With World Password Day on 2nd May encouraging us to vary and strengthen our passwords, at Ubisecure we’re asking, ‘why do passwords even still exist?’. The fact is that there are so many options for secure and convenient access to an application that organisations still forcing passwords on their users have no excuse.
We wrote a blog to explain why insisting on user passwords is costing your business money:
“The world is full of ideas and inventions that seemed like a good idea at the time. Only later do we discover that they were actually very bad ones. Tobacco was a very popular trend back in the day – until we discovered that it causes lung cancer and plenty of other problems. 100 or so years ago it wasn’t uncommon to placate your child with a drug that included heroin. In the early era of computers someone had to come up with a way to keep things secret on a shared computer. Therefore, the password was born – something only you (are supposed to) know. Now is the time when the password must go the way of the dodo – extinct!”
So what are the alternatives to passwords?
Passwords are not your only choice when creating a login experience for your users! And for services that store sensitive user data (arguably all services in the GDPR world), requiring multiple steps to authenticate your users’ identities will help your services to be secure and compliant.
Multi-Factor Authentication (MFA, 2FA)
Multi-factor authentication (MFA, aka 2FA) is a method of verifying a customer’s identity by requiring them to present more than one piece of identifying information or authentication factor. These could be combinations of, for example…
- Social media identities (Facebook, LinkedIn etc.)
- National IDs
- Bank IDs
- Mobile IDs
- Business account
- Biometrics (fingerprints, facial recognition etc.)
- PKI (Public Key Infrastructure)
You’ll notice that these options are all identities which already exist, meaning users won’t need to create another identity to access your service. This removes the need to remember a new username and password. In the digital identity industry, this is referred to as ‘Bring Your Own Identity’.
Regulation dictates that banks, telecoms and other KYC (‘Know Your Customer’)-led organisations must perform strong identity verification when onboarding customers. So by integrating these sign-on options into your application, you benefit from those existing, strongly verified identities when verifying your own users.
A note on social identities
‘Sign in with [insert social media service here]’ deserves a special mention, as it is one of the most commonly known options. Social sign on provides a great customer experience – which, as we know, is a prerequisite to running a successful business. Most new visitors to your application will already have a social media account, thus winning you points on the convenience front.
Although social identities have the benefit of convenience, they’re not always a sufficient security measure when used as the sole barrier to service access. This is partly because anyone can set up a social media account without robust verification of their true identity. It’s also because social media giants like Facebook have notoriously suffered data breaches in the last few years, potentially exposing login data and leaving your application vulnerable to hacks. So make sure that you’re using MFA if social sign-on is one of your identities of choice.
How to remove passwords from your sign in experience
If I’ve convinced you to get rid of passwords for your users, you’re probably wondering how to go about implementing an alternative.
The Ubisecure Identity Platform conveniently, securely and privately connects existing strong (verified) identities from government, banks, telco providers (and more) to applications and services. Owing to the large variety of options available for authentication, our Authentication Adaptor microservice enables the rapid and seamless addition of other identity providers.
For an informal chat about your options for going passwordless, get in touch here.