Identity, Breach, Network Security, Distributed Workforce, Decentralized identity and verifiable credentials

Passwordless Authentication: Getting Started on Your Passwordless Journey: Part 1

Today’s columnist, Don Shin of Secret Double Octopus, writes that while some purists want to eliminate all passwords, offloading password management to the admins via Passwordless MFA may be more practical.

Despite their unavoidable flaws, most organizations still require both employees and customers to use passwords. Yet passwordless solutions are both demonstrably more secure and readily available.

So why don't more enterprises get rid of passwords? Here's what might be holding up your passwordless transition — and why now is the right time to go passwordless.

Passwords: Why aren't they enough?

  • As of 2022, the most common password is still 12345
  • Most passwords are easily compromised
  • Too many vulnerabilities

Most passwords are fundamentally insecure because they're too short or too easy to guess. Attackers can use brute force attacks, password crackers, data dumps and other means to acquire or crack a password.

In a white paper about passwordless authentication, Ping Identity states that "passwords are just bad … an accepted inconvenience that we've become numb to."

"Passwords are bad from a user-experience perspective, and bad from a security perspective," Sam Brown, solutions marketing manager at Ping Identity, told us. "They're not user-friendly. Passwords can be made secure by being long and complex, but then you can't remember them. Users can't remember all those passwords and they can't securely store them anywhere, even on a notepad."

Password-based authentication is an easy target

Passwords are the simplest form of authentication, consisting solely of text entry and a database lookup. This is also how many attackers compromise passwords: brute-force text entry and data dumps are prime routes for an exploit.

An "uncrackable" password currently needs to be about 15 characters long. Unless they're using password managers, many people will choose to instead use unsafe passwords that they can read and remember.

Most people have too many online accounts — upwards of 200 per a 2020 Digital Shadows report — which leads to nearly unavoidable password reuse. A 2020 PC Magazine survey found that only 30% of respondents did NOT reuse at least some passwords.

The traditional password is highly susceptible to compromise for these reasons. A motivated attacker is not going to be deterred by the special characters employees have added to the "same-new" passwords they've used for the last 10 years.

Security improvements?

There are different ways to try to create a more secure traditional password, but these methods are not foolproof. Hashed passwords can often be reversed or cracked because of outmoded hashing algorithms and "rainbow tables" that match stored hashes against precomputed ones.

Even passwords that aren't caught up in data breaches aren't immune — phishing attacks to dupe users into revealing their passwords work disturbingly well.

The low computational cost of handling passwords also makes for easy automated attacks upon online accounts. These can include "brute forcing" — trying thousands of possible passwords, starting with the most commonly used ones — or "credential stuffing," in which thousands of legitimate username-password combinations are used to hammer website login pages, in the expectation that a few will work.

The effects of password misuse are dire. The 2022 Verizon Data Breach Investigations Report finds that more than 80% of basic data breaches "can be attributed to stolen credentials," with about 10% involving brute-force attacks. Meanwhile, less than 20% of breaches involved exploited vulnerabilities.

Data breaches involving stolen credentials have a direct impact on enterprises, even those that may never have suffered a data breach. The stringent rules imposed by the European Union's GDPR and California's CCPA are designed to hold companies responsible for sloppy protections of consumer information, including passwords. Meanwhile, the vulnerability of employee credentials to theft and misuse is a constant threat.

"Passwords are an enormous security risk and source of friction for enterprises today, especially since remote work and digital customer experience have become top business priorities," states a Ping Identity guide to passwordless authentication.

Security problems with passwords are actually getting worse. The 2022 Verizon DBIR cites "an almost 30% increase in stolen credentials since 2017, cementing it as one of the most tried-and-true methods to gain access to an organization for the past four years."

Meanwhile, attempts to make passwords more secure lead to user frustration. A 2021 survey by Ping Identity found that 56% of consumers reported abandoning an online service when login attempts became too difficult. Inside organizations, one-third of all IT department service tickets are related to password issues, according to a 2022 study jointly conducted by Yubico and Ping Identity.

