The best thing you can say about using a password for authentication is that it’s better than nothing. High-profile breaches like Equifax, however, have exposed millions of passwords and user IDs, calling even that faint praise into question. Consumers who don’t assume that at least some of their passwords have been compromised are only creating a dangerous false sense of security.
Companies that still rely on password authentication for access to important customer and corporate data are doing the same. Password-only protection is permanently broken, and any organization relying on it is placing its business and reputation at risk. Even if they avoid a breach, awareness of the shortcomings of password protection is much higher now thanks to Equifax. If that’s how you protect customers’ data, they will think twice about trusting you with it.
Alternatives like two-factor authentication (2FA), multifactor authentication (MFA), behavioral analytics, and biometrics have been available for some time, but adoption rates are low. The growing threat landscape and rising consumer awareness are lowering the barriers to implementing these options — those barriers being, primarily, user resistance, complexity and ROI.
All these alternatives can be compromised, some more easily than others. “All authentication, whether it’s a fingerprint, a face, an iris scan—all these things are broken down into bits and bytes, and they are effectively a shared secret,” says Dustin Heywood, senior managing consultant for IBM’s X-Force Red security testing team. Because these shared secrets are stored digitally, just as a password is, it is theoretically possible to steal them. The difference is that doing so is harder.