Our recent survey, conducted in conjunction with SC Magazine, shows that organizations are moving towards a passwordless future. According to the results, 36% of IT decision makers believe they will no longer rely on passwords 5 years from now. Concerns remain about the complexities of rolling out passwordless across the enterprise, yet respondents recognize the benefits of a passwordless strategy.
The problem with passwords
According to the latest Verizon Data Breach Investigations Report, 81 percent of hacking-related breaches leverage stolen or weak passwords – up from 63 percent in 2016. Despite approximately $80 billion in cybersecurity spending, our survey shows that 50 percent of organizations are using password-only solutions today and 14 percent think they will still be using password-only solutions 5 years from now.
The reality is that users not only keep passwords simple, but they also continue to reuse them across multiple sites. And while no system is 100 percent secure, our reliance on the password as a primary method of authentication is making it too easy for cybercriminals to compromise credentials and use them to their advantage.
Organizations have attempted to mitigate password risk by implementing stronger password complexity and requiring more frequent password changes. While valiant efforts, these approaches increase helpdesk costs and user frustration, and most importantly, they are not enough. They cannot deliver the security organizations need.
There is no denying that we need to remove our dependency on passwords, but what would that look like?
Organizations recognize the benefits of passwordless
In the passwordless future, compromised credentials are useless to attackers; there are fewer daily disruptions for users; users spend less time logging in, and there are no time-consuming and costly password reset calls. Organizations recognize the benefits of going passwordless – 57 percent of respondents say eliminating the risk of stolen credentials being used by attackers is a benefit, and 56 percent say removing the human factors is another benefit. Respondents also said productivity improvements (45 percent), eliminating requirements for complex passwords (40 percent) and eliminating costs (36 percent) are benefits of going passwordless.
SecureAuth’s passwordless authentication provides greater identity confidence with a better user experience. No password means no password resets, ultimately leading to happier users and cost savings. Calculate your savings using our password reset savings calculator.
So, what can you do?
While organizations may anticipate a passwordless future, many respondents say they have concerns about a passwordless strategy. Standing in their way are concerns about the ability to roll out across all apps and resources (23 percent), user adoption (17 percent), and the impact on compliance (12 percent). The survey shows that IT professionals also have concerns about user willingness.
While there is sound cause for pause, passwordless will not happen overnight. However, organizations can strengthen their security posture by putting adaptive authentication techniques in place today that reduce reliance on passwords while laying the groundwork for a passwordless future. Nearly half (46 percent) of respondents trust a multi-factor authentication method layered with a fingerprint biometric and adaptive risk-based analysis, and a lowly 10 percent would trust a password.
Environments in the enterprise are complex, and while passwordless offers improved security and user experience, many organizations are not quite ready to make the jump. Organizations that are going to keep the password should, at the very least, add layers of security such as two-factor authentication and adaptive authentication. It’s time for organizations to recognize that a password-only solution is not a secure option, and shouldn’t be an option at all.
Passwordless is a journey and it can start with adding adaptive authentication today.
Read the full article here: SC Magazine Market Focus: Moving from MFA to Passwordless