Hackers don’t just break in. Sometimes all they need to do is log in. Which is easy, given the state of password security today.
The most common identity and access management (IAM) approach—username and password—hasn’t been doing a good job for a long time. Hackers launch an average of 50 million password attacks every day, or about 580 per second. Approximately 60% of data breaches are attributed to compromised credentials, according to Verizon.
The average cost of a data breach is estimated at $4.2 million, with compromised credentials taking top honors for the most common attack vector, accounting for 20% of all breaches. What’s more, password resets are a top reason workers call IT help desks, and that costs companies up to $70 for each call, Forrester estimates. Large U.S. organizations allocate more than $1 million annually for password resets.
Bill Gates famously predicted the demise of passwords 18 years ago. Yet somehow, despite multiple industry efforts to find better alternatives, usernames and passwords remain in place in most
But that could finally be changing now that business leaders are recognizing the limits of password security. With authentication tools improving and zero trust becoming the dominant cybersecurity model, more organizations are starting to implement passwordless approaches, such as multifactor authentication (MFA), biometrics, and single sign-on (SSO) tools.
And with cyberattacks on U.S. businesses and critical infrastructure expected to intensify following Russia’s invasion of Ukraine, the White House and Cybersecurity and Infrastructure Security Agency are strongly urging public- and private-sector organizations to require authentication methods that don’t rely on passwords.
“The push toward passwordless security is very, very real,” says Frank Dickson, a program vice president in IDC’s cybersecurity and trust research practice. “Organizations aren’t going to chuck passwords overnight because doing so is complex. But many are on that path, including some of the biggest names in tech.”
A new strategic priority in password security
The trend among big tech companies is toward a future free of passwords. Microsoft has allowed commercial users to log into their accounts without passwords and has even told people to get rid of passwords altogether. Google similarly moved to phase out passwords by making two-factor authentication using a phone the default for Google accounts. And Apple, with facial recognition in
its computers and smartphones, committed to axing passwords in 2020, just as the pandemic was ramping up.
When we hit our stride with this, it’s really going to be a game changer.
It’s not just those technology behemoths leading the way. In fact, 85% of IT and cybersecurity professionals say the adoption of password-free security is among their top strategic initiatives, according to an Enterprise Strategy Group (ESG) report.
One of those leaders is Kurt John, chief cybersecurity officer for Siemens USA, who oversees security policy for 40,000 U.S. employees. John told Endpoint that his organization, like many, has been frustrated with the cost and complexity of managing usernames and passwords. Requiring employees and customers to regularly change credentials leads to a poor user experience, as well.
Siemens is evaluating passwordless authentication as part of a zero-trust program for information technology, operational technology, and products. Zero trust assumes every person and machine is a potential threat unless proven otherwise.
John foresees applying a blend of biometrics technologies (like Windows Hello), analytics, and artificial intelligence to authenticate employees before they are granted network access.
“We’re still a ways off, but when we hit our stride with this, it’s really going to be a game changer,” he says.
Single sign-on and other advice from the trenches
Taking one’s time is a common theme for organizations mulling a move to passwordless security.
Most experts warn against trying to do too much too soon with
a no-password strategy. Rather, they suggest starting with small
pilot projects and testing to see what works with legacy systems—
as well as employees, customers, and partners, whose feedback can reshape programs.
The issue is, everyone will try to lock you into their ecosystem.
“You want to get a grasp for how the technology works and a feel for the end-user experience, both during enrollment and in regular use,” says Schaufenbuel. “Then slowly expand the pilot until you feel comfortable enough to tackle a full-scale deployment.”
There are, it turns out, prudent ways to strengthen the use of passwords during this transitional period. IDC’s Dickson outlines approaching passwordless projects in stages. First, he suggests giving users a management tool to control the “password chaos” in their organizations. That may seem the opposite of going passwordless. But he believes it’s necessary to have credentials in one place in order to get rid of them.
Next, Dickson says, organizations should adopt a single sign-on tool, which stores passwords and eliminates the need for employees to continually update and track them. An SSO is particularly useful for accessing business and consumer software-as-a-service (SaaS) applications, he adds.
“We’ve gone from chaos to a password vault to a single sign-on with two-factor authentication,” Dickson says. “And, suddenly, our experiences are getting better.”
The third step involves auditing identity and access rules. Not every employee, he notes, requires access to every nook and cranny of corporate networks. Some require little more than the ability to download Office 365 and a few financial and human resources
tools to do their jobs. Organizations, therefore, need to ration their IT assets on a “need-to-see” basis.
Last up is dumping passwords, Dickson says. Eventually the organization’s IT systems, employees, and devices will operate, for the most part, without the need to ever enter a password.
Beware of easy answers to password security
Many vendors now pitch passwordless solutions that presumably offer one-stop MFA or zero-trust capabilities for organizations eager to go all-in sooner than later. In fact, some promising startups are attracting eye-popping venture capital investments based on that accelerated approach.
But John of Siemens warns enterprises against jumping at such offerings too quickly. “Don’t just pick the first passwordless solution that comes along,” he says. “You want to do your due diligence and study all your available options.” He recommends thinking through your medium- and long-term strategy: “Some of those solutions will give you short-term gain but will have diminishing returns for your goals,” he says.
Doug Cavit, CISO for Containn, a software company that helps organizations build and deploy secure multicloud infrastructure, also warns against hastily buying into any single vendor’s ecosystem. Yes, the argument is still valid that pieces of a puzzle fit together better if they come out of the same box. But if your back-end legacy systems don’t fit their infrastructure, a passwordless platform may not work very well.
“The issue is, everyone will try to lock you into their ecosystem,” Cavit says. “But if I’m less homogenous, which is true of a lot of enterprises, I’d rethink going in that direction.”
Methods of passwordless authentication: Smartphones as roaming keys?
Many organizations believe the future of password-free security—beyond the single sign-on, the access audits, and other adjustments—lies in using smartphones as roaming authenticators. The FIDO Alliance, an industry association focused on secure authentication, has been working on such technology over the past 10 years. Its latest FIDO2 and WebAuthn passwordless standards would integrate cryptographic capabilities for secure logon into websites, corporate networks, and devices.
New passwordless technologies and approaches are coming along that are just better.
Users would log on to their own devices using biometrics like facial or fingerprint recognition. Bluetooth, meantime, would confirm the user’s physical proximity. If a smartphone owner lives in Austin, Texas, but a login seems to be coming from Biloxi, Miss., the device could note the discrepancy and block site access. Theoretically, this would minimize phishing threats, since they often rely on stealing passwords, a hack that would be eliminated.
Of course, the FIDO approach has its doubters. Some security experts complain that FIDO2 would force users to carry around devices all the time to log into networks. Others, such as Richard Stiennon, IT-Harvest chief research analyst, note that if hundreds of digital certificates are stored on a device and a user loses it—and 70 million smartphones are reportedly lost every year—that makes things tricky.
“If it’s something you use at work, then what do you do?” Stiennon asks. “Do you report it to everybody? To your employer? Maybe that’s not a problem. But what if you’re the phone company? Do you then have to tell a bank when the phone is lost with their IP on it?”
Passwordless security is unlikely to become the dominant authentication approach overnight, experts say. But they do think that after decades of talking the talk, organizations are finally walking the walk.
“I’m ready to say passwords are going away,” declares Stiennon. “I’m not saying that because they are absolutely bad. They’ve served a purpose. I’m saying that because new passwordless technologies and approaches are coming along that are just better. And over time, you won’t need passwords anymore for logging in.”