Expensify Forces Passwordless on its users and good for them

For the past ten years, my company has used three very popular customer relationship management, accounting, and office collaboration systems. And security hasn’t changed in the last decade. We still use passwords.

And this is a problem. I keep highly confidential and important information in our systems. My employees make up their own passwords, but we all know how bad we are at coming up with unique passwords, let alone changing them, let alone remembering what we changed them to. I have a password vault, but those platforms sometimes worry me because they have a history of being hacked, which is not very safe. Google and Microsoft have their own password managers, but these also don’t seem very secure, as they are device controlled, and if someone steals a device, well, that’s a problem.

And yes, many applications now give us the “options” to use a fingerprint or facial recognition and multi-factor authentication. But none of this is required and for me it is difficult to enforce. So I literally let people log into my accounting system over airport Wi-Fi with 123456 as their password. This is not very safe. I know this and I hate it. But there is a better way.

Expensify – a popular expense management platform – recently introduced a “passwordless” security procedure. The company’s founder David Barrett likes to use the popular phrase that describes this method of security – “magic links” – when describing their new protocol, but I think he’s just doing it because he’s always been a showman. There’s really nothing magical about it.

In a recent blog post, Barrett describes the new procedure for Expensify’s users, which is actually quite simple. Instead of entering a username and password, a user enters their email address or phone number; a one-time, auto-generated, unique “magic link” (or code) is sent via email or text, and you’re in. Two-factor authentication and other advanced security options are still available on top of this procedure for those who want them.

“Any way you look at it, passwords are a poor solution to an important problem,” Barrett wrote in a recent blog post. “It’s been over a century since speakeasies stopped using passwords in the Prohibition era of 1920. It’s been a long time since we stopped using them to secure our most important financial data.”

Passwordless security is not innovative. It’s not new. It’s not unique to Expensify. But this form of access will soon become the standard. That’s because big tech is all-in.

Earlier this month Apple, Google and Microsoft jointly announced their plans to expand passwordless login for their websites and applications. They will use a standard created by the FIDO Alliance (an association of security companies that develops and promotes authentication standards) and the World Wide Web Consortium.

As with anything in the world of technology, passwordless security has some flaws. Some experts warn of “interceptor bots” that can grab links as they are sent from the server that generates them. If someone hacked into your email or spoofed your wireless provider, it would be easy for them to get the magic link. I’m sure future hackers will come up with all sorts of ways to compromise systems without a password.
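The issue-and-redeem flow described above, written out as an added example (this is not Expensify’s code; the page does not show their implementation). It assumes an in-memory store, a made-up base URL of `https://app.example.test/login`, and a ten-minute link lifetime. It also shows the server-side controls that limit what an intercepted link is worth: the token is hashed before it is stored, it expires, it works exactly once, and issuing a fresh link supersedes any earlier link for the same address.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlparse

# Assumed policy: a link is valid for ten minutes after it is sent.
TOKEN_TTL_SECONDS = 600


@dataclass
class PendingLogin:
    identifier: str    # email address or phone number the link was sent to
    expires_at: float  # absolute time after which the link is dead
    used: bool = False


class ManualClock:
    """Adjustable clock so expiry can be exercised without sleeping."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


class MagicLinkService:
    def __init__(self, base_url: str = "https://app.example.test/login",
                 ttl: float = TOKEN_TTL_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        # Keyed by SHA-256 of the token: a leaked table does not yield usable links.
        self._pending: Dict[str, PendingLogin] = {}
        self._base_url = base_url
        self._ttl = ttl
        self._clock = clock

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, identifier: str) -> str:
        """Create a single-use link for `identifier`; caller emails/texts it."""
        # A newer link supersedes older ones, so a stale intercepted link is useless.
        self._pending = {k: v for k, v in self._pending.items()
                         if v.identifier != identifier}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._hash(token)] = PendingLogin(
            identifier=identifier, expires_at=self._clock() + self._ttl)
        return f"{self._base_url}?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the identifier the link proves control of, or None."""
        record = self._pending.get(self._hash(token))
        if record is None or record.used:
            return None
        if self._clock() > record.expires_at:
            del self._pending[self._hash(token)]
            return None
        record.used = True  # second presentation of the same link fails
        return record.identifier


def token_from_link(link: str) -> str:
    """Extract the token the client would present when it follows the link."""
    return parse_qs(urlparse(link).query)["token"][0]


def demo() -> Dict[str, Optional[str]]:
    """Exercise the happy path plus the three failure modes; returns outcomes."""
    clock = ManualClock()
    svc = MagicLinkService(clock=clock)
    out: Dict[str, Optional[str]] = {}

    link = svc.issue("alice@example.test")
    tok = token_from_link(link)
    out["first_use"] = svc.redeem(tok)    # "alice@example.test"
    out["replay"] = svc.redeem(tok)       # None: link already consumed

    tok2 = token_from_link(svc.issue("bob@example.test"))
    clock.now += TOKEN_TTL_SECONDS + 1
    out["expired"] = svc.redeem(tok2)     # None: past the ten-minute window

    old = token_from_link(svc.issue("carol@example.test"))
    new = token_from_link(svc.issue("carol@example.test"))
    out["superseded"] = svc.redeem(old)   # None: a newer link replaced it
    out["latest"] = svc.redeem(new)       # "carol@example.test"
    out["garbage"] = svc.redeem("not-a-token")  # None: unknown token
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The hashing, expiry and single-use checks are what make an intercepted link a narrow window rather than a standing credential; a real deployment would back `_pending` with a database and rate-limit `issue` per address so the email or SMS channel cannot be used to flood a user.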

But if there’s one thing I’ve learned from working in this business for over 20 years, it’s that there’s no perfect security solution. However, logging in without a password is better than what we are doing now. So for me it’s not going fast enough, and I’m afraid these companies won’t be strong enough about it. At least not as strong as Expensify.

That’s because Expensify does what all other application providers should do: enforce passwordless access on its users. No choices and no options – except options to add additional layers of security if desired. Of course, users will grumble because no one likes change. But come on… this isn’t that hard and won’t take you long to learn.

As a business owner, you should talk to your IT consultants and managed service providers about implementing passwordless security on your network and require your business application providers to do the same. If you want to set this up yourself, Hitesh Sant from Geekflare offers a great list of passwordless platform providers here.

Then do what Expensify does: force it on your users. It’s tough love and in everyone’s best interest.