Enterprises Move Toward Passwordless, But There’s a Long Way to Go
Stop me if you’ve heard this one before: Next year is the year we will finally eliminate passwords.
That statement has been a staple of annual cybersecurity predictions for at least a decade, but could 2023 actually be the year that we see a major shift toward the passwordless workplace?
Digital Identity thinks so. They predicted that by the end of 2023, 80% of Fortune 500 companies would have the processes and budgets in place to make the leap away from passwords, and half of these companies would be implementing the changes in remote access and operating system authentication, as these are the two areas most commonly targeted.
Many companies already use some sort of passwordless authentication, most often as part of a 2FA or MFA solution. Passwords are still required, but the second form of authentication usually requires a passcode or PIN. However, threat actors are already compromising these methods.
Organizations want to find new authentication methods because passwords and passcodes aren’t doing their job anymore. The security around them is flimsy, and stolen or compromised passwords remain one of the top causes of security incidents. But is going passwordless feasible or is it just an impossible dream?
The Alternatives to Passwords
Before we get rid of passwords, we need something else to take their place.
“There are typically two components involved in passwordless authentication—a private ‘key’ that stays with the user and a biometric,” explained Mike Engle, chief strategy officer and co-founder of 1Kosmos, in an email interview.
The key is stored locally on the user’s device, like a phone or laptop, and it stays in the user’s control. The biometric option covers technologies such as touch ID, face ID or taking a live selfie (live ID).
“Together,” said Engle, “these components represent two factors that cannot be easily stolen or phished from the end user.”
Making Passwordless a Reality
As technology advances, authentication will advance in tandem. “Organizations that can easily adopt emerging technology without having to rip and replace legacy infrastructure will find it far easier to embrace passwordless authentication,” Timothy Morris, chief security advisor at Tanium, said via email commentary. “For example, as more organizations make the move to the cloud, passwordless authentication becomes a much more attainable reality.”
Passwordless deployment will come in a phased approach, Engle predicted, where users will be gently encouraged to follow the path. But, he added, once they start their passwordless journey, they won’t ever return to the previous authentication method.
Where we’re most likely to see passwordless deployed first is on a VPN or remote access portal for employees or the main log-on page for customers, he explained.
“For employees,” said Engle, “putting passwordless on the operating system and in front of the existing SSO system, such as Okta, Ping, ForgeRock, Active Directory, Azure, SiteMinder, etc., will result in an 80% reduction in passwords for all users.”
When Will Passwordless Happen?
As with most technology evolutions, change won’t happen all at once; it will take time for adoption to spread. Perhaps large enterprises will make a move toward passwordless authentication in 2023, but we’re not going to see widespread adoption just yet.
“While significant strides have been made with regard to the consumerization of IT, the unfortunate reality is that there are still a multitude of technologies that are using old authentication systems and haven’t adopted single sign-on or the use of biometrics,” said Morris. “Progress will continue and some applications may move to adopt passwordless authentication, but there’s no way my password manager will be empty come 2023.”
And even though organizations are looking for ways to eliminate the security risks that come with weak passwords and cut down on password-related IT tickets from employees, passwords are going to be here for the foreseeable future.
“Every website, native application, system and database still requires passwords at some level—even if passwordless solutions are used for convenience,” said Darren Guccione, CEO and co-founder at Keeper Security. “The fact is that robust encryption keys cannot be generated without a password. Even single sign-on solutions require a password at some level in the architecture to authenticate a user—prior to the user transacting with SAML-compliant authentication services.”
Passwordless technologies are a feature that can improve the user experience, Guccione added, but they are not a wholesale password replacement.
“To be sure, the latest innovations are brilliant and more will appear, but it is just not realistic to believe that passwords will disappear in 2023 or anytime soon,” Guccione said. “The reality is that passwords are essential to the way our connected devices operate and, given the billions of websites and companies that require passwords, we are a long way off from a true passwordless future.”