The past year has put digital identity challenges, security and passwords under scrutiny. This report explains why passwordless is the future.
Passwords are deeply ingrained in all aspects of our digital reality. A year ago, NordPass estimated that the average person had 70 to 80 passwords. And yet, password compromises and shared secrets remain the number-one cause of hacking-related breaches. Now, with the COVID-19 pandemic driving the rapid shift to remote work, coupled with the cybersecurity pressures following a slew of significant cyberattacks in 2020, the urgency to move away from passwords has never been greater.
Organizations are being forced to look closely at password authentication: to justify the costs associated with password support, to reevaluate the impact on user experience and, most importantly, to ask whether the password is truly doing what it is intended to do – protect the organization from an online attack. Most quickly realize that, no, passwords are antiquated, are a major cause of frustration and, ironically, are risk drivers.
Today, organizations are moving towards passwordless authentication, using technologies such as biometric signatures, hardware tokens, cryptographic keys or PINs to verify users. In a recent report by LastPass, 92% of businesses said they believe passwordless authentication is the future. In May 2020, Microsoft said more than 150 million people were using passwordless login on Windows every month.
A recent report from HYPR and Cybersecurity Insiders, “The 2021 State of Passwordless Security,” uncovers the key drivers and barriers to passwordless adoption and organizations’ technology preferences. The report surveyed 425 information technology professionals, representing a cross section of organizations of varying sizes across multiple industry verticals, globally, and draws on data from Cybersecurity Insiders’ 500,000-member community. The findings shed light on the significant shifts forced by the COVID-19 pandemic and the sudden move to remote work, and provide insight into how organizations are grappling with ensuring their password security protocols are effective, especially given the increase in cyberattacks. In fact, the FBI reported up to 4,000 new cybersecurity complaints per day, a 400% increase after the onset of the pandemic – and that was only one month after COVID-19 was officially declared a global pandemic.
Security Teams Prioritizing Usability
Credential attacks remain the number-one driver of passwordless adoption, according to more than 90% of survey respondents; yet, 64% cite user experience as the reason they’re eliminating the password. It isn’t groundbreaking news that organizations are extremely worried about potential hacks, but the focus on user experience is fascinating. It isn’t often that the security industry prioritizes the end user, so this is an interesting trend to watch.
PUSH Attacks are on the Rise
Once praised as the most favorable and mainstream multi-factor authentication (MFA) method, PUSH notifications are now increasingly being exploited by attackers. One in ten survey respondents encountered PUSH attacks, while nine in ten continue to combat phishing attacks on a regular basis.
Shared Secrets Should Not Be Shared
The survey revealed that one-time passwords and secret sharing are no longer considered “secure,” with 96% of security practitioners working to eliminate secrets-based authentication. In recent years, the use of secret sharing has come under fire, with hackers repeatedly finding their way around password-based multi-factor authentication (MFA) and regulators pushing to deprecate its usage. That means that the billions of one-time passwords (OTPs), two-factor PINs and SMS-based authentications that happen daily will fade into obscurity. All of these methods, once considered table stakes for multi-factor authentication, are now on their way out, to be replaced with next-gen, passwordless methods that do not rely on a shared secret.
Smartphones and Standards
Seventy-three percent of respondents believe smartphones are the most convenient method of authentication, while a whopping 94% want to take a standards-based approach to eliminating passwords. Considering how many proprietary passwordless approaches are out there, it is encouraging to see the emphasis on interoperability. In early 2020, Apple joined category leaders such as Google, Microsoft, Samsung and Mastercard as a Fast Identity Online (FIDO) board member. In doing so, Apple made passwordless authentication capabilities accessible to billions of iPhone users by implementing FIDO standards across its iOS and Safari ecosystems.
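The two sections above contrast shared-secret methods (OTPs, PINs, SMS codes) with standards-based public-key authentication (FIDO). The following Go program is an added illustration written for this page, not code from HYPR, Cybersecurity Insiders or the FIDO Alliance. It computes an RFC 4226 HOTP exactly as a token or app would, shows that the relying party's check accepts a valid code no matter which site the user typed it into, and then shows a simplified FIDO-style assertion in which the authenticator signs the challenge together with the origin it actually connected to, so the same relayed assertion is rejected. The origin `https://bank.example`, the look-alike origin, and the `assertionMessage` layout are constructed assumptions; real WebAuthn signs `authenticatorData || SHA-256(clientDataJSON)`, which carries the origin the same way.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp computes a 6-digit RFC 4226 HOTP value. Both the user's authenticator
// and the server must hold `secret`: it is a shared secret by design.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	truncated := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", truncated%1000000)
}

// verifyOTP is the relying party's check. It has no way of knowing who typed
// the code or on which page it was typed, only whether the digits match.
func verifyOTP(serverSecret []byte, counter uint64, submitted string) bool {
	return hmac.Equal([]byte(hotp(serverSecret, counter)), []byte(submitted))
}

// phishedOTPAccepted models a real-time relay: the user enters a valid code on
// a look-alike page, whose operator forwards it to the genuine site before it
// expires. It returns true because verifyOTP cannot tell a relayed code from
// one entered directly; this is the weakness the report is describing.
func phishedOTPAccepted(secret []byte, counter uint64) bool {
	code := hotp(secret, counter) // produced by the user's token or app
	relayed := code               // captured by the look-alike page and forwarded
	return verifyOTP(secret, counter, relayed)
}

// assertionMessage is what the FIDO-style authenticator signs in this model:
// the server's random challenge bound to the origin the client is really on.
func assertionMessage(challenge []byte, origin string) []byte {
	msg := append([]byte{}, challenge...)
	return append(msg, []byte(origin)...)
}

// verifyAssertion is the relying party's check. The server stores only the
// public key, and it verifies against its OWN origin, not whatever origin the
// client may claim.
func verifyAssertion(pub ed25519.PublicKey, challenge []byte, rpOrigin string, sig []byte) bool {
	return ed25519.Verify(pub, assertionMessage(challenge, rpOrigin), sig)
}

// rpOrigin is a constructed relying-party origin for this illustration.
const rpOrigin = "https://bank.example"

// assertionScenario registers a fresh key pair, issues a random challenge,
// has the authenticator sign it for the origin the browser is actually on
// (clientOrigin), and reports whether the genuine relying party accepts it.
func assertionScenario(clientOrigin string) (bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	sig := ed25519.Sign(priv, assertionMessage(challenge, clientOrigin))
	return verifyAssertion(pub, challenge, rpOrigin, sig), nil
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 test secret
	fmt.Println("HOTP(counter=0):", hotp(secret, 0))
	fmt.Println("relayed OTP accepted by server:", phishedOTPAccepted(secret, 7))
	ok, _ := assertionScenario(rpOrigin)
	fmt.Println("assertion from genuine origin accepted:", ok)
	ok, _ = assertionScenario("https://bank-login.example") // constructed look-alike
	fmt.Println("assertion relayed from look-alike origin accepted:", ok)
}
```

The point for a defender is that the OTP server's only input is a string of digits that anyone holding them can replay within the validity window, whereas the public-key check fails closed when the origin the user saw differs from the origin the server expects, and the server never holds anything that could be stolen and reused as a credential.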
One Passwordless Login, Many Identities
User authentication and identity have always been tightly coupled, but that’s rapidly changing. Users have numerous login methods to choose from, while their service providers struggle to maintain multiple identity stores. Sixty-five percent of respondents already use or expect to have multiple identity providers in their organization. Identity fragmentation has been a pain point for businesses, and modern passwordless authentication presents an interoperable solution for simplifying the login experience. This observation fits well within the broader trend of organizations decoupling authentication from identity providers in an effort to reduce identity turmoil and MFA fatigue.
Passwordless is Becoming a Game of Catch-Up
The World Economic Forum ranks cyberattacks first among global human-caused risks and predicts that by 2021, cybercrime will cost the world $11.4 million each minute. Organizations of all sizes are realizing that passwords are an archaic component of security, and their extinction is being accelerated by the shift to remote work; many organizations already had clear project plans and use cases defined in 2020.
Today, the question is no longer whether to consider passwordless MFA, it’s “How far along are we in our deployment?” It’s no longer about staying ahead of the curve, but about playing catch-up, as adoption is moving faster than originally predicted.