The Risks of Sticking With Password-Protected Authentication

Passwords are costing us, from data breaches to thousands of euros in password resets. There’s a better way to safeguard data and our bottom lines!

Feb 17, 2022 - 5 min.
Branka Miljanovic

During a business trip overseas a few years ago, I was looking forward to relaxing after an extended day of meetings. I checked into my hotel, intending to quickly look through my private emails and then relax on the beach. Yes, I happened to be doing business on a tropical island as luck would have it. 

I opened my Gmail account and almost immediately received a warning email that Google had detected something abnormal. My account was being accessed from a device in Florida. If I wasn’t in Florida, I should log that device out of its session. Well, I wasn’t in Florida. I was on a tropical island. So I clicked okay. And I was immediately logged out of my own device. 

I was probably geolocated in Florida because that was where my browser traffic was being routed. But that’s another topic for another article. Right now, I was locked out of my computer. And as a marketing employee in a security company, I had of course installed all the security protocols. Indeed, my account was so protected that I couldn’t even get back into it myself. And my super secure password… I had no idea what it was. 

Since the dawn of two-factor and multi-factor authentication and the use of biometric protocols, significant and important changes have been made to streamline password retrieval processes. However, not all companies implement these solutions. In my situation, the ramifications were not so severe. I lost one very stressful hour of my life trying to gain access to my own data. But there can be much more serious financial repercussions for companies that rely on traditional username and password systems for authentication. Let’s look at the risks of not transitioning to a passwordless solution. 

The potential financial fallout from password solutions

When signing up for a new service, we’re usually prompted to enter our email address and a password. This password should be super secure, with capital and lowercase letters, numbers and symbols. You take data security seriously so you make sure to choose a very difficult password. So difficult in fact, that you will probably never remember it when you have to log into this service, which is why you’re probably guilty of one of the most egregious password no-nos: reusing the same password across different services. Don’t worry, most of us are equally culpable.

However, herein lies a serious and expensive problem for the companies providing these services and attempting to keep our data safe. According to research conducted by the World Economic Forum, four out of five global data breaches are the result of lost or stolen passwords. And if your one password has been compromised, all of the services that you log into with that password are now exposed. With cybercrime costing a whopping EUR 2.6 million per minute across the globe, there is no real margin for error. Our password system is broken.

But the financial fallout from password (mis)use is not limited to the costs associated with mitigating the effects of data breaches. According to a study that we conducted in-house, the average cost per call for inbound call centres is EUR 36. And 30 per cent of the calls received are related to password resets. For businesses outsourcing their customer service departments, this can add up fast. For an average of 1,000 calls per day, companies could spend upwards of EUR 12,000 just on resetting passwords. Per day! Over EUR 3.6 million a year could be saved simply by eliminating passwords.

Striking the right balance 

By now, you’ve hopefully been convinced by the numbers. Using passwords for security simply does not make sense – financially or in terms of top-class security. The level of complexity needed to ensure that a password is safe means that they are either: a) easily forgotten by users, who then need (incredibly expensive!) assistance to gain access to their accounts again, or b) used across multiple accounts and services, thereby diminishing their overall safety and increasing the likelihood of numerous companies being exposed to data breaches and cyberattacks. 

So where do we go from here? 

Remember my tropical paradise nightmare? I was very impressed to realise the lengths Google was willing to go to in order to ensure the security of my data. However, I was none too thrilled about the nail-biting 60 minutes I had to invest in frantically searching Google and the Internet to figure out how to get back into my account. To this day, I have no idea how I regained access. But after one hour, a series of clicks, password resets, and single-use TANs, I was finally able to read my emails. They were not very exciting. 

That was my payback for being responsible for password security. After I told all this to the developers and engineers, I was of course laughed at. As someone who takes security seriously, this episode will not deter me from always taking the most secure route in the future. However, less security-minded users might feel differently. That is why it is essential for companies to strike the right balance between ease of use and protection. 

What does that mean?

Certain data – like PII (personally identifiable information), healthcare information, and financial statements – should be protected using the highest security protocols. Unauthorised access to this kind of information by malicious third parties could have severe consequences, ranging from identity theft to financial loss to reputational damage (for the company). However, most people aren’t willing to jump through various security hoops to access a social media account (although they probably should be!). That means that companies have to weigh the risks of frustrating customers who might then take security shortcuts against the risk of unauthorised data access in order to determine the best strategy when it comes to data security.

So what is the solution?

In an ideal world, we’d get rid of passwords altogether. The good thing is, we are actually living in an ideal world. At least when it comes to data security. 

Thanks to the huge leaps in mobile and computing technology, the solution for passwordless authentication is now at our fingertips. Literally. Most new (and even many older!) mobiles and computing devices are equipped with the technology to facilitate a biometric solution. 

You’re probably already familiar with biometrics. If you’ve set up a new mobile device in the past six or seven years, one part of the process is usually to store your fingerprint or, nowadays, a scan of your face. This biometric data never leaves your device, is itself protected with some of the most advanced security protocols, and can provide a unique authenticator to verify that you are who you purport to be. Integrating these biometric features into the security process is one of the safest ways to protect user data from unauthorised access and one of the easiest for users. And there’s no need to take any shortcuts to make it simpler. Just tap or look at your authenticating device (maybe a mobile phone or a token) and you’re authenticated. (Note: This is actually a lot more complex behind the scenes, so feel free to read Nevis' article on FIDO protocols if you’re curious to learn all the mechanics behind this process.)
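To make the "never leaves your device" point concrete, here is an added Go sketch of the exchange such a FIDO-style login boils down to; it is not Nevis' code or the FIDO specification, and the type and function names are invented for this example. A key pair is created on the device, the private half is usable only after the local biometric match and is never transmitted, and the service stores nothing but the public key, against which it checks a signed one-time challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Authenticator models the user's phone or token (constructed for this example).
type Authenticator struct {
	Pub      ed25519.PublicKey  // the only key material the device ever sends out
	priv     ed25519.PrivateKey // generated on the device and never leaves it
	Unlocked bool               // stand-in for the fingerprint/face sensor's result
}

func NewAuthenticator() (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{Pub: pub, priv: priv}, nil
}

// Sign answers a login challenge, but only after the local biometric check passed.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	if !a.Unlocked {
		return nil, fmt.Errorf("biometric match failed: key stays locked on device")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// NewChallenge (service side) is fresh per login, so a captured signature cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// VerifyResponse (service side) checks the response against the public key stored at enrolment.
func VerifyResponse(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	a, _ := NewAuthenticator()
	a.Unlocked = true // the user taps the sensor
	ch, _ := NewChallenge()
	sig, _ := a.Sign(ch)
	fmt.Println("login ok:", VerifyResponse(a.Pub, ch, sig))
}
```

Unlike a password table, the service's store of public keys gives a thief nothing to reuse, and a signature intercepted in transit is only valid for the one challenge it answered.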

Depending on the level of security required, as measured by the sensitivity of the data being accessed, companies can also decide whether or not to integrate two-factor and multi-factor authentication. This means that additional factors will have to be validated to verify a user’s identity. They might range from single-use PINs to tokens to the source of my frustration during my island getaway: geolocation. Yes, of course I have 2FA and MFA across all my accounts and services. In this case, it was a source of major frustration that could have been avoided with a biometric solution. Thankfully, however, we can remain blissfully ignorant of how often these protocols have saved us from far more stressful and severe situations.

At the end of the day…

Users and companies have to work together to ensure data security. However, companies can meet users halfway by relying on security solutions that integrate the state-of-the-art technology that most users have, are familiar with and trust. Everyone stands to win!