At RSA’s 2004 security conference, Bill Gates predicted, “There is no doubt that over time, people are going to rely less and less on passwords,” adding that passwords “just don’t meet the challenge for anything you really want to secure.”
A pertinent truth that is often forgotten when discussing the importance of authentication is that passwords should have been removed from the equation a long time ago. However, many companies do not see why they should protect their users by moving away from passwords; they do not see customer security as a sales point nor a part of their business practice. Meanwhile, regulators see strong authentication as a business to business practice and not as a ‘must have’ in the consumer market.
As a result of a shift in awareness, regulations, and motivation in 2018 alone, we have more evidence than ever to believe this change will finally be implemented in the coming year, with many companies standing to benefit from its advantages.
Shift in awareness
There was an endless cycle of credential related breaches in 2018, from HSBC to Twitter and most notably Facebook, which resulted in an increase in both business and consumer awareness for weak single factor authentication.
Shift in regulations
With regulatory officials like HIPPA and PCI-DSS supporting multi-factor authentication and its three factor types: something you know, something you have and something you are, this mode of verification is here to stay.
Shift in liability
With the implementation of The General Data Protection Regulation (GDPR) this year, the liability has shifted from the end user to the data handler and data processor, leaving the company legally liable for any breach of customer privacy and information. This change in liability hits organizations where it hurts – profits – giving them an incentive to provide better authentication processes to employees and customers alike.
These shifts have been predicted, however in the last few months we have seen an interesting shift in the least expected place: the US government. Sen. Richard Blumenthal tweeted that “we must set clear customer data protection standards for all companies — whether they’re hotel chains, online retailers, or big tech — and severe penalties for those who fall short.”
The public, regulators, and government are each aware of the dangers of passwords. In 2019 we will start to see companies which already utilize multi-factor authentication, present it as a unique sales value. Companies that don’t already use it will begin to support multi-factor authentication and use their newfound security to attract customers.
User experience and cost are two other components we believe will also soon adapt. An attractive business model is to offer a less expensive option for identity security that is both easier and more secure. According to Gartner’s 2018 Market Guide for User Authentication:
“By 2022, 60% of large and global enterprises, and 90% of midsize enterprises (MSEs), will implement passwordless methods in more than 50% of use cases, which is an increase from fewer than 5% today.”
Passwordless authentication is more secure, requires less maintenance (password resets, employee downtime) and the overall experience is simpler and easier, creating a superior user experience and a higher conversion of sales. Although over a decade too early, Bill Gates got it right in 2004 as we will see the masses move away from passwords in 2019.
Raz Rafaeli, CEO and Co-founder of Secret Double Octopus