COVID-19 Could Catalyze Passwordless Authentication

Passwords have always been a weak link in security, but people are so used to them that getting them to change to a more secure form of authentication has been a difficult task. Could COVID-19 be the catalyst that ends up ushering in passwordless access?

The push is slowly happening. Gartner predicts that 60% of enterprises and 90% of midsize businesses will move to passwordless authentication by 2022. Although it has been discussed as an option for years, there has been an uptick in interest in the technologies since 2018, according to Ant Allan, Gartner vice president analyst.

Many organizations see passwordless as improving the user experience for their customers. Users want less friction in their interaction with a company; having to remember unique passwords is an inconvenience. Consumers will go where they have the easiest transaction experience.

The good thing about passwordless is that it offers choice, said Rob Otto, field CTO with Ping Identity, in a recent webinar. Passwords are not only the lowest common denominator solution, they are almost always the only solution.

With passwordless, users can choose the option that works best for them, such as FIDO, soft tokens via mobile or a text message, to name a few. (Although Otto did warn that the SMS option is the least secure of all passwordless authentications, yet it is the most popular because mobile phones are handy and familiar.)

Remote Workers and Risky Password Use

From a security point of view, poor passwords and credential theft are involved in 80% of hacking incidents, according to the Verizon Data Breach Investigations Report. And with many employees working from home, either long-term temporarily or permanently, the risk of a password-caused breach increases. CyberArk looked at the habits of the remote workforce in a new study and found that convenience outweighs security, especially for parents juggling childcare, schooling and work responsibilities. Convenience means using the same password, with 93% admitting they reuse their password over numerous applications, devices and accounts, and 37% saying they just save their passwords in their browsers when using their corporate device.

“As more organizations extend work-from-home policies for the long-term, it’s important to capture lessons learned from the initial phases of remote work and shape future cybersecurity strategies that don’t require employees to make tradeoffs that could put their company at risk,” CyberArk’s CMO Marianne Budnik said in a formal statement.

By turning to passwordless authentication, organizations decrease the risk of those overused passwords being compromised and the risk of a data breach. Also, as more companies make the digital transformation—a must in a WFH environment—passwordless improves security and efficiency over multiple devices.

Passwordless Means More Secure Connections

If passwordless authentication is supposed to improve the customer experience, it should also be used to promote an easier and more secure user authentication for remote workers.

That’s the opinion of Frank Dickson, a program vice president with IDC, who points out that passwordless makes it easier to access business cloud applications directly and securely while bypassing the need for VPNs and network connections. “By going with passwordless authentication, I give users a better experience, deliver greater security, and decrease the number of people I have accessing the network,” he said in an interview with Dark Reading.

COVID-19 showed many IT workers another reason to advocate for passwordless authentication. Many companies use password systems that automatically expire passwords after a specific time period—normally 30 or 60 days. Furloughed workers returned to their offices to find they couldn’t log in because their password expired, overwhelming IT departments with resets.

Passwordless authentication is a positive step forward for WFH security and protecting corporate data, but as Otto stated, it isn’t a panacea for every authentication need. Some apps are higher risk, he said, and shouldn’t have passwordless, at least not as a standalone authentication source. Some applications, including anything connecting to a financial account or highly sensitive data, should still require 2FA or MFA, and yes, one of those can be a password. But overall, passwordless authentication will allow a better user experience for remote workers while keeping the network and data more secure.


Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
