There’s No Place for Passwords in the Future of Work

Everyone has probably had this experience at some point: you set up an account for a work application—and the next time you need to use it, you’ve forgotten the complex password the application required. For today’s workforce, the erosion of trust in technology starts with the unreliability of a system designed to protect our identities: passwords.

Too often, people turn to predictable or duplicate passwords, but that can put their entire organisation at risk. The simplest alternative—which also happens to be the most efficient—is no passwords at all. Or at least, as few as possible.

That’s what we explore in The Passwordless Future Report, our latest research out of the UK. To see how passwords are impacting our security, and the quality of our daily lives, Okta surveyed 4,000+ workers across the UK, France, and the Netherlands. We then partnered with Dr. Maria Bada, Research Associate at the Cybercrime Centre of the University of Cambridge, to analyse the data.

Our report found that insecure password shortcuts are costing companies. We also saw that mental health is being impacted by the pressure to remember too many passwords, and that employees across the board are ready to embrace biometrics—as long as the right trust frameworks are in place.

Bad passwords put a target on your back

So how prevalent is the problem of weak credentials? You might be surprised. 78% of our survey respondents admitted to relying on insecure methods to help remember passwords—and for workers between the ages of 18 and 34, that number climbs to 86%.

These methods include:

  • Using the same password for multiple accounts (34%)
  • Writing them down on paper (26%)
  • Typing them on their phone or computer (17%)

Moreover, the UK’s National Cyber Security Centre found that millions of people who had their emails hacked were using either their favourite soccer team or their favourite band as their password. At the same time, a staggering 23.3 million compromised accounts had used “123456” as their password, or else had sheepishly used the word “password”.

According to Dr. Bada, “Passwords tap into things that are just below the surface of consciousness. Criminals take advantage of this, and with a little research they can easily guess a password.” Word to the wise: reverse psychology doesn’t work on cyber criminals.

It’s tempting to think the odds are slim that your faulty credentials could actually compromise your organisation’s security—but threat actors are at large, and Verizon’s 2018 Data Breach Investigations Report shows that 81% of hacking-related breaches were the result of weak, stolen, or reused passwords. On average, each stolen credential costs an organisation $148, which is bad enough. But a large scale data breach averages $3.86 million, and that can cost employees in the long-run as well.

Remembering too many passwords poses a mental health risk

In today’s knowledge economy, employees have enough on their minds, and keeping track of numerous passwords has become the proverbial straw that breaks the camel’s back. People have to manage an average of ten passwords each day, and they tend to forget three every month.

For 63% of our respondents, this trend elicits strong negative emotions that take a toll. 47% of workers feel annoyed or hassled by their password troubles, while 18% feel seriously stressed or worried.

“Okta’s research clearly showed that employees can experience negative emotions and stress due to forgetting a password and that can impact not only their career but also their emotional health. And this is not due to forgetting a password but due to using an insecure method to remember passwords,” says Dr. Bada.

With the potential of instigating mental breakdowns or burnout in employees, these trends also open the possibility of cyber security breaches: as workers are overwhelmed by keeping track of their credentials, they overlook proper protocols. Our research shows that on average, work passwords are changed just three times a year, while other crucial logins such as bank accounts, phone PINs, personal email, and social media accounts are only changed once annually.

So if passwords are out...what’s next?

As organisations look to further secure workforce and customer identities, there are a number of passwordless solutions that are hitting the scene, with biometrics leading the way.

In our report, a staggering 70% of respondents are either considering or currently using biometric data in their personal life. This is highest in France (78%) and with 18 to 34-year-olds across all regions (81%). Almost one-third of respondents feel that biometric technology could make their day-to-day life easier or reduce their stress and anxiety levels in the workplace.

With all that said, 86% of respondents still have some reservations about sharing biometrics with their employers. This shows us that workers are ready for the ease of use that comes with biometrics, but do not trust organisations to protect their data or to be able to implement the process effectively.

“Biometric technology can be promising in creating a passwordless future,” according to Dr. Bada, but “it's essential to create an environment of trust, while ensuring privacy and personal data protection.’’ To gain employee buy-in, organisations need to be ready to educate their employees on how biometrics can be secured and made inaccessible to employers and external parties.

 

As Todd McKinnon, our CEO and co-founder has said, “At Okta, we believe deeply in the potential for technology, and that for organisations of all sizes and industries attempting to become technology companies, trust is the new frontier. Today, businesses need to adopt technology that enables them to innovate quickly, while prioritising the security, privacy, and consent controls that help them to be trusted.”