Going Passwordless: Cybersecurity for the New Decade

The past year has put digital identity challenges, security and passwords under scrutiny. This report explains why passwordless is the future.

Passwords are deeply ingrained in all aspects of our digital reality. A year ago, NordPass estimated that the average person had 70 to 80 passwords. And yet, password compromises and shared secrets remain the number-one cause of hacking-related breaches. Now, with the COVID-19 pandemic driving the rapid shift to remote work, coupled with the cybersecurity pressures following a slew of significant cyberattacks in 2020, the urgency to move away from passwords has never been greater.

Organizations are being forced to look closely at password authentication: to justify the costs of password support, to reevaluate the impact on user experience and, most importantly, to determine whether the password is truly doing what it is intended to do – protect the organization from an online attack. Most quickly realize that, no, passwords are antiquated, a major cause of frustration and, ironically, a risk driver.

Today, organizations are moving towards passwordless authentication, using technologies such as biometric signatures, hardware tokens, cryptographic keys or PINs to verify users. In a recent report by LastPass, 92% of businesses believe passwordless authentication is the future. In May 2020, Microsoft said more than 150 million people were using passwordless login on Windows every month.

A recent report from HYPR and Cybersecurity Insiders, “The 2021 State of Passwordless Security,” uncovers the key drivers and barriers to passwordless adoption and organizations’ technology preferences. The report surveyed 425 information technology professionals, representing a cross section of organizations of varying sizes across multiple industry verticals, globally, as well as data from Cybersecurity Insiders’ 500,000-member community. The findings shed light on the significant shifts forced by the COVID-19 pandemic and the sudden move to remote work, and provide insight into how organizations are grappling with ensuring password security protocols are effective, especially with the increase in cyberattacks. In fact, the FBI reported up to 4,000 new cybersecurity complaints per day, a 400% increase after the onset of the pandemic – and that was only one month after COVID-19 was officially declared a global pandemic.

[Figure: 2021 State of Passwordless Security]

Security Teams Prioritizing Usability

Credential attacks remain the number-one driver of passwordless adoption, according to more than 90% of survey respondents; yet, 64% cite user experience as the reason they’re eliminating the password. It isn’t groundbreaking news that organizations are extremely worried about potential hacks, but the focus on user experience is fascinating. It isn’t often that the security industry prioritizes the end user, so this is an interesting trend to watch.

PUSH Attacks are on the Rise

Once praised as the most favored and mainstream multi-factor authentication (MFA) method, PUSH notifications are now increasingly being exploited by attackers. One in 10 survey respondents encountered PUSH attacks, while nine in 10 continue to combat phishing attacks on a regular basis.
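The PUSH attacks the section refers to, in which someone who already holds a user's password triggers prompt after prompt until one is approved, leave a footprint in MFA logs: a burst of prompts to one user, mostly denied or timed out, sometimes followed by an approval. The following detection, an added example rather than anything from the HYPR report, runs that check over a constructed log. The three-field line format, the result vocabulary (`sent`, `approved`, `denied`, `timeout`), the five-minute window and the threshold of three prompts are all assumptions; real products log differently and a tuned threshold belongs in the SIEM rule.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// PushEvent is one parsed line of a constructed MFA push-notification log.
// The "<RFC3339 time> <user> <result>" layout is assumed for this example,
// not taken from any vendor's real schema.
type PushEvent struct {
	At     time.Time
	User   string
	Result string // sent | approved | denied | timeout
}

// sampleLog is constructed data: bob receives a burst of prompts he did not
// request and finally approves one; alice and carol show normal use.
const sampleLog = `2021-03-02T08:00:05Z alice sent
2021-03-02T08:00:09Z alice approved
2021-03-02T22:14:01Z bob sent
2021-03-02T22:14:31Z bob timeout
2021-03-02T22:14:40Z bob sent
2021-03-02T22:14:52Z bob denied
2021-03-02T22:15:10Z bob sent
2021-03-02T22:15:41Z bob timeout
2021-03-02T22:16:02Z bob sent
2021-03-02T22:16:20Z bob denied
2021-03-02T22:16:45Z bob sent
2021-03-02T22:16:58Z bob approved
2021-03-02T09:30:00Z carol sent
2021-03-02T09:30:12Z carol approved`

// parseLog turns the raw text into events, skipping blank lines.
func parseLog(raw string) ([]PushEvent, error) {
	var events []PushEvent
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		events = append(events, PushEvent{At: at, User: f[1], Result: f[2]})
	}
	return events, sc.Err()
}

// Finding describes a user whose prompt volume exceeded the threshold.
type Finding struct {
	User           string
	PromptsInBurst int  // most prompts seen inside one window
	ApprovedAfter  bool // an approval landed after the burst: treat as likely compromise
}

// FindPushFloods flags users sent at least threshold prompts inside any window
// of the given length. Prompts are counted rather than denials because the
// defender's signal is the volume of prompts the user never asked for.
func FindPushFloods(events []PushEvent, window time.Duration, threshold int) []Finding {
	byUser := map[string][]PushEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	var out []Finding
	for user, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		var sent []time.Time
		for _, e := range evs {
			if e.Result == "sent" {
				sent = append(sent, e.At)
			}
		}
		best, burstEnd := 0, time.Time{}
		for i := range sent { // sliding window anchored at each prompt
			j := i
			for j+1 < len(sent) && sent[j+1].Sub(sent[i]) <= window {
				j++
			}
			if n := j - i + 1; n > best {
				best, burstEnd = n, sent[j]
			}
		}
		if best < threshold {
			continue
		}
		f := Finding{User: user, PromptsInBurst: best}
		for _, e := range evs {
			if e.Result == "approved" && !e.At.Before(burstEnd) {
				f.ApprovedAfter = true
			}
		}
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].User < out[j].User })
	return out
}

func main() {
	events, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range FindPushFloods(events, 5*time.Minute, 3) {
		fmt.Printf("user=%s prompts_in_5m=%d approved_after_burst=%v\n", f.User, f.PromptsInBurst, f.ApprovedAfter)
	}
}
```

On the constructed log this reports only `bob` (five prompts in five minutes, with an approval after the burst). The `ApprovedAfter` flag is the case to page on: the burst alone means the password is already known to someone else, and an approval after it means the second factor has been talked past as well.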

Shared Secrets Should not be Shared

The survey revealed that one-time passwords and secret sharing are no longer considered “secure,” with 96% of security practitioners working to eliminate secrets-based authentication. In recent years, the use of shared secrets has come under fire, with hackers repeatedly finding their way around password-based multifactor authentication (MFA) and regulators pushing to deprecate their use. That means that the billions of one-time passwords (OTP), two-factor PINs and SMS-based authentications that happen daily will fade into obscurity. All of these methods, once considered table stakes for multifactor authentication, are now on their way out, to be replaced with next-gen, passwordless methods that do not rely on a shared secret.

Smartphones and Standards

Seventy-three percent of respondents believe smartphones are the most convenient method of authentication, while a whopping 94% want to take a standards-based approach to eliminating passwords. When considering how many proprietary passwordless approaches are out there, it is encouraging to see the emphasis on interoperability. In early 2020, Apple joined category leaders such as Google, Microsoft, Samsung and Mastercard as Fast Identity Online (FIDO) board members. In doing so, Apple made passwordless authentication capabilities accessible to billions of iPhone users by implementing FIDO standards across its iOS and Safari ecosystems.
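The two preceding sections make one technical claim: a factor built on a shared secret (an OTP seed) can be relayed, while a FIDO-style factor cannot, because its signature covers the origin the browser actually loaded. The following example, written for this page and not taken from the report or from any FIDO library, puts both side by side: a standard TOTP (RFC 6238, HMAC-SHA1, 30-second step) and a simplified challenge/response in the shape of a WebAuthn assertion. The origin-plus-separator digest, the seed, the origins and the timestamp are constructed for the example; a real WebAuthn verifier checks the full clientDataJSON and authenticator data rather than this reduced form.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// ---- Shared-secret factor: TOTP per RFC 6238 (HMAC-SHA1, 30 s step, 6 digits).

// TOTP computes the code for a Unix time. Client and server hold the same
// seed, which is precisely the shared secret respondents want gone.
func TOTP(seed []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// OTPServerAccepts is the server-side check. Nothing in it can tell which
// web page the user typed the code into.
func OTPServerAccepts(seed []byte, code string, unixTime int64) bool {
	return hmac.Equal([]byte(code), []byte(TOTP(seed, unixTime)))
}

// ---- Public-key factor: FIDO-style challenge/response with origin binding.

type Authenticator struct{ key *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{key: k}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.key.PublicKey }

// assertionDigest binds the server's challenge to an origin string. This is
// a reduced stand-in for the WebAuthn clientData/authenticatorData hash.
func assertionDigest(challenge []byte, origin string) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator keeps origin/challenge boundaries unambiguous
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign runs on the authenticator. The origin is supplied by the browser, not
// by the page, so a look-alike site cannot claim the real site's origin.
func (a *Authenticator) Sign(challenge []byte, origin string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.key, assertionDigest(challenge, origin))
}

// RPVerify runs on the relying party and recomputes the digest with its own origin.
func RPVerify(pub *ecdsa.PublicKey, challenge []byte, rpOrigin string, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, assertionDigest(challenge, rpOrigin), sig)
}

// RelayScenario relays each factor through a look-alike origin and reports
// whether the genuine server accepts it. All values are constructed.
func RelayScenario() (otpAccepted, assertionAccepted bool, err error) {
	const realOrigin, lookAlike = "https://bank.example.com", "https://bank-login.example.net"
	seed := []byte("constructed-seed")
	now := int64(1614672000)

	// OTP: the user types the code into the look-alike page, which forwards it
	// to the real server inside the same time step. The server cannot tell.
	otpAccepted = OTPServerAccepts(seed, TOTP(seed, now), now)

	// FIDO-style: the look-alike forwards the genuine challenge, but the
	// browser hands the authenticator the origin it really loaded.
	auth, err := NewAuthenticator()
	if err != nil {
		return
	}
	challenge := make([]byte, 32)
	if _, err = rand.Read(challenge); err != nil {
		return
	}
	sig, err := auth.Sign(challenge, lookAlike)
	if err != nil {
		return
	}
	assertionAccepted = RPVerify(auth.PublicKey(), challenge, realOrigin, sig)
	return
}

func main() {
	otp, fido, err := RelayScenario()
	fmt.Println("relayed OTP accepted:", otp, "| relayed assertion accepted:", fido, "| err:", err)
}
```

The OTP path succeeds and the assertion path fails for a structural reason, not a cryptographic weakness in HMAC: the OTP code carries no information about where it is being presented, whereas the assertion is only valid for the origin the browser observed. That is what "not relying on a shared secret" buys in practice, and it is why the standards-based approach 94% of respondents favor matters: the origin check is built into the protocol rather than left to each vendor.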

One Passwordless Login, Many Identities

User authentication and identity have always been tightly coupled, but that’s rapidly changing. Users have numerous login methods to choose from, while their service providers struggle to maintain multiple identity stores. Nearly two-thirds (65%) of respondents already use or expect to have multiple identity providers in their organization. Identity fragmentation has been a pain point for businesses, and modern passwordless authentication presents an interoperable solution for simplifying the login experience. This observation fits well within the broader trend of organizations decoupling authentication from identity providers in an effort to reduce identity turmoil and MFA fatigue.

Passwordless is Becoming a Game of Catch-Up

According to the World Economic Forum, cyberattacks rank first among global human-caused risks, and it predicts that by 2021 cybercrime will cost the world $11.4 million each minute. Organizations of all sizes are realizing that passwords are an archaic component of security, and their extinction is being accelerated by the shift to remote work; many organizations already had clear project plans and use cases defined in 2020.

Today, the question is no longer whether to consider passwordless MFA, it’s “How far along are we in our deployment?” It’s no longer about staying ahead of the curve, but about playing catch-up, as adoption is moving faster than originally predicted.


George Avetisov

George Avetisov is Cofounder and Chief Executive Officer of HYPR, responsible for strategy and execution of the company’s vision. George sets forth the product and technical direction of the company, architects sales and marketing strategies, and works closely with team leads to build a strong company culture. Under George’s leadership, HYPR has grown to become a leading provider of decentralized authentication with millions of users secured across the globe.

Named Forbes 30 under 30 in 2018, George brings with him a decade of experience in e-commerce, digital payments, and fraud prevention that have served as the foundation for HYPR’s vision.
