In the first nine months of 2020, passwords accounted for 29.4% of the data types exposed in breaches, behind only email addresses and names.
Between March and October, the number of corporate credentials with plaintext passwords exposed on the Dark Web increased by 429%.
Finally, reused passwords remain the most vulnerable data type for potential breaches, accounting for 93.1% of human risk factors.
Clearly, organizations need a better, stronger alternative to dangerous password-based security. The answer: passwordless authentication.
In this article, we explore why organizations should go passwordless.
Why Organizations Struggle To Go Passwordless
By 2022, 60% of large enterprises and 90% of midsize firms will go passwordless for over 50% of use cases. But presently, many organizations struggle to do so. Here’s why.
For many companies, passwords are embedded in legacy systems that use old protocols and identity stores like LDAP for password authentication. Although it is possible to eliminate passwords even in legacy systems, organizations rarely consider this option, and still rely on password-based authentication.
Even organizations with multi-factor authentication systems retain regular passwords as one authentication factor on top of another, like a one-time password. Such systems, with passwords patched with other “what you know” factors, involve running costs that mount over time. Further, they can be circumvented by phishing that steals these credentials, increasing the organization’s vulnerability to bad actors. This can have multiple repercussions, including financial costs, compliance-related punitive measures, loss of clients and a damaged reputation.
Many modern devices now support unlocking using biometric methods like facial recognition or fingerprints, such as FaceID or TouchID on iPhones. Although safer than password-only systems, these methods are also not 100% secure. Clever hackers can reverse engineer biometrics. Since compromised biometrics are compromised for life, there is no way to undo the damage or safely reuse these credentials for other systems. Some devices support physical security keys to keep their contents secure. This method eliminates the need to remember multiple login details and passwords. However, software flaws in the keys could expose weaknesses that hackers could exploit. Moreover, a key requires an additional security step for authentication, which can become impractical if multiple systems or websites need to be accessed several times each day. Finally, physical tokens can get lost or stolen, once again leaving users vulnerable to data losses or worse.
However, organizations can avoid all these issues by deploying an authentication mechanism that’s more secure than password-based authentication and more convenient than MFA: passwordless authentication.
Truly Fully Passwordless vs. Passwordless Experience
Some so-called passwordless solutions, such as Single Sign-On (SSO), don’t completely eliminate passwords. Instead, they “hide” the password in the user’s experience while using it in the background for authentication. This is known as a “passwordless experience”. With such a solution, a user only has to remember one password, the master password. Although this is an advantage for the user, it still does not solve the basic problem: it does not reduce the risk of the most common cyber-attacks against password-based authentication (e.g., phishing or social engineering).
A truly fully passwordless authentication solution does not simply hide passwords but eliminates them entirely. It is based on other strong factors like possession (ownership) and inherence, rather than weaker knowledge-based factors. Organizations that go passwordless have a more robust and reliable authentication mechanism and can effectively and permanently eliminate threats like phishing and credential stuffing that are common with password-based authentication.
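To make the distinction concrete, here is an added Go example (not IDEE’s code or any product’s) that contrasts a reusable password check with a possession-factor challenge-response: the device holds a private key, the service stores only the public key and issues a fresh nonce per login, so a captured or leaked response cannot be reused at another service or at a later login. The service names, the password and the key pair are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// passwordLogin models password-based (or "passwordless experience") login: the same
// reusable secret is sent every time, so a leaked copy works anywhere it is accepted.
func passwordLogin(stored, presented string) bool {
	return stored == presented // hashing omitted to keep the contrast short
}

// Service is a relying party holding only a public key per user: no password database.
type Service struct {
	name   string
	pubKey ed25519.PublicKey
}

// Challenge issues a fresh random nonce for every login attempt.
func (s *Service) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return nonce
}

// Verify accepts a response only if it signs this service's name and this exact nonce,
// so a captured response is useless at another service or at a later login.
func (s *Service) Verify(nonce, sig []byte) bool {
	return ed25519.Verify(s.pubKey, append([]byte(s.name+"|"), nonce...), sig)
}

// Device holds the private key (the possession factor); it never leaves the device.
type Device struct{ priv ed25519.PrivateKey }
func (d *Device) Respond(service string, nonce []byte) []byte {
	return ed25519.Sign(d.priv, append([]byte(service+"|"), nonce...))
}

// demo returns: reused password accepted, valid login at A, replay at B, replay at A later.
func demo() (stuffed, loginA, replayB, replayLater bool) {
	stuffed = passwordLogin("Summer2020!", "Summer2020!") // constructed leaked password
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)      // error only on a broken CSPRNG
	dev := &Device{priv}
	a, b := &Service{"service-a", pub}, &Service{"service-b", pub}
	nonce := a.Challenge()
	sig := dev.Respond(a.name, nonce)
	return stuffed, a.Verify(nonce, sig), b.Verify(nonce, sig), a.Verify(a.Challenge(), sig)
}
func main() { fmt.Println(demo()) } // true true false false
```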
Benefits for Organizations that Go Passwordless
When they go passwordless, organizations can implement enhanced identity governance and more granular access control with a stricter zero-trust policy and architecture. They get greater visibility into when, how, where and who can use a claimed identity to access a resource. By driving suspicious users to additional verification, the solution ensures a more secure working environment for both employees and IT staff.
They also eliminate the burden on users to periodically create and remember new passwords, thus ensuring seamless user experiences. The support effort and Total Cost of Ownership (TCO) for IT departments are also reduced, since they can eliminate productivity-killing tasks like user account creation, password management and password resets.
Companies can use the time previously spent on documenting, managing or implementing complex password policies for more productive, value-added tasks that grow and improve their competitive position.
And finally, with a zero-trust passwordless authentication and authorization system like IDEEAuthN™, they can simplify auditing and satisfy industry-related regulatory and compliance requirements at no additional cost.
If you are working in an enterprise and need some more reasons to make the transition to passwordless authentication, have a look at our follow-up article “5 Compelling Reasons for Enterprises to Go Passwordless”.
The Future is Passwordless, The Future is IDEE AuthN
In today’s expanding cyberthreat landscape, organizations can’t afford to rely on password-based authentication systems to protect their IT infrastructure. IDEE AuthN eliminates passwords and credential databases, and offers a more secure, cheaper and future-ready method for a range of use cases. With passwordless Absolut™ zero-trust authentication, IDEE AuthN is more secure than two-factor authentication with password vaulting and even passwordless MFA. To learn more about IDEE AuthN, download a free report here.