Are We Finally Ready to Eliminate Passwords?

by Steve Brasen, Research Director, Endpoint and Identity Management

Passwords have been the bane of user productivity since the dawn of computing. Everyone has experienced the frustration of being intensely focused on a project but suddenly blocked from accessing critical applications or data simply because they could not recall a password. By the time users have jumped through all the hoops necessary to reset password credentials (which could qualify as an aerobic exercise in many organizations), it is not uncommon for them to have completely forgotten what it was they needed to access in the first place. It is an unfortunate fact that human brains have not evolved to the point of reliably retaining a larger number of unique and complex text strings. As noted in EMA’s recent research report, “Passwordless Authentication: Bridging the Gap Between High-Security and Low-Friction Identity Management,” 90% of surveyed companies reported severe violations of password policies in just the last year. These violations include users who employ the same password for multiple accounts, failures to periodically change passwords, and incidents in which passwords are physically written down.

While passwords continue to be the most frequently applied method of user authentication, their use is decidedly in decline. With alternative authentication technologies—such as thumbprint readers and facial recognition scanners—now commonly built into user devices and the increasing availability of more secure passwordless approaches to authentication, it seems the world is poised to finally kick passwords to the curb once and for all. But are businesses ready to give up on password controls altogether, and is it really a good idea for them to do so?

The fundamental purpose of a password is to positively identify the user requesting access to IT resources. However, passwords make no true determination on the validity of the user, instead granting access to anyone who happens to know the text string (whether they are authorized or not). This discrepancy between purpose and function exposes a whole host of opportunities for exploitation by nefarious actors. Brute-force attacks can be used to systematically identify password strings, keystroke logging can capture exactly when users enter their passwords, and phishing schemes can trick users into sharing their passwords. Respondents to EMA’s survey overwhelmingly indicated that password-based controls are the least secure of all authentication options available today. By comparison, biometrics (e.g., solutions that identify users by scanning their face, finger, eye, voice, and/or behavior) and hardware tokens (also called security keys) were recognized as providing the best security.

While the technologies certainly exist that can transform digital workspaces with more secure and user-friendly identity and access controls, many organizations are reluctant to make the transition. The primary challenge, according to EMA survey respondents, derives from concerns over deploying passwordless authentication solutions. The general perception among non-adopters is that adapting non-password technologies to work with an increasing number of internal and cloud-hosted IT services would be difficult and time-consuming to achieve. However, the broad adoption of industry standards (including FIDO and SAML) are eliminating integration challenges and making it possible for passwordless authentication solutions to support access to thousands of IT services “out of the box.”

For now, the focus for the majority of organizations appears to be on reducing the number of passwords and the complexity of password management. Single sign-on (SSO) and password vaulting solutions are being popularly adopted for their ability to reduce the number of password challenges a user receives. These are viewed as fairly easy platforms to adopt because both can be layered on top of existing password controls. This is certainly a step in the right direction, but these approaches still require high-friction user interactions during initial password setups and reauthentication requests. Also, these solutions do little to address the security vulnerabilities inherent in passwords.

While it seems it will be necessary to put up with at least some passwords for the foreseeable future, organizations should not be deterred from adopting passwordless authentication technologies. Passwordless solutions boost user productivity, improve security effectiveness, and reduce management efforts and related costs. Organizations that adopt passwordless approaches will see enhancements to their business agility, workforce productivity, customer satisfaction, compliance attainment, security assurance, and user satisfaction. The adoption of passwordless technologies is a win for everyone, except malicious hackers seeking to exploit security weaknesses. Also, if it were up to me, I would personally prefer to never have to enter another useless and annoying password again.

Get key results from EMA’s research during the July 9 Password Authentication webinar.