The State of Passwordless Authentication – 2023 Edition

by   in Cybersecurity

Some may remember the blog I did last summer on the State of Zero Trust. In that blog I reviewed the evolution of breaches as tracked by Verizon’s annual DBIR report. As usual, the key takeaway from that report was that compromised credentials are the foundation of most attacks. With that key point, I then related how my credentials have evolved over time. Since that blog, OpenText has sponsored a Dark Reading survey of 140 IT and cybersecurity professionals. As you can see from the table below, Dark Reading was able to recruit a strong mix of cybersecurity and IT professionals:

CIO/CTO or VP

CSO/CISO

Cybersecurity

Head / Director / Manager

IT or Cybersecurity Staff

Cybersecurity Staff

Other IT

Engineering

18%

6%

19%

9%

17%

29%

The Security Side of Passwordless

In what should come as no surprise, Dark Reading confirms that cybersecurity teams are well aware that credentials are a major component of their vulnerability profile. The survey shows that 90% of them are quite concerned about traditional credentials, and half of them worked for an organization that had been subjected to an attack involving them. Overall, 8 out of 10 respondents had discovered attacks from outsiders that were based on the weaknesses of traditional credentials. The top two vulnerability concerns identified were phishing attacks and stolen credentials.

The Business Value of Controlling Risk

Respondents confirmed that, on several levels, they see business-centric forces in play for adopting passwordless technologies in their environment. Fundamentally, stronger identity verification is a foundational component of managing the risk of a digitally enabled business. When they can depend on strong identity verification, organizations are empowered to enable more efficient and powerful interactions. These new business models affect not only how they can expand what their internal employees can do but also how they can engage and interact with their consumers at a higher level, as more types of digital information can be shared. Organizations can be just as confident of a claimed identity when services are consumed remotely as they are for onsite engagements.

The Business Enabling Side of Passwordless

"Improved user experience" was another big component of why respondents viewed passwordless authentication as an important step forward. In fact, that driver came in second to "improved security."

Passwordless authentication's convenience factor is a big one; it's simply much less hassle:

  • No memorization – anyone with an online presence already recognizes the frustrating reality of remembering passwords, especially strong ones. It doesn't take long before people resort to bad credential hygiene in an effort to manage the many online services that they consume: bad practices like sharing credentials across multiple accounts and using weak or guessable passwords.
  • Lower hassle logins – beyond the complexity of managing traditional usernames and passwords, the simplicity of a quick authentication experience that comes from a fingerprint touch, facial recognition, or even an authenticator app is a stark contrast. The experience is low friction and quick.
  • Reduced errors – yes, typing in credentials can be laborious, but mistyping them is worse. "Did I fat-finger my password, or is it the wrong one?" Mistyped credentials block access and engagement and are obviously bad for businesses, both internally and in consumer-facing services. It's bad enough to delay a business process, but a frustrating experience can push customers to competitors. For speed and usability, if done right, passwordless can be a game changer.

Although I'm not sure how true this is, for me, an unexpected survey result is the perception that passwordless leads to a decreased IT burden; it came in third behind improved security and user experience. Do helpdesk calls managing account lockouts and password reset issues outweigh the cost of passwordless enrollment and administration? It seems like the majority of IT and security personnel believe that they do.

Bringing together both the business-enabling aspect and the cost-saving potential of passwordless technologies, a full third of respondents gauged their cumulative effect on the bottom line as a big or very big impact. Another third selected minor impact. That's two-thirds of IT and security professionals indicating that they believe that adopting passwordless technologies is good for their business. A noteworthy finding is that the bulk of the discussion around passwordless authentication centers around security.

If you're interested in the report, check it out here. If you're concerned about maintaining usability as you implement new ZT technologies, you may find this white paper, "Is Your Environment Adaptive Enough for Zero Trust?" helpful. The Zero Trust Architecture page has links to other useful information as well.

  • Passwordless authentication, driven by biometrics, seems to be the future. I have been asked by countless websites to set it up. No problem on my laptop (fingerprint) or mobile (face), but my desktop doesn't have a biometric scanner of any type so I need to use a password, although auto-filled for me by my password vault.