Accordingly, Ping Identity claims that going passwordless "improves [customer] engagement, lowers abandonment rates and ultimately drives higher revenues," and also that "less time entering and resetting passwords means higher [employee] productivity and significantly less strain on helpdesks."

Why we still use passwords anyway

So why do almost all organizations continue to require passwords for their employees and customers? Everyone knows how passwords work, and every IT department knows how to implement them. That's a lot of built-in resistance to change right there, and a huge speed bump of technical debt to hurdle.

"There's fear of change, and passwords provide a false sense of comfort," Ping's Brown said.

The Ping Identity white paper points out that "using passwords is the path of least resistance for many organizations. In contrast, pursuing passwordless authentication may require some near-term user adoption and education challenges."

Compounding the problem is that going passwordless can take many different forms, depending on an organization's needs. While an entirely white-collar organization might be able to deploy fingerprint-based biometric authentication across its workforce using new laptops and smartphones, a company that has retail or manufacturing operations would probably find it more difficult to go passwordless.

"Passwordless is not a single solution per se, but rather one that requires integrations of multiple products and technologies [and] requires buy-in from various leaders throughout an organization," says Ping Identity's white paper. "Businesses are often confused about where to start and how to increase passwordless adoption amongst their users."

Switching from cheap software-based password authentication to hardware-based biometric authentication can be expensive. A company might have to replace older laptops with newer models that have built-in fingerprint readers, or issue hardware security keys that can cost up to $90 each to all employees. Imagine the cost of installing retina scanners on factory floors so that workers can access systems without taking off their work gloves.

The Ping/Yubico survey of enterprises found that while 100% of respondents said they recognized the value of going passwordless, 99% had not yet implemented it. Plus, "83% of those with no plans for passwordless authentication admit their organization is unsure how to implement this, and 33% say a lack of experience is a barrier to adoption."

Lastly, there's a semantic issue with the term "passwordless." The word "password" is nearly synonymous with "security" for millions of English speakers, and hence "passwordless" may be misunderstood as meaning weaker security. That's unfortunate, says Ping Identity, because "the ultimate goal is frictionless, secure authentication."

"A lot of organizations do know that going passwordless is good," said Brown. "The security benefits are obvious. But they basically just don't know how to get there."

Why the time is right to go passwordless

Despite the slow uptake of passwordless solutions, a recent Gartner report estimated that "by 2025, more than 50% of the workforce and more than 20% of customer authentication transactions will be passwordless."

The Ping/Yubico survey found that 65% of respondents said their organizations were "very likely to implement passwordless authentication" in the future, although many felt the transition might take several years. Biometrics were the preferred passwordless method of survey respondents, with about twice as many opting for that over hardware security keys; PINs were in the middle.

Gartner's 2025 estimate may be a little over-optimistic, but there's no denying that passwordless solutions are being facilitated across the technology industry. In May 2022, Apple, Google and Microsoft jointly announced a commitment to make passwordless authentication, compliant with FIDO2 (Fast Identity Online) standards, available to most of their users within the coming year.

"This will simplify sign-ins across devices, websites, and applications no matter the platform — without the need for a single password," wrote Google's Sampath Srinivas in a blog post.

"When you sign into a website or app on your phone, you will simply unlock your phone — your account won't need a password anymore," Srinivas added. "To sign into a website on your computer, you'll just need your phone nearby and you'll simply be prompted to unlock it for access."

To safeguard access for users who lose their phones, the FIDO2 standard will utilize passkeys so that users can quickly transfer their account data to new phones. Looking a bit farther into the future, Ping Identity and others foresee greater use of passwordless decentralized identity, with which users can have digital wallets on their phones that will provide blockchain-verified identification to anyone who needs it.

Overall, the benefits of moving beyond passwords will outweigh the costs of conversion. Going truly passwordless, explains Ping Identity, means "that users and businesses never have to store passwords, thereby eliminating the risk of a password database being leaked or stolen. … [and] users no longer must go through the cumbersome process of creating passwords and keeping track of them."

See Part 2 of the passwordless journey here.

Paul Wagenseil

Paul Wagenseil is custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
