Will Passwords Soon Be a Thing of the Past?

Adams and Reese LLP

Most organizations and individuals rely on passwords to authenticate access to computer systems and electronic information. Passwords are a risky proposition, however, because 1) people have trouble remembering multiple passwords and often reuse the same passwords across services; and 2) threat actors can guess weak passwords. According to one source, about 80% of successful attacks (resulting in account takeovers, data breaches, and stolen identities) occur through weak, easily guessed, or stolen passwords.

Support for “Passwordless Sign-Ins”

Mindful of the ongoing risks associated with passwords, on May 5th, Apple, Google, and Microsoft announced plans to support a “passwordless” sign-in standard. This standard, created by the FIDO Alliance and the World Wide Web Consortium, will allow users to sign in via the same action they use to unlock their smartphones, such as fingerprint or face verification, or a device PIN. Some companies (including Apple, Google, and Microsoft) already offer some forms of passwordless sign-in, and according to the announcement, those sign-ins will soon become more seamless and secure.

In the Meantime...

Most of us will likely continue to use passwords for some period of time, as passwordless sign-in or other alternatives are adopted and refined. Consider one or more of the following to limit risk as you employ passwords:

  • Use strong, unique passwords or passphrases for all accounts. Strong passwords (ones that contain more and different characters) are harder to guess. Consider using a password manager as one way to reduce the fatigue of remembering so many login credentials;
  • Implement multifactor authentication (MFA), especially for remote access. MFA requires a combination of two or more authenticators to verify your identity. Using MFA is crucial when a password has been compromised, for example following a successful business email compromise (BEC) scheme;
  • Be skeptical, and train your organization to be skeptical. Never click links or open attachments in emails or texts that appear to come from your employer, bank or any other institution. Always log in to your accounts directly.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Adams and Reese LLP
