Passwords are a problem, and relying on them for user authentication is problematic. This has been an accepted truth in the infosec community for some time, yet credential-based methods are still ubiquitous.

The average person now has dozens of personal and business username/password combinations to keep track of and recycles those same passwords across multiple accounts, creating endless opportunities for exploitation and compromise. Why does this culture of poor password security persist when the options for passwordless authentication have never been stronger,cheaper or easier to use? What considerations are preventing IT teams that design identity management programs from implementing new methods?

A new Enterprise Management Associates (EMA) study on the identity management programs of 200 security professionals revealed that, when it comes to the design and implementation of identity management, people have good reasons for behaving the way they do. And while the majority of organizations still rely on username-and-password schemes for authentication, they’re aware of the pitfalls and devising plans to go passwordless.

Passwords Are Prevalent and Problematic

EMA queried security leaders on their identity management programs to understand the baseline behaviors and policies in place for authentication. The research found that passwords are prevalent, with 64 percent of organizations relying on them as a primary form of authentication. It also revealed that passwords are problematic, with 90 percent of organizations saying they had experienced a significant password policy violation in the last month.

Those violations came with severe consequences for the organizations, as 71 percent of survey respondents were able to directly correlate policy violations to specific penalties — including employee terminations, malware infections, compromised data, inability to meet regulatory compliance objectives, loss of customers and direct impacts to revenue generation.

Below are some highlights from the EMA report:

Which of the following types of authentication are currently in use in your organization?

Which of the following occurred due to a violation of your organization’s access management policy?

Approximately what percentage of employees in your organization have violated each of the following business password policies in the past year?

The Move to Passwordless: Planning for What’s Next

All of this damning data on passwords begs the question: If passwords are so problematic, why are they still so prevalent? EMA found that most organizations feel passwordless authentication methods are more secure than passwords. But the reasons for hesitating to adopt them were based on concerns spanning from people to processes.

Security leaders cited concerns about user training as well as integration with other management tools as the top worries holding them back from an investment in passwordless technology. Behind security management concerns, integration with cloud services and directory services emerged as top blockers for adoption.

Below are some additional findings:

Overall, which of the following best describes your impression of passwordless authentication processes as compared to traditional password-based authentication processes?

Indicate how technically challenging you believe each of the following would be for your organization to implement completely password-free authentication processes.

The Battle of Security Versus Convenience Is Over

There has long been a perception that authentication is a trade-off between two competing objectives: enterprise security and end user convenience. But that trade-off may no longer be necessary. In fact, biometric authentication methods such as facial recognition, thumbprints and retinal scans are seen by IT leaders as accomplishing both goals at once.

Furthermore, the EMA research indicated that decreasing the amount of friction imposed on authentication processes proportionally increases the level of security. Organizations that reduced friction in the authentication process saw a reduction in administrator time and efforts. In this way, low-friction, passwordless authentication approaches effectively align user and business requirements.

Average productivity improvement for types of authentication versus their perceived level of security

Clearing a Path to Passwordless Authentication

While organizations are more aware of the value of low-friction authentication, the chief inhibitor to passwordless solutions is the complexity of their deployment. In other words, many organizations are reluctant to introduce passwordless authentication because they believe it will be challenging to deploy or disruptive to business operations.

To help IT and security managers select the most effective solutions, EMA recommends using the four I’s to evaluate options for passwordless authentication:

  1. Intuitive— Solutions should be easy to onboard and simple to manage, requiring little or no end user training or administrator time to support.
  2. Informative — Holistic visibility should be enabled across the entire identity ecosystem to collect contextual data on users, devices, networks and hosted services. Information reports should be easily digestible to simplify the identification of potential risks or challenges to user experiences.
  3. Intelligent — Solutions should have intelligence technologies — such as analytics, machine learning and language processing — that collect identity data to determine the level of risk associated with enabling access. The number of authentication factors presented to the user should be dynamically determined based on the identified level of risk.
  4. Integrated — Solutions should leverage industry standards such as FIDO, SAML and Open ID Connect to enable integrations between authentication technologies and hosted services. Direct integration with service, system and security management platforms will further simplify administrative tasks and help consolidate access policy management.

To see more insights on the state of today’s identity management, register to download the “Full-Length EMA Research Report: Passwordless Authentication.”

More from Identity & Access

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

An IBM Hacker Breaks Down High-Profile Attacks

On September 19, 2022, an 18-year-old cyberattacker known as "teapotuberhacker" (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website Gamers got an unsanctioned sneak peek of game footage, characters, plot points and other critical details. It was a game developer's worst nightmare. In addition, the malicious actor claimed responsibility for a…

What is the Future of Password Managers?

In November 2022, LastPass had its second security breach in four months. Although company CEO Karim Toubba assured customers they had nothing to worry about, the incident didn’t inspire confidence in the world’s leading password manager application. Password managers have one vital job: keep your sensitive login credentials secret, so your accounts remain secure. When hackers compromise these software applications, the entire industry of identity and access management (IAM) takes notice. As an alliance of tech giants leads a global push…

Beware of What Is Lurking in the Shadows of Your IT

This post was written with contributions from Joseph Lozowski. Comprehensive incident preparedness requires building out and testing response plans that consider the possibility that threats will bypass all security protections. An example of a threat vector that can bypass security protections is “shadow IT” and it is one that organizations must prepare for. Shadow IT is the use of any hardware or software operating within an enterprise without the knowledge or permission of IT or Security. IBM Security X-Force responds…