What’s Holding Back Passwordless Authentication?


Passwords pretty much control our digital lives. But remembering all your various online account details can be difficult. The average user now has 25 per cent more passwords than they did before the pandemic began.

As data breaches increase, credentials are among the most sought-after information for hackers. According to experts, passwords give hackers a way in to steal information, run phishing campaigns, get past perimeter security defences and stay hidden inside corporate networks.

Credentials are the primary means by which a bad actor hacks into an organisation, according to a Verizon report, with 61 per cent of breaches attributed to leveraged credentials.

Passwords that grant privileged access to organisational systems and networks are prime targets for hackers, since a single credential can unlock so much information. In fact, the threat actor behind the SolarWinds hack was able to guess the passwords of many victims because they did not use a password manager to generate strong, complex passwords.

With hackers and cybercriminals using advanced and sophisticated technologies to disrupt enterprise data and applications, it is vital for businesses to move beyond passwords, said Morey Haber, chief security officer, BeyondTrust.

“Authentication models for end users can be single-factor, two-factor, or multi-factor based. Single-factor authentication is based on a simple username and password combination; two-factor is based on something you have and something you know, and this includes something you know like a username and password from a single-factor and something you have like a mobile phone or two-factor key fob. Multi-factor authentication goes one step further and uses additional attributes like biometrics to validate an identity for authentication.”

“But the flaw with all of these models is a password. It can be shared, stolen, hacked, and is the biggest risk to a business when compromised. So, it is important for businesses to replace passwords with something that can be changed, but cannot be shared or hacked as easily as a password,” added Haber.

Concurring with Haber, Yossi Naar, Chief Visionary Officer and Co-founder of Cybereason said: “Passwords are hard to remember, often reused, and easy to steal and bypass. In general, no one should ever trust their passwords and never, ever reuse them.”

Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts. There are a whopping 579 password attacks every second — that’s 18 billion every year, said Microsoft in a blog.

No business is immune to hacking, with Alibaba, Volkswagen, LinkedIn and Facebook all having been on the receiving end. And the average cost to a company that suffers a data breach is $3.86 million.

In the post-pandemic era, experts say, passwordless adoption will pick up speed due to a surge in the use of consumer online services and hybrid work. Microsoft announced a passwordless solution for business customers recently.

But there remain several barriers to passwordless adoption. And, according to Naar, “One of the biggest barriers is that there are many legacy devices, infrastructure and frameworks, as well as regulations in some cases that specifically require passwords.”

“Also, what makes it more challenging to move beyond passwords is that IT teams at many companies adopt extremely stringent password policies that can be counterproductive. When you force employees to adhere to strict password policies and require them to change passwords too often, they will tend to use simpler passwords and ones that will most easily comply with the company’s policy,” added Naar.

While there’s a lot of buzz about using biometric information — fingerprints, iris and facial recognition, and other unique physical characteristics — to authenticate, biometrics aren’t a foolproof solution for preventing account takeover and other forms of fraud.

In fact, because the user authenticates with a physical attribute that can’t be changed or reset, the stakes become much higher if attackers find a way to compromise the system.

According to Haber, the biggest barrier to passwordless adoption is the current set of methods proposed to replace passwords. “Modern approaches use biometrics, which cannot be changed; algorithms based on behaviour, which have data privacy and legal implications; and active monitoring like typing speed are generally proprietary or don’t work correctly due to temporary physical ailments.”

“The goal is still to have something you have and something you know. The barrier is replacing something you know that is universally recognised, not shareable, and difficult to compromise. The closest thing to that today are ephemeral or just-in-time passwords that limit exposure, but in the end, they are still passwords.”

“And, with the need to support legacy applications, a more radical change will be needed in the future to eliminate them rather than just finding a substitute,” added Haber.

Another hindrance to the adoption of passwordless authentication is the high cost. Businesses with a large user or customer base find that rolling out passwordless technology is fairly expensive, on top of the costs involved in issuing replacement devices or tokens, where applicable.

To have a world without passwords, it’s vital for more solution providers to give customers the ability to set up every passwordless authentication method and to recover from lost devices, without falling back on traditional password and multi-factor authentication.

And for businesses, it’s imperative to take the next step: identify the user segments that can go passwordless and then start their own passwordless journey, whether that means piloting a new authentication method or testing FIDO2 security keys across workloads.
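To make concrete what separates a FIDO2-style possession factor from the “ephemeral passwords” Haber describes, here is an added illustration (not code from the article or from any vendor it quotes): a challenge-response login in which the server stores only a public key, the response is bound to a server nonce and a relying-party identifier, and a captured response cannot be reused. It uses a hash-based Lamport one-time signature as a stand-in for the ECDSA/EdDSA keys real authenticators hold, so it runs on the standard library alone; `RP_ID`, `Server` and the user name are constructed for the example.

```python
import hashlib
import os

# Constructed relying-party identifier; a real deployment would use the site's domain.
RP_ID = "example.test"


def keygen():
    """Lamport key pair: 256 pairs of 32-byte secrets; the public key holds their hashes.
    A Lamport key is one-time, so each registration should sign only a single assertion;
    real FIDO2 authenticators use ECDSA/EdDSA keys that can sign many challenges."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _digest(challenge, rp_id):
    # What the authenticator actually signs: the server's nonce bound to the relying party,
    # so an assertion produced for a look-alike site does not verify at the real one.
    return hashlib.sha256(rp_id.encode() + b"|" + challenge).digest()


def sign(sk, challenge, rp_id=RP_ID):
    """Authenticator side: reveal one secret preimage per bit of the bound digest."""
    bits = int.from_bytes(_digest(challenge, rp_id), "big")
    return [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]


def verify(pk, challenge, sig, rp_id=RP_ID):
    """Server side: checks each revealed preimage against the stored public hashes.
    Nothing secret lives on the server, so a database leak yields nothing to replay."""
    if len(sig) != 256:
        return False
    bits = int.from_bytes(_digest(challenge, rp_id), "big")
    return all(hashlib.sha256(sig[i]).digest() == pk[i][(bits >> (255 - i)) & 1]
               for i in range(256))


class Server:
    """Minimal relying party: registers public keys and issues one fresh challenge per login."""

    def __init__(self):
        self.users = {}    # user -> public key
        self.pending = {}  # user -> outstanding challenge (consumed on first use)

    def register(self, user, pk):
        self.users[user] = pk

    def begin_login(self, user):
        challenge = os.urandom(32)
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user, sig):
        challenge = self.pending.pop(user, None)  # each challenge is single-use
        return challenge is not None and verify(self.users[user], challenge, sig)
```

Contrast this with a just-in-time password: there the server must hold (or derive) the same secret the user presents, and anyone who observes it within its validity window can present it too.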
