The State of Authentication: Concerning the Password
Last week, ThumbSignIn and Gluu Federation released a report on moving “Beyond the Password.” Full disclosure: OWI is featured in the report, providing analysis on the key findings. This week, we’ll be expanding on the report to provide insight into the state of authentication, recent innovation and investment, and our take on how the market will evolve moving forward.
Follow the Data
We discovered some deeply concerning information in the Customer Authentication report: nearly half of apps (47%) and websites (40%) still rely solely on passwords for authentication. However, 62% of companies are planning to implement stronger authentication measures in the short term, including biometrics or two-factor authentication (2FA). Companies are recognizing that passwords aren’t enough, whether they’re driven by industry standards or security preparedness.
Let’s start with password storage. Facebook, Google, Slack, and Robinhood are among the companies that were discovered to have stored plaintext passwords. Essentially, anyone with access to the backend system can view passwords, no decrypting or hacking required. Poor security hygiene paves the way for tactics like credential dumping and credential stuffing, which account for 90% of e-commerce cybercrime and are especially dangerous considering that 73% of online accounts use duplicated passwords.
The downsides don’t stop here. Email password resets appear deceptively simple and straightforward to the customer, but account recovery actually costs businesses a pretty penny. 30-50% of all help desk calls are for password resets and the average labor cost for a single password reset is about $70. Whether automated or handled on a one-off basis, passwords require resource-intensive infrastructure.
Also remember: bad actors love to take advantage of opportune, low-friction vectors, not Fort Knox-esque citadels of security. Employees are one of the largest liabilities when it comes to cybersecurity, with 90% of data breaches caused by employee error. Reliance on passwords for authentication, in conjunction with poor cybersecurity training, is akin to locking your front door and leaving the key in a glass box on the porch – that box really isn’t going to be much of a deterrent to someone looking to break into your house.
On the bright side, the majority of companies are in the process of implementing or researching new authentication solutions, including biometrics and mobile app authentication. The data indicates that the market has reached a tipping point: companies know that passwords alone are not enough and are an inefficient use of resources, but improved authentication won’t evolve overnight.
Follow the Money
Some companies are further ahead of the authentication curve than others. While identity issues are generally new to a mainstream audience, the industry has seen these issues coming for years. Accordingly, there is a ton of investment in the “beyond-the-password” space, especially in companies that accurately predicted prevalent industry issues and created solutions before the tipping point is, well, tipping. Here are a few unicorns (companies valued at over $1 billion) and a reminder of just how much investment they’ve generated:
Auth0 – In May 2019, Auth0 (pronounced Auth Zero) announced $103 million in funding, led by Sapphire Ventures, pushing its valuation to more than $1 billion. Auth0 offers authentication-as-a-service, helping companies secure their perimeter.
Duo – One of the most well-known authentication providers, Duo offers a suite of authentication products including MFA and single sign-on services. The company was acquired by Cisco in 2018 for $2.35 billion.
Okta – Okta is an identity and access management system that enables companies to authorize both employees and customers through a single platform. When Okta went public in 2017, it was valued at over $6 billion.
The Digital Identity Opportunity
In 2004, Bill Gates famously predicted the death of the password.
Clearly, that hasn’t happened.
But that doesn’t mean it won’t happen eventually. The industry standard is in transition, with passwords acting as the in-between solution. Most people realize passwords are simply not enough, regardless of whether their concerns are rooted in security.
We’re seeing a slow but accelerating migration towards the watering hole of authentication options. Some companies are already there, taking advantage of being first on the scene to establish a dominant position as more and more companies arrive and vie for a spot.
The authentication evolution means that the time to invest is now. The status quo is changing, and companies clinging to passwords will remain prime targets for cyberattacks. Keeping up with changes can seem burdensome, but it’s one of the most controllable things a company can do as cyberattack tactics continue to become more sophisticated.