Okta pinpoints passport to passwordless programming

Developers care about system, software and device passwords — a secure approach to password integrity and protection is part and parcel of what they do… and is a key part of the programmer psyche.

At the same time, developers bemoan and lament users’ inability to lock down machines and application access properly — nobody needs reminding just how many of us have used 12345678 as a means of access and entry to our favourite technologies.

So where should programmers stand on password use and what kind of stipulations, provisions and protections should they be building into the applications, databases and wider systems that we use every day?

Enterprise identity management company Okta says that developers can find key pointers in its first ever Passwordless Future Report, which is issued this month.

The survey has suggested the degree to which the use of passwords negatively impacts both a) the security of organisations and b) the mental health of employees.

The research contacted 4,000+ workers across the UK, France and the Netherlands. It found that there is a readiness for passwordless security methods such as biometrics, with 70% of workers believing biometrics would benefit the workplace.

Build for biometrics

So are programmers thinking about new programming methods which bring these newer technologies to the fore in the apps they are building for tomorrow?

Sami Laine, director of technology strategy at Okta, says that developers should be concerned about the pressure and frustration that passwords cause users, as shown by this research.

“It’s more important than ever to provide a consistent and streamlined experience to end users, especially if you have multiple apps and sites that the customers may interact with. It is no longer acceptable to have multiple identity silos resulting in users having multiple passwords – a unified login experience is paramount,” said Laine.

He explains that developers should always first consider using a flexible customer identity platform that can handle all aspects, from registration and progressive profiling to authentication and authorisation.

“Developers of consumer-facing apps now have more choice, including new social authentication options such as Sign In with Apple that offers users more privacy controls,” added Okta’s Laine.

Okta’s Passwordless Future Report suggests:

• 78% of all respondents admit to using insecure methods to help them remember passwords
• 69% of UK workers feel stressed or annoyed as a result of forgetting a password, a worrisome statistic considering the importance of mental health in the workplace
• Three in five workers say they would benefit from biometrics in the workplace, but 86% have some reservations about sharing biometrics with employers

The majority of hacking-based breaches are a result of reused, stolen or weak passwords. Okta’s research found that in total, 78% of respondents use an insecure method to help them remember their password, and this rises to 86% among 18- to 34-year-olds.

Some of these memory aids include:

• 34% use the same passwords for multiple accounts
• 26% write them down on paper
• 17% type them on their phone or computer
• 6% use well-known passwords

“Passwords are often quite revealing. They are created on the spot, so users might choose something that readily comes to mind or something with emotional significance. Passwords tap into things that are just below the surface of consciousness. Criminals take advantage of this and with a little research they can easily guess a password,” said Dr. Maria Bada, research associate, Cambridge University.

Okta CEO: passwords ‘failed us’

There are potential lessons here for programmers and developers: Okta CEO Todd McKinnon has said openly that his firm believes passwords have ‘failed us’ as an authentication factor and that enterprises need to move beyond their reliance on this ineffective method.

McKinnon claims that in 2019, we will see the first wave of organisations going completely passwordless. It may be time to start programming with new layers of authentication and identity control.