The Path to Passwordless Authentication Is Shorter Than We Thought

Passwords are a problem, and relying on them for user authentication is problematic. This has been an accepted truth in the infosec community for some time, yet credential-based methods are still ubiquitous.

The average person now has dozens of personal and business username/password combinations to keep track of and recycles those same passwords across multiple accounts, creating endless opportunities for exploitation and compromise. Why does this culture of poor password security persist when the options for passwordless authentication have never been stronger,cheaper or easier to use? What considerations are preventing IT teams that design identity management programs from implementing new methods?

A new Enterprise Management Associates (EMA) study on the identity management programs of 200 security professionals revealed that, when it comes to the design and implementation of identity management, people have good reasons for behaving the way they do. And while the majority of organizations still rely on username-and-password schemes for authentication, they’re aware of the pitfalls and devising plans to go passwordless.

Passwords Are Prevalent and Problematic

EMA queried security leaders on their identity management programs to understand the baseline behaviors and policies in place for authentication. The research found that passwords are prevalent, with 64 percent of organizations relying on them as a primary form of authentication. It also revealed that passwords are problematic, with 90 percent of organizations saying they had experienced a significant password policy violation in the last month.

Those violations came with severe consequences for the organizations, as 71 percent of survey respondents were able to directly correlate policy violations to specific penalties — including employee terminations, malware infections, compromised data, inability to meet regulatory compliance objectives, loss of customers and direct impacts to revenue generation.

Below are some highlights from the EMA report:

Which of the following types of authentication are currently in use in your organization?

EMA Research Report authentication methods chart

Which of the following occurred due to a violation of your organization’s access management policy?

Chart from EMA Research Report showing results of violation to access management policy

Approximately what percentage of employees in your organization have violated each of the following business password policies in the past year?

Chart showing percentage of employees who have violated password policies

The Move to Passwordless: Planning for What’s Next

All of this damning data on passwords begs the question: If passwords are so problematic, why are they still so prevalent? EMA found that most organizations feel passwordless authentication methods are more secure than passwords. But the reasons for hesitating to adopt them were based on concerns spanning from people to processes.

Security leaders cited concerns about user training as well as integration with other management tools as the top worries holding them back from an investment in passwordless technology. Behind security management concerns, integration with cloud services and directory services emerged as top blockers for adoption.

Below are some additional findings:

Overall, which of the following best describes your impression of passwordless authentication processes as compared to traditional password-based authentication processes?

Chart showing survey responders' impression of authentication methods

Indicate how technically challenging you believe each of the following would be for your organization to implement completely password-free authentication processes.

Chart showing perceived challenges with password-free authentication

The Battle of Security Versus Convenience Is Over

There has long been a perception that authentication is a trade-off between two competing objectives: enterprise security and end user convenience. But that trade-off may no longer be necessary. In fact, biometric authentication methods such as facial recognition, thumbprints and retinal scans are seen by IT leaders as accomplishing both goals at once.

Furthermore, the EMA research indicated that decreasing the amount of friction imposed on authentication processes proportionally increases the level of security. Organizations that reduced friction in the authentication process saw a reduction in administrator time and efforts. In this way, low-friction, passwordless authentication approaches effectively align user and business requirements.

Average productivity improvement for types of authentication versus their perceived level of security

Average productivity and security levels for identity elements

Clearing a Path to Passwordless Authentication

While organizations are more aware of the value of low-friction authentication, the chief inhibitor to passwordless solutions is the complexity of their deployment. In other words, many organizations are reluctant to introduce passwordless authentication because they believe it will be challenging to deploy or disruptive to business operations.

To help IT and security managers select the most effective solutions, EMA recommends using the four I’s to evaluate options for passwordless authentication:

  1. Intuitive— Solutions should be easy to onboard and simple to manage, requiring little or no end user training or administrator time to support.
  2. Informative — Holistic visibility should be enabled across the entire identity ecosystem to collect contextual data on users, devices, networks and hosted services. Information reports should be easily digestible to simplify the identification of potential risks or challenges to user experiences.
  3. Intelligent — Solutions should have intelligence technologies — such as analytics, machine learning and language processing — that collect identity data to determine the level of risk associated with enabling access. The number of authentication factors presented to the user should be dynamically determined based on the identified level of risk.
  4. Integrated — Solutions should leverage industry standards such as FIDO, SAML and Open ID Connect to enable integrations between authentication technologies and hosted services. Direct integration with service, system and security management platforms will further simplify administrative tasks and help consolidate access policy management.

To see more insights on the state of today’s identity management, register to download the “Full-Length EMA Research Report: Passwordless Authentication.”