Despite the tremendous advances over the last 30 years that have completely transformed the way we live and work, one fundamentally important technology has seen almost no change in that same time: identity. Usernames and passwords are still overwhelmingly the mechanism that’s used, despite ample evidence of their extreme weaknesses.
It's remarkable that more than thirty years into the digital age companies still struggle with something as basic as knowing who you are.
Today, passwords are overwhelmingly the way companies do it — a vestige of history (from the 1960s) that's stubbornly omnipresent despite ample evidence of their shortcomings. Passwords are often the weakest link in any organization’s security. If you enter the right combination of letters or numbers, then it must be you — or at least companies hope so.
It's no better when it comes to verifying the validity or accuracy of the identity data you provide. Companies typically ask you to fill out a form and hope that what you’ve entered is true and accurate. Where companies must be more certain — to comply with Know Your Customer (KYC) requirements, for example — you must send highly sensitive personal information via email or present IDs in person before they give you an account (and a password to protect it), creating a great deal of friction in the process that they hope doesn't deter you from becoming a customer.
As our lives have moved online, password sprawl has become a real problem. Employees at large organizations have an average of 25 passwords to remember – even with a single sign-on (SSO) solution in place – and those at small and medium enterprises have 85.
As a result, people often create simple, easy-to-guess passwords, including "password" and "123456", and reuse the same password across multiple sites, leaving all accounts vulnerable if just one is breached.
To combat this, many companies now require users to create complex passwords and to change them frequently — making them even more difficult to remember. Even so, phishing and other social engineering attacks still frequently expose them.
MFA solutions designed to address these weaknesses are costly and cumbersome, and those that rely on texting have now been compromised through mobile phone hijacking.
The costs associated with these weaknesses are staggering. Help desk costs for password resets routinely exceed a million dollars each year, not including lost employee productivity or missed customer sales. The cost of a data breach can be crippling, as are the costs of compliance mandates tied to protecting identity data.
There has to be a better way. Thankfully, there now is.