Passwords have been our main key to gain access to products and services for years. But as other options come onto the market, it is worth exploring what they can offer and why you might want to switch.
By Tim Spring
Passwords have been around for a long time, so long that many of us have just accepted them as part of everyday life. This wouldn’t necessarily be a bad thing — if not for a history of password misuse leading to disaster for both end users and organizations alike. While people are aware of the issue, with less than half of Americans having confidence that their passwords are secure, familiarity has led to indifference: breaches just happen, they’ll be headline news for a few days, and then they’ll disappear. The solution is not to keep reminding people to follow good password practices and maintain cybersecurity vigilance; it doesn’t work. The solution is to get rid of passwords and go passwordless.
65% of IT leaders reported that their organizations were likely if not certain to adopt passwordless security in the near future. There are a multitude of reasons to do so, not the least of which being reducing security costs, the need for support, and the time employees spend logging in to each different system everyday. It is estimated that the average employee has over 190 different logins and can spend 28 minutes per day just getting into their accounts. So, once you’ve decided to switch your organization to passwordless login how do you go about implementing it?
There are a variety of options for creating passwordless login for your organization, including badges, fobs, USB devices, and tokens. A common and inexpensive option offering a pseudo-passwordless experience is password managers. While “passwords” or digital keys are still created for services like these, they are often hidden from the end user, and instead tied to the badge, fob, or other object the user possesses or their password manager account. This is, typically, more secure, as the object or password manager tends to create very complex passwords, which being unknown to the user protects them from phishing.
While these options work very well for some organizations, there are some limiting factors. For example, anything physical like badges or fobs can be misplaced or stolen, and password managers still rely on an account with a master password.
At Indicio, we believe the better option is verifiable credentials. These credentials can be thought of as similar to the physical-object approach in that they are stored with the end user in an app on a mobile device; but unlike badges or fobs, these app-based credentials can be biometrically bound to the user through the app and the phone.
The credential completely removes the need for any kind of password, instead relying on secure connections created through verifying credentials. When credentials are presented for verification, they provide mutual cryptographic authentication: The user proves they are the credential holder when contacting their employer, and their employer, in their response, proves that they are in fact the user’s employer. See A Beginner’s Guide to Decentralized Identity for a deeper explanation of how this works.
The net result is a powerful way to enable passwordless login, one that has multiple defenses against fraud, while also providing the capacity for much richer interaction. And verifiable credentials can be for more than just employees and employers, any organization could implement them for customers, citizens, or anyone that wants to interact with their systems. No more passwords, no more multi- factor authentication, no more captchas (which AI can now defeat), no more recovery questions, or helpline calls; instead, you have quick, frictionless authentication, which in a business context can be easily configured to orchestrate identity and access management to hundreds of cloud-based applications, and save a lot of time and money. To see how this works in practice, watch our demonstration of Proven Finance to see how a verifiable credential can change the way you access your bank account or financial institution.
With over 24 billion passwords exposed by hackers in 2022, your organization can’t afford to put implementing a better solution on the back burner. If you would be interested in learning more about Indicio’s approach with verifiable credentials, our team has years of experience creating custom solutions to fit your needs and would be happy to help. You can ask any questions you have here, or schedule some time to talk to our team here.
