The average person juggles 100 different passwords, according to security firm NordPass. Consider that for a moment: The login information your employees or your customers use is just one set of many several dozen usernames and passwords they might jot down and forget or misplace at some point.
Password managers can be helpful, but even those require people to remember the answers to security questions.
Given the obvious downsides to traditional passwords, companies including Apple and Microsoft are ditching them in favor of more secure alternatives like fingerprint recognition, authentication apps, and facial recognition. Other companies are trying to simplify matters by relying on social-media logins, known as the OAuth protocol, which allows users to sign-in through Google, Facebook, or another third-party service.
“Billions of passwords have been compromised in data breaches, and criminals test millions of them in minutes, if not seconds, against websites they target to find accessible accounts,” says Al Pascual, senior vice president of data breach solutions at Sontiq, an identity theft prevention firm. “That kind of threat requires businesses to add additional authenticators, adding more cost and negatively impacting their bottom line.”
Biometric tools, as long as they don’t require a password if they fail, are the most secure method, says Pascual. The most common biometrics are facial recognition and fingerprint scanning. A number of automakers, such as Buick, Porsche, and BMW, have already designed cars that use facial recognition to start the vehicle or monitor alertness. Many mobile banking apps now use facial recognition. And more businesses now use timecard systems with fingerprint scanners.
While cybercriminals have stolen and misused biometrics in some rare cases, it’s hard to pull off. Still, biometrics do come with a few downsides. Both consumers and employees may see fingerprint scanning and facial recognition as an invasion of their privacy. Some cities — such as Portland, Oregon, San Francisco, and Oakland, California — have banned the use of facial recognition by police and government agencies in response to backlash from citizens. Facial recognition technology can also be inaccurate, particularly for women and people of color.
Even if your business opts not to replace passwords, security experts advise adding an additional layer of security, which can include authentication apps, security tokens, or verification codes sent to a different device, such as a smartphone.
“Regardless of company size, I will always recommend multi-factor authentication. Passwords alone are not enough to prove identity,” says technical team lead Josh Magady of cybersecurity consulting firm 1898 & Co.
Pascual says he favors authentication apps and QR codes over SMS text messages, as the latter can bring its own share of vulnerabilities, such as malware interception or a compromised cell network. These apps require customers to scan a QR code with their phone’s camera or type in a unique passcode. Some popular authentication apps include Okta, OneLogin, Google Authenticator, and more.
As for social-media authentication, Pascual says do it at your own risk. Your security will be only as good as that of your third party.
“I would generally avoid social-media authentication and any kind of federated scheme, like log-in with Google, if possible. In that case, the merchant is making the activity of its customers known to third parties, which could enable competitors to target the customer with ads,” said Pascual.