Will Organizations Move Beyond Passwords in 2020?
Passwords have always been a weak link in security, but people are so used to them that getting them to change to a more secure form of authentication has been a challenge. The shift, however, is finally happening, with more people flocking to online services and working remotely because of the COVID-19 pandemic. Experts believe that, to reduce the risk of breaches from compromised credentials, many organizations will adopt passwordless authentication methods, such as biometrics like fingerprints or eye scans, in the coming months.
From a security point of view, poor passwords and credential theft are involved in at least 80% of hacking incidents, according to a Verizon Data Breach Investigations Report. And with many employees working from home, whether temporarily for the long term or permanently, the risk of a password-caused breach increases. As more organizations extend work-from-home policies for the long term, many also see passwordless as improving the user experience for their customers.
Gartner researchers see the push already happening, albeit slowly, and expect it to pick up pace in the coming months. With users wanting less friction in their interactions with a company, such as having to remember unique passwords, a Gartner report predicts that 60% of enterprises and 90% of midsize businesses will move to passwordless authentication by 2022.
While eliminating passwords has been a long-standing goal, it is finally seeing real traction in the marketplace, believes Ant Allan, Vice President Analyst, Gartner. “By 2022, Gartner predicts that 60% of large and global enterprises and 90% of midsize enterprises will implement passwordless methods in more than 50% of use cases,” she said.
Going for a passwordless future
By turning to passwordless authentication, organizations decrease the risk of overused passwords being compromised and the risk of a data breach. Also, as more companies undergo digital transformation, passwordless improves security and efficiency across multiple devices. This is essential in a work-from-home environment.
Passwordless authentication, by its nature, eliminates the problem of using weak passwords. It also offers benefits to users and organizations. For users, it removes the need to remember or type passwords, leading to better user experience and customer experience. For organizations, there’s no longer a need to store passwords, leading to better security, fewer breaches and lower support costs.
“Passwords lead to maximum cases of data breaches and hence are no longer the primary method of authentication. Hence, it is important to employ a Multifactor Authentication approach for all their devices,” said Vikas Bhonsle, CEO at Crayon Software.
Biometric authentication, such as Touch ID, is a common way of going passwordless. Other options include passwordless knowledge methods, such as pattern-based, one-time password methods; tokens, including phone-as-a-token modes, as a single factor; and Fast Identity Online (FIDO) Universal Authentication Framework (UAF), which enables passwordless authentication through a method local to a person’s device. Current mainstream strong authentication solutions are two-factor authentication or multi-factor authentication solutions that add some kind of token to an existing password.
Gurpreet Singh, Managing Director at Arrow PC Network, agrees that passwords have become passé. “Multifactor authentication helps to minimize the impact of stolen credentials. Though education and training are important in raising employee awareness, putting effective tools in place – like a password manager and multi-factor authentication – ensures that best practices are default and embedded into the company’s security culture,” he said.
Not without risks
Passwordless authentication comes with its own security risks, and there are ways in which even the most seemingly secure methods of authentication can be compromised. For example, hackers can reproduce fingerprints on prosthetic fingers or gloves, digitally reconstruct faces, and hijack SMS-based and email-based authentication, as has been seen in the past. As Singh believes, it is up to companies to keep employees’ and customers’ security among their highest priorities and to do their best to secure user data with best practices. Also, at the end of the day, users are the ones who are responsible for how they use and store their data.
Moreover, Gartner analysts stated that ‘passwordless’ isn’t a panacea for every authentication need. For instance, some applications, like a financial account or highly sensitive data, should still require multifactor authentication, with one of the factors being a password.
So, even though it’s not always possible to completely eliminate passwords from legacy implementations, experts recommend that organizations move beyond passwords alone to more robust authentication methods that allow a better user experience for remote workers while keeping their networks and data more secure.