Passwords are one of the most common techniques used to keep our information safe. However, with the growing number of apps, it is not at all easy for a normal person to remember every password. Our research estimates that a mid-sized company uses about 137 SaaS applications on average, and that users must remember close to 85 passwords across their personal and official accounts. Users have tried to work around this by reusing the same password on multiple websites or accounts. This is dangerous, as a single breach of one website invariably exposes the individual to the possibility of breaches in other accounts.
By Rohan Vaidya, Managing Director – India at CyberArk
In India, in 2021 alone, there have been several noteworthy breaches. The list of companies includes the payment processor Juspay, which had approximately 35 million records compromised; Domino's India, which had the credit card details of close to 10 lakh customers leaked on the dark web; the popular discount stock broker Upstox, which faced unauthorized access to its database; and Air India, which announced that the personal details of certain passengers may have been exposed due to a cybersecurity attack on the systems of the data processor responsible for its passenger service system.
If one looks at the scale and pace of attacks, it is clear that they have been relentless. For the record, 613+ million passwords have been exposed by data breaches (Source: Have I Been Pwned service; DBIR – 2021 Verizon Data Breach Investigations Report). 80% of hacking-related breaches are a result of weak or stolen credentials. This has put increased pressure on the IT help desk, with 20-50% of all IT help desk requests per year being password resets.
Every time you get locked out of an account or can’t access a work resource, you lose valuable time. You must call your IT help desk team, who likely has to reset the password or help you get the access you need to do your job. Our team made some simple calculations to come up with a dollar amount for the lost time spent resolving password issues: an enterprise of 1,000 employees spends about $495,000 annually. Instead of focusing on important business tasks, employee productivity plummets while IT help desk managers pull longer shifts to address access issues and deal with (understandably) frustrated end-users.
To address this issue, many organizations use dedicated password managers. This can be a helpful way to protect your personal passwords by eliminating the need to memorize credentials or store them in a browser. However, this is inadequate in corporate environments, where many different users need many different levels of system access. Password managers can’t manage who gets access to what sensitive resources and for how long. Meanwhile, IT teams have limited visibility into access-related events, creating security gaps and risk exposure.
It is time to think beyond passwords now. Fortunately, today, technology is available to try out new passwordless methods to protect both personal accounts and sensitive data of companies. Adaptive Single Sign-On (SSO) tools are helping employers overcome security challenges associated with traditional passwords and automate manual access granting processes that can bog down IT help desk teams. With this approach, they can analyze user and device context to determine whether the access request is “normal.” The system should know, for instance, if the user is attempting to access a database not usually accessed as part of their day-to-day activities or if a device is in a different city than usual. If the context is abnormal, the system adapts controls such as requesting re-authentication or adjusting the level of access. Analytics can help minimize friction by putting up gates only when necessary, based on a risk score. This can be further strengthened by multi-factor authentication techniques.
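The adaptive decision described above, as an added illustration that is not CyberArk's product logic: each access request is compared with a constructed per-user baseline (the resources, cities and devices the user normally uses), deviations add to a risk score, and the score maps to a control (allow, step-up re-authentication, or deny). The baseline, point values and thresholds are assumptions chosen for the example; the returned reasons are what an IT team would want logged for visibility.

```python
from dataclasses import dataclass

# Constructed baseline of "normal" behaviour per user. Assumption: a real
# system would learn this from prior access logs; here it is hard-coded.
BASELINE = {
    "asha": {
        "resources": {"crm", "mail"},
        "cities": {"Pune"},
        "devices": {"laptop-01"},
    },
}

# Assumed point values and thresholds for the example.
UNKNOWN_USER_SCORE = 100
STEP_UP_THRESHOLD = 30   # at or above this: require re-authentication / MFA
DENY_THRESHOLD = 70      # at or above this: block the request


@dataclass
class AccessRequest:
    user: str
    resource: str
    city: str
    device: str


def risk_score(req: AccessRequest) -> tuple[int, list[str]]:
    """Add risk points for each contextual signal that deviates from the user's baseline."""
    profile = BASELINE.get(req.user)
    if profile is None:
        return UNKNOWN_USER_SCORE, ["unknown user"]
    score, reasons = 0, []
    if req.resource not in profile["resources"]:
        score += 40
        reasons.append(f"resource {req.resource!r} not part of day-to-day activity")
    if req.city not in profile["cities"]:
        score += 30
        reasons.append(f"device located in {req.city!r}, not the usual city")
    if req.device not in profile["devices"]:
        score += 30
        reasons.append(f"unregistered device {req.device!r}")
    return score, reasons


def decide(req: AccessRequest) -> dict:
    """Map the risk score to an adaptive control and keep the reasons for audit."""
    score, reasons = risk_score(req)
    if score >= DENY_THRESHOLD:
        action = "deny"
    elif score >= STEP_UP_THRESHOLD:
        action = "step-up"   # gate only when context is abnormal
    else:
        action = "allow"     # normal context: no extra friction
    return {"action": action, "score": score, "reasons": reasons}
```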
Users also prefer passwordless login techniques. According to Ponemon Institute research, a majority of IT security practitioners and business users (55%) would prefer a method of account protection that doesn’t involve passwords. Data from Microsoft shows that 150 million people are already using passwordless logins each month. Similarly, the 2021 Experian Global Identity & Fraud Report found that consumers have an increasing level of comfort with, and preference for, physical biometric authentication methods (e.g., facial recognition and fingerprints) as well as behavior-based authentication methods (e.g., passively observed signals that require no effort from the user).
In summary, passwordless adoption can lead to several long-lasting benefits. For example, industry research shows that the cost of supporting passwords dropped by 87% after adopting passwordless authentication techniques. It can also reduce security risk by eliminating credential attacks, while lowering the burden on IT and reducing complexity.
About the Author
As the Regional Director of Sales – India at CyberArk, Rohan Vaidya is responsible for managing sales operations and profitability of the business in the sub-continent. He joined CyberArk in May 2016 with more than 18 years of experience in successfully building brands and businesses in India and the wider Asian region. Prior to joining CyberArk, Rohan was the Head of Region for the Indian sub-continent at K2 Partnering Solutions, a European consulting firm specializing in ERP and Cloud. He has also co-authored a book, That’s Naut My Business.