
Most IT professionals want to replace passwords with something better, but the industry can't agree on what that is

Facial-recognition scanning can authenticate identities. Getty Images

  • Passwords are cumbersome, ineffective, and involved in 80% of hacking-related data breaches — but they are deeply entrenched in our personal and work cultures. 
  • New research shows companies are working to get rid of passwords entirely, and new AI technologies can now authenticate identities by voice patterns or how you text.
  • Next week, 45,000 cybersecurity professionals will convene in San Francisco to show off the latest tech vying to replace passwords — but can the security industry find consensus on universal solutions?

Everyone seems to hate passwords. They're hard to remember, a hassle to reset — and they don't work. About 80% of hacking-related breaches each year involve stolen or weak passwords, according to Verizon's Data Breach Investigations Report.

New research, tech, and alliances suggest we may finally be making progress in getting rid of them. In a new survey of 2,500 IT professionals, who often oversee companies' new security approaches, two-thirds of the respondents said their companies would adopt passwordless authentication for employees and customers. 

And last week, Apple joined the FIDO Alliance, an association that advocates new authentication standards to help reduce reliance on passwords. Microsoft, Google, Intel, and other big companies are already FIDO members, and Apple was seen by some as a holdout. Microsoft has also said it's working to kill off passwords, at least for internal use.

Passwords will also come under scrutiny as 45,000 cybersecurity workers convene in San Francisco next week for the RSA Conference, where "The Human Element" is the theme and dozens of talks and sessions will discuss identity-authentication methods besides remembered passwords. 

"Passwords are for tree houses," said the legendary social-engineering hacker Frank Abagnale, who is the subject of the movie "Catch Me If You Can" and will speak at the conference on the link between passwords and terrorism. Abagnale is an evangelist for Trusona, a startup that produces software for large enterprises, including Aetna and Nippon Telegraph and Telephone, to build passwordless authentication for their users.  

Another company bringing new password-killing methods to RSA is Nuance, which makes enterprise software that uses conversational artificial intelligence to prevent financial fraud. The company's biometrics can identify and verify customers on the phone based on patterns of speech, vocabulary, and even how someone taps on a phone when they text. 

Despite all the research and tech that has been employed to dump passwords, we still have a long way to go. Forty-two percent of the same IT pros who said their companies would dump passwords said some users in their companies still use sticky notes to keep track of the codes, according to a Ponemon Institute survey sponsored by Yubico, a Silicon Valley provider of hardware authentication security keys.

Why has it been so hard to get from sticky notes to passwordless authentication? Passwords are entrenched in society, and while alternatives are popping up everywhere, consensus is slow to gel. 

"Passwords have long been the de facto standard for protecting sensitive data," Steve Povolny, the head of advanced-threat research for the cybersecurity firm McAfee, said. "These days, there are many options that could take the place of the password and, in several instances, already have."

But the variety of options combined with technical limitations makes a unified solution difficult.

A December report from the analyst firm Gartner said the many options for doing away with passwords may be a key part of the challenge.

"There are many ways to eliminate passwords, improving the user/customer experience and/or enhancing security; however, technological constraints make a universal approach elusive. Security and risk management leaders … need a cohesive strategy across key use cases," the report said.
