The inevitable prompt comes when users least expect it: "Your password has expired and must be changed." Systems demand login credential updates, forcing users to come up with new passwords on the fly, often just a character or two off from the original.
Conventional password rules trace back to a 2003 National Institute of Standards and Technology recommendation calling for a mix of uppercase and lowercase letters, numbers and a special character, along with routine changes.
That guidance is at the root of much user frustration: employees are quick to bemoan company and vendor policies that force a new password every 90 days. Many users have turned to password managers to ease the burden of maintaining unique credentials for dozens of accounts.
But for every tool adopter there are a handful of users still reliant on writing down passwords or repeating credentials across accounts.
Even the author of those recommendations has since said he partly regrets them.
NIST has since revised its guidance: it now favors long passphrases over character-mix rules, calls for screening new passwords against lists of known-compromised ones, and requires a change only when there is evidence of compromise. Meanwhile the security industry is working to move beyond passwords altogether.
A passwordless future would place the onus of securing identities on biometrics and behavioral insights, rather than words, numbers, characters and phrases.
Self-service turns to personal identifiers
Traditional password management models have relied on user self-service. If an individual is locked out of an account, knowledge-based questions (whose answers are often as discoverable as the password itself) are used to validate identity and reset the credentials.
But users have scores of accounts in personal and work-related environments, creating a kaleidoscope of account credentials that are difficult to navigate and challenging to remember.
To add to the complexity, a search on Have I Been Pwned will reveal whether an individual's credentials have appeared in a known breach. If they have, that is one more account whose password has to be reset to a new and unique value.
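The breach check mentioned above can be done without handing the password, or even its full hash, to the checking service. The following is an added example, not code from the article or from Have I Been Pwned: it reproduces the k-anonymity scheme the Pwned Passwords range API uses (client hashes the password with SHA-1, sends only the first five hex characters, receives every matching hash suffix with its breach count, and compares locally) against a small constructed breach corpus with made-up counts, and wraps it in a screening function in the spirit of the revised NIST guidance (minimum length plus a compromised-password check, no composition rules, no scheduled expiry). The corpus, the counts and the `range_lookup` stand-in are assumptions for this example.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List

# Constructed breach corpus standing in for the Pwned Passwords data set.
# The passwords are well-known weak choices; the counts are made up.
_BREACHED: Dict[str, int] = {
    "password": 3730471,
    "123456": 23597311,
    "letmein": 169999,
    "correct horse battery staple": 420,
}


def sha1_upper(s: str) -> str:
    """SHA-1 hex digest in upper case, the form the range API works with."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


# Simulated server side: the corpus indexed by the first five hex characters
# of each hash, which is the granularity of the real range endpoint.
_RANGE_INDEX: Dict[str, List[str]] = defaultdict(list)
for _pw, _count in _BREACHED.items():
    _digest = sha1_upper(_pw)
    _RANGE_INDEX[_digest[:5]].append(f"{_digest[5:]}:{_count}")


def range_lookup(prefix: str) -> List[str]:
    """Stand-in for GET /range/<prefix>: 'suffix:count' lines for every
    corpus hash that shares the five-character prefix."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix.upper()):
        raise ValueError("prefix must be five hex characters")
    return list(_RANGE_INDEX.get(prefix.upper(), []))


def pwned_count(password: str) -> int:
    """Client side of the k-anonymity check. Only the prefix leaves the
    client; the suffix comparison happens locally, so the service never
    learns the password or its full hash. Returns the breach count (0 = not found)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def evaluate_password(password: str) -> List[str]:
    """Screening in the style of NIST SP 800-63B: a minimum length and a
    breach check, with no composition rules and no periodic expiry.
    Returns the list of reasons to reject; an empty list means acceptable."""
    problems: List[str] = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    hits = pwned_count(password)
    if hits:
        problems.append(f"found {hits} times in breach corpus")
    return problems


if __name__ == "__main__":
    for pw in ["password", "letmein", "correct horse battery staple", "Xq7!vR2pLm9sTbZ"]:
        print(repr(pw), "->", evaluate_password(pw) or "acceptable")
```

Note that a long passphrase is rejected here not for its shape but because it appears in the corpus, which is the point of the breach check: length rules and complexity rules say nothing about whether attackers already hold the value.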
"Our passwords are out there, in the black market, on the Dark Web," said Ayan Roy, principal at EY Advisory and lead of the firm's identity and access management services. "No matter how frequently we reset passwords or how complex we make passwords, what's happening now is most of the bad guys do have access to our passwords."
A passwordless model relies on different factors, such as Touch ID and Face ID, or on continuous authentication to simplify how users interact with systems.
In the next five years, there should be no passwords, said James Stickland, CEO of Veridium. A blend of implicit and explicit forms of authentication will prove far more effective in securing people's identities.
Apple's introduction of Touch ID has primed people to use biometrics to access core applications.
Biometrics for the longest time faced adoption challenges, according to Roy. "But now with smartphones, smart devices, it is a lot easier for us to get our users to use biometrics."
Biometrics raise the bar for an attacker and give vendors room to do more behind the scenes with behavioral analysis. The caveat is that a fingerprint or face cannot be reset the way a password can, so the gain depends on the match happening on the user's device and the template never leaving it, as with Touch ID, rather than on a biometric being transmitted and stored like another shared secret.
For example, a user may log in to a system every morning around the same time and navigate to six different applications. If that same individual accesses 10 systems in a morning, the identity and access management system could flag the behavior and challenge the user by sending a one-time PIN to their device for validation. The same extra validation could be prompted when a user logs in from a new geographic location.
Having multiple factors available makes step-up authentication practical, triggered either by an anomaly or by the sensitivity of the transaction.
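The behavioral step-up described above, as an added example rather than code from the article or from any vendor it quotes: a baseline is built from a user's past access events (distinct applications per day and the countries seen), a new session is assessed against it, and a challenge is issued only when the session is anomalous or the transaction is sensitive. The one-time PIN side shows the two checks a practitioner expects of the challenge itself: the code expires and is single-use, and the server keeps only a hash of it. The access history, the "two standard deviations above the mean" threshold and the five-minute PIN lifetime are assumptions chosen for this example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    user: str
    ts: datetime
    app: str
    country: str


@dataclass
class Baseline:
    apps_per_day: List[int]  # distinct applications touched on each observed day
    countries: Set[str]      # countries the user has previously logged in from


def build_baseline(history: List[AccessEvent]) -> Baseline:
    per_day: Dict[date, Set[str]] = defaultdict(set)
    countries: Set[str] = set()
    for e in history:
        per_day[e.ts.date()].add(e.app)
        countries.add(e.country)
    return Baseline([len(apps) for apps in per_day.values()], countries)


def assess(baseline: Baseline, session: List[AccessEvent],
           sensitivity: str = "normal") -> Tuple[str, List[str]]:
    """Return ("allow" | "step_up", reasons). The thresholds are assumptions."""
    reasons: List[str] = []
    mu = mean(baseline.apps_per_day)
    sd = max(pstdev(baseline.apps_per_day), 1.0)  # floor so a flat baseline still has a band
    limit = mu + 2 * sd
    distinct = {e.app for e in session}
    if len(distinct) > limit:
        reasons.append(f"{len(distinct)} distinct apps this session, baseline mean {mu:.1f}")
    for c in sorted({e.country for e in session} - baseline.countries):
        reasons.append(f"login from unseen country: {c}")
    if sensitivity == "high":
        reasons.append("high-sensitivity transaction")
    return ("step_up" if reasons else "allow"), reasons


OTP_TTL = timedelta(minutes=5)  # assumed lifetime of a challenge


def issue_otp(now: datetime) -> Tuple[str, dict]:
    """Generate a 6-digit one-time PIN; the server record holds only its hash, expiry and use flag."""
    code = f"{secrets.randbelow(10**6):06d}"
    record = {"hash": hashlib.sha256(code.encode()).hexdigest(),
              "expires": now + OTP_TTL, "used": False}
    return code, record


def verify_otp(record: dict, submitted: str, now: datetime) -> bool:
    """Constant-time comparison; rejects expired or already-used codes."""
    if record["used"] or now > record["expires"]:
        return False
    ok = hmac.compare_digest(record["hash"], hashlib.sha256(submitted.encode()).hexdigest())
    if ok:
        record["used"] = True
    return ok


# Constructed history: five weekday mornings, six apps each, all from the US.
_APPS = ["mail", "chat", "crm", "wiki", "hr", "ticketing"]
HISTORY = [AccessEvent("alice", datetime(2019, 6, 3 + d, 8, 30 + i), app, "US")
           for d in range(5) for i, app in enumerate(_APPS)]
BASELINE = build_baseline(HISTORY)

_TODAY = datetime(2019, 6, 10, 8, 30)
SESSION_NORMAL = [AccessEvent("alice", _TODAY + timedelta(minutes=i), a, "US")
                  for i, a in enumerate(_APPS)]
SESSION_BUSY = [AccessEvent("alice", _TODAY + timedelta(minutes=i), a, "US")
                for i, a in enumerate(_APPS + ["finance", "payroll", "admin", "vault"])]
SESSION_TRAVEL = [AccessEvent("alice", _TODAY + timedelta(minutes=i), a, "DE")
                  for i, a in enumerate(_APPS)]


def otp_flow(delay_minutes: int = 0) -> List[bool]:
    """Exercise a challenge: wrong code, right code, then replay of the right code."""
    code, rec = issue_otp(_TODAY)
    wrong = "000000" if code != "000000" else "111111"
    later = _TODAY + timedelta(minutes=delay_minutes)
    return [verify_otp(rec, wrong, later), verify_otp(rec, code, later), verify_otp(rec, code, later)]


if __name__ == "__main__":
    for name, s in [("normal", SESSION_NORMAL), ("busy", SESSION_BUSY), ("travel", SESSION_TRAVEL)]:
        print(name, assess(BASELINE, s))
    print("otp flow:", otp_flow(), "after expiry:", otp_flow(delay_minutes=6))
```

The busy session trips the application-count check (10 distinct apps against a baseline of 6), the travel session trips the new-country check, and the normal session is allowed without a challenge. In a real deployment the baseline would be recomputed as sessions are approved, so a user who legitimately starts working from a new country is challenged once rather than every morning.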
Examples of biometrics are readily available in the consumer world, but companies have been slower to implement the technology. Part of the challenge is integrating it with existing ecosystems.
Corporations already have identity and access management systems and manage employee identities through user IDs and passwords, according to Stickland. If a vendor can introduce biometrics as a platform overlay without additional hardware, there will be less friction in adoption.
"If users are fundamentally the same humans that they have been for a long period of time, their intellectual mindspace hasn't gotten any bigger to remember passwords," Stickland said. "You're making the complex nature of storage and policy more complicated. How can you blend those two worlds? Simplify, but secure further."
The potential of portable identities
Part of the difficulty with identity management lies in how nearly every system requires creating an account. In response, some organizations are introducing the idea of a validated identity.
The effort is similar to the social logins encountered in the consumer realm. Users can employ Facebook, Google, Amazon or Twitter accounts to log into services across the internet.
In the same way, validated identities could work across organizations in a specific sector.
As part of a push to strengthen cybersecurity in life sciences organizations, a biopharma and healthcare industry consortium is working to create portable identities that could be used across the sector.
The National Health Information Sharing and Analysis Center (NH-ISAC) is taking requirements from members like Aetna and Merck to build an identity solution that meets all needs, which would help drive adoption, according to Roy.
The idea is an identity verified once that an individual could then present to a healthcare provider, a pharmacy or a health insurer, for example. The verified user could then approve or deny any activity on the account, with the security controls built into the solution.
The passwordless method would create an industry "ecosystem of different companies who are willing to adopt this technology because if we don't build an ecosystem, I don't think it is going to be successful," Roy said. "Adoption will continue to be a challenge."