Logging In Sucks!


Hey folks, welcome back to all the reasons that passwords suck.

This time we're talking about login. Again, standard login screen. Could be a web app, mobile app, whatever. There's a password. All right. What's wrong with this password? You use their presumably created a remember it, right? Actually no! Forgetting passwords is super common.

Now, you might say OK, for security reasons we're going to limit it to three attempts or otherwise you have to call support, which increases your operational costs from password resets, and your users typically don't like doing that unless it's a last resort. Or you might say, you know what, I'm going to help you out. I'm going to send you a one-time password or I'm going to send you a push notification, right? And that's great. Except both of these are phishable factors and require a second device, which again, all of the friction points leads to user drop-off. And if a user drops off at login, user engagement, and retention rates, typically go down, which hurts business revenue.

On the security side, the password actually isn't offering all that much protection. As we mentioned in our registration video, it's a shared secret which means that the password can be written on a sticky note. Plus the password is stored in your database. Both of these are vulnerable to attacks, right? In addition, here attackers can run credential stuffing attacks. Here is a bot. They can run bot attacks against this password field. Running thousands and thousands of variations to attempt to crack this account. Plus you could run into rainbow table attacks. You could run into notification flooding attacks with these methods. All of that leads to account takeover fraud. Now this cost companies millions of dollars per year.

And the problem is, trust is earned, but is easily lost. So the long time of erosion of brand trust actually goes beyond the immediate remediation costs, and can really eat into your company's long-term revenue and revenue growth. All that to say eliminating, the password means, nothing to attack. Bots cannot attack something that, or try to credential stuff a field that doesn't exist. Users no longer need to remember anything. They don't need a second device because this is all conducted via asymmetric cryptography with a private key in the secure enclave of their device. That eliminates shared secrets, and in doing, so you can actually eliminate account takeover fraud.

So, if you want this future for your users, where there's no password nothing to remember nothing, no second devices to pick up, plus there's no risk of account takeover fraud, you can visit us and learn more or contact us for a demo at www.beyondidentity.com.