How far are we from a passwordless future?

How far are we from a passwordless future?
(Image credit: Shutterstock)

This year, World Password Day served as a familiar reminder that businesses everywhere should examine the strength of their authentication practices. Passwords at log-in are no longer the only option for protecting access to systems, applications and devices – in fact, they haven’t been for some time. Despite inherent weaknesses, passwords endure because they can be used anywhere, on any device, at any time. Making a passwordless future a reality, with the promise of better protection and an improved user experience, will take a new global authentication standard implemented at scale by all the leading OS/browser vendors.

About the author

Jerrod Chong is Chief Solutions Officer at Yubico.

Even though a passwordless future will take a lot of work from a variety of players in the industry, we are starting to see passwordless become top of mind for the enterprise. In fact, Gartner predicts that 60 per cent of large and global enterprises will be passwordless for more than half of use cases by 2022. That rises to 90 per cent for midsize enterprises. While this proves passwordless is top of mind, are organisations really ready?

Larger attack surfaces

The number one reason for deploying multi-factor authentication (MFA) is to increase security and the rise in hybrid work environments of the past year has contributed to this. Indeed, nearly half (49 per cent) of those surveyed in a recent study indicated that they would be more likely to increase their use of 2FA/MFA for security reasons.

More devices accessing systems and applications from more locations expands the corporate IT estate, widening the potential attack surface. Companies will be well aware of the risk implications of this, but passwords were causing problems way before the acceleration of remote working. This widening attack surface also calls attention to the need for companies to protect all users, not just privileged users. Time and time again breaches prove that lower-level employees can leave an organisation vulnerable by being a 'way in' for adversaries.

Phishing, credential stuffing, and other cyber threats have posed a high risk of corporate data breaches for years. By making passwords the sole keys to the kingdom, corporations face consequences should those passwords become compromised.

The usability factor

Despite this, passwords endure. A clue as to why can be found in user behavior. There are compelling security reasons to use strong two-factor authentication (2FA), but it has to be convenient if it is to be adopted in large numbers. Mobile-based authenticators and SMS-based MFA are among the most adopted MFA technologies, but they rely on the registered person’s mobile being charged, in a reception area for mobile use and accurately copying across a one-time code. This inconvenience has been proven to be a barrier in adoption of SMS codes or ‘copy and paste’ one-time passcodes.

This points to a potential usability problem for organisations currently planning, or deploying, MFA solutions.

This notwithstanding, any reduction in our reliance on passwords is a step forward. By introducing something additional that the user knows (such as an answer to a question) or something they have (such as a one-time password or OTP), security is strengthened – but these measures don’t eliminate all risks. A memorable word/answer can be phished in the same way a password can, while an OTP sent using SMS can fall victim to ‘SIM-swap’ fraud, or a user could be tricked into providing it to someone they believe has a legitimate reason to have it. Even mobile push apps can be phished.

Additional factors can come from who a person is – a biometric identifier such as a fingerprint or facial anatomy – or what a person has, such as a hardware-based security key. These additional factors make it much harder for an attacker to remotely circumvent. Developments of recent years are easing enterprise adoption and implementation of MFA, and security standards like FIDO2 and WebAuthn are already supported by leading OS platforms and browsers (a technology stack of this scale is needed if we are ever going to reduce our reliance on passwords).

FIDO2, an open authentication standard, is an extension of FIDO U2F, offering the same level of high security based on public key cryptography and a highly phishing resistant protocol. WebAuthn is a core component of FIDO2 and the first globally accepted standard for web authentication. Together, they further the cause of MFA through accessible integration.

The path to stronger authentication

Enterprises considering where to begin should consider a hybrid approach to passwordless authentication, which won’t mean they have to overhaul all their current infrastructure. This is especially significant as so many corporate infrastructures comprise a mixture of legacy on-premise systems and private or public cloud-hosted services.

Hardware-based security keys that support multiple authentication protocols can provide a bridge to this passwordless journey. Administrators can allow for self-service enrollment. Security keys can also be pre-enrolled for users before distributing them to remote workers. Employees are more likely to get on-board with a new security approach that is easy to use and works out of the box without installing various additional software or apps. Furthermore, easy to enable self-service and self-recovery options makes for fewer demands on IT support.

There are encouraging signs that enterprises are taking steps towards a passwordless future but there is still much to do. World Password Day reminds us that password use is prevalent and still causing problems in the ongoing fight against cyberthreats. Companies investing in passwordless technology should consider usability, compatibility, and ease of implementation in addition to security when making their choices. With the right approach, strong MFA can better protect company networks and systems and provide a smooth authentication experience for users. Perhaps one day we’ll refer to it as World Passwordless Day…

Jerrod Chong is Chief Solutions Officer at Yubico.