99% of any one of your passwords in the blink of A.I. (see what I did there?)
That is one of the reasons why we shifted our password security to a multifactor authentication (MFA) standard. Even the toughest passwords can be guessed or compromised. So, instead of using one password, let’s use a combination of factors that combined, grant access to the information we want to protect. We all know the drill – “Something I am, something I know, and something I have”. Let’s reinforce the “something I know” [password] with the other two factors: “something I am” and “something I have”.
Today we wave our mobile phones like Obi Wan using The Force. Up until almost last month, we called that a frictionless experience. Except for a microscopic portion of our population, our life is literally “in our hands”, as our mobile phones are lead actors in our everyday drama. Whether it is a visit to the doctor, a purchase at the local coffee shop, or a mental break to enjoy a social media escape, the “something I have” requirement is met by using our mobile device.
The last of the cohort factors is “something I am”, and here we are talking about biometrics. Most of us recall the “ooh” factor when our iOS devices used our fingerprints to open an app; and then the “ahh!” when using facial scanning automatically unlocked our phones. We now call this “passwordless”; and nice work to many Marketing teams for the re-branding from frictionless.
So are we any better with passwordless? Are we operating in a more secure environment?
Traditional password-based MFA is susceptible to various security threats, including phishing, credential stuffing, and password leaks. Passwordless MFA sounds sexier, but can be as flawed as traditional password-based MFA, because it overly relies on physical biometrics, and those too can be stolen, copied or replicated. The quiet part of my last sentence is that users’ P.I.I. is being trafficked and stolen daily – and can be used to circumvent proper MFA protocols.
So is passwordless a buzz to cover for similar previous performance deficiencies of MFA technologies?
Behavioral biometrics are a frequently overlooked part of the MFA equation, and yet they are the passwordless OGs.
Behavioral biometric based credentials:
· Can be as easy as writing your name
· Can’t be stolen or shared
· Can’t be replicated by BOTs, hackers or A.I.
· Carry no P.I.I.
· Are impervious to stuffing
· Can’t be guessed like PIN numbers or keystrokes.
So why are they not widely adopted?
Many reasons come to mind, like the fact that Mission Impossible would have been anticlimactic and perceived as silly as the Space Balls password scene, if they producers had chosen a drawn password instead of a retinal and voice scan to gain access to the bomb codes. Behavioral biometrics are not as sexy an slick as physical biometrics, but they are tougher to hack.
Jump on the latest marketing bandwagon if you must; but if you want better than frictionless and passwordless combined, give behavioral biometrics a try. It will make other technology seem like you were using a password like 1,2,3,4,5.
Learn more about behavioral biometrics and the un-password MFA here.