Is passwordless authentication actually the way to go?

Experts reckon that passwords are no longer a secure method of identity verification.
6 May 2021

World Password Day: Is passwordless authentication actually the way forward?(Photo by Philippe HUGUEN / AFP)

  • Although completely eliminating passwords may be impossible, a passwordless approach could be the answer to many authentication and security challenges
  • Passwordless authentication also increases workplace productivity as employees no longer need to spend time inputting and changing passwords

World Password Day has got us thinking – simple authentication methods are inherently vulnerable to cyber attacks. The consequences of using only username-and-password combinations are well known for they are easily compromised and difficult to manage, costing enterprises billions of dollars annually. Tech and security analysts predict enterprises will shift to passwordless authentication for users to stay digitally secure in the future.

All these years, users are inundated with passwords in their personal and professional lives. Password reset requests comprise a lion’s share of IT help desk tickets, resulting in lost productivity for users and increased support costs for the business. Looking back in the last two decades, multi-factor authentication (MFA) has matured as a necessary additional layer of security to the primary password authentication. 

The password primary authentication and the MFA secondary authentication became imperative as password theft and data dumps became routine. The humble single-factor password, going on 60 years of existence, simply hasn’t stood the test of time. In 2019, an anonymous creator released 2.2 billion usernames and passwords freely across attacker forums, known at that time to be the largest collection of breaches.

A year ago, NordPass estimated that the average person had 70 to 80 passwords. And yet, compromised passwords and exposed credentials remain the number-one cause for hacking-related breaches. Now, with the Covid-19 pandemic driving the rapid shift to remote work, coupled with the cybersecurity pressures following a slew of significant cyberattacks in 2020, the urgency to move away from passwords has never been greater.

Advances in secondary factors, from the proliferation of smartphones to the consumerization of biometrics, have led many to question the need for and the use of the password at all. If strong identity authentication is based on multiple factors, and passwords are the most vulnerable factor, why even require them? This realization has led the industry to move toward replacing passwords altogether with more secure, simplified methods of authentication.

In fact, Gartner Research predicts that by 2022, 60% of large and global enterprises, and 90% of midsize enterprises (MSEs), will implement passwordless methods in more than 50% of use cases, which is an increase from fewer than 5% at this point.

What is passwordless authentication first of all?

Passwordless authentication establishes a strong assurance of a user’s identity without relying on passwords, allowing users to authenticate using biometrics, security keys, or a mobile device. Duo is innovating toward a passwordless future that balances usability with stronger authentication. Passwordless gives users a frictionless login experience while reducing administrative burden and overall security risks for the enterprise.

Where to start?

Pairing passwordless technology with strong MFA to protect access across the cloud and on-prem is a practical way to provide the broadest security coverage today, according to Duo. “With MFA in place, you can reduce your reliance on passwords and modify password policies to require less frequent resets, alleviating help desk burden and reducing user frustration,” it added.

Duo recommends taking a phased approach to providing secure access for the workforce, with each step taking a user closer to a fully passwordless future. The steps include identify passwordless use cases and enable strong authentication; streamline and consolidate authentication workflows and optimize the passwordless toolset.

Gartner research vice president Peter Firstbrook reckons that “In an effort to combat hackers who target passwords to access cloud-based applications, passwordless methods that associate users to their devices offer increased security and usability, which is a rare win/win for security.”