July 25, 2019 By Lane Billings 4 min read

Passwords are a problem, and relying on them for user authentication is problematic. This has been an accepted truth in the infosec community for some time, yet credential-based methods are still ubiquitous.

The average person now has dozens of personal and business username/password combinations to keep track of and recycles those same passwords across multiple accounts, creating endless opportunities for exploitation and compromise. Why does this culture of poor password security persist when the options for passwordless authentication have never been stronger,cheaper or easier to use? What considerations are preventing IT teams that design identity management programs from implementing new methods?

A new Enterprise Management Associates (EMA) study on the identity management programs of 200 security professionals revealed that, when it comes to the design and implementation of identity management, people have good reasons for behaving the way they do. And while the majority of organizations still rely on username-and-password schemes for authentication, they’re aware of the pitfalls and devising plans to go passwordless.

Passwords Are Prevalent and Problematic

EMA queried security leaders on their identity management programs to understand the baseline behaviors and policies in place for authentication. The research found that passwords are prevalent, with 64 percent of organizations relying on them as a primary form of authentication. It also revealed that passwords are problematic, with 90 percent of organizations saying they had experienced a significant password policy violation in the last month.

Those violations came with severe consequences for the organizations, as 71 percent of survey respondents were able to directly correlate policy violations to specific penalties — including employee terminations, malware infections, compromised data, inability to meet regulatory compliance objectives, loss of customers and direct impacts to revenue generation.

Below are some highlights from the EMA report:

Which of the following types of authentication are currently in use in your organization?

Which of the following occurred due to a violation of your organization’s access management policy?

Approximately what percentage of employees in your organization have violated each of the following business password policies in the past year?

The Move to Passwordless: Planning for What’s Next

All of this damning data on passwords begs the question: If passwords are so problematic, why are they still so prevalent? EMA found that most organizations feel passwordless authentication methods are more secure than passwords. But the reasons for hesitating to adopt them were based on concerns spanning from people to processes.

Security leaders cited concerns about user training as well as integration with other management tools as the top worries holding them back from an investment in passwordless technology. Behind security management concerns, integration with cloud services and directory services emerged as top blockers for adoption.

Below are some additional findings:

Overall, which of the following best describes your impression of passwordless authentication processes as compared to traditional password-based authentication processes?

Indicate how technically challenging you believe each of the following would be for your organization to implement completely password-free authentication processes.

The Battle of Security Versus Convenience Is Over

There has long been a perception that authentication is a trade-off between two competing objectives: enterprise security and end user convenience. But that trade-off may no longer be necessary. In fact, biometric authentication methods such as facial recognition, thumbprints and retinal scans are seen by IT leaders as accomplishing both goals at once.

Furthermore, the EMA research indicated that decreasing the amount of friction imposed on authentication processes proportionally increases the level of security. Organizations that reduced friction in the authentication process saw a reduction in administrator time and efforts. In this way, low-friction, passwordless authentication approaches effectively align user and business requirements.

Average productivity improvement for types of authentication versus their perceived level of security

Clearing a Path to Passwordless Authentication

While organizations are more aware of the value of low-friction authentication, the chief inhibitor to passwordless solutions is the complexity of their deployment. In other words, many organizations are reluctant to introduce passwordless authentication because they believe it will be challenging to deploy or disruptive to business operations.

To help IT and security managers select the most effective solutions, EMA recommends using the four I’s to evaluate options for passwordless authentication:

  1. Intuitive— Solutions should be easy to onboard and simple to manage, requiring little or no end user training or administrator time to support.
  2. Informative — Holistic visibility should be enabled across the entire identity ecosystem to collect contextual data on users, devices, networks and hosted services. Information reports should be easily digestible to simplify the identification of potential risks or challenges to user experiences.
  3. Intelligent — Solutions should have intelligence technologies — such as analytics, machine learning and language processing — that collect identity data to determine the level of risk associated with enabling access. The number of authentication factors presented to the user should be dynamically determined based on the identified level of risk.
  4. Integrated — Solutions should leverage industry standards such as FIDO, SAML and Open ID Connect to enable integrations between authentication technologies and hosted services. Direct integration with service, system and security management platforms will further simplify administrative tasks and help consolidate access policy management.

To see more insights on the state of today’s identity management, register to download the “Full-Length EMA Research Report: Passwordless Authentication.”

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today