Passwords are a problem, and relying on them for user authentication is problematic. This has been an accepted truth in the infosec community for some time, yet credential-based methods are still ubiquitous.

The average person now has dozens of personal and business username/password combinations to keep track of and recycles those same passwords across multiple accounts, creating endless opportunities for exploitation and compromise. Why does this culture of poor password security persist when the options for passwordless authentication have never been stronger,cheaper or easier to use? What considerations are preventing IT teams that design identity management programs from implementing new methods?

A new Enterprise Management Associates (EMA) study on the identity management programs of 200 security professionals revealed that, when it comes to the design and implementation of identity management, people have good reasons for behaving the way they do. And while the majority of organizations still rely on username-and-password schemes for authentication, they’re aware of the pitfalls and devising plans to go passwordless.

Passwords Are Prevalent and Problematic

EMA queried security leaders on their identity management programs to understand the baseline behaviors and policies in place for authentication. The research found that passwords are prevalent, with 64 percent of organizations relying on them as a primary form of authentication. It also revealed that passwords are problematic, with 90 percent of organizations saying they had experienced a significant password policy violation in the last month.

Those violations came with severe consequences for the organizations, as 71 percent of survey respondents were able to directly correlate policy violations to specific penalties — including employee terminations, malware infections, compromised data, inability to meet regulatory compliance objectives, loss of customers and direct impacts to revenue generation.

Below are some highlights from the EMA report:

Which of the following types of authentication are currently in use in your organization?

Which of the following occurred due to a violation of your organization’s access management policy?

Approximately what percentage of employees in your organization have violated each of the following business password policies in the past year?

The Move to Passwordless: Planning for What’s Next

All of this damning data on passwords begs the question: If passwords are so problematic, why are they still so prevalent? EMA found that most organizations feel passwordless authentication methods are more secure than passwords. But the reasons for hesitating to adopt them were based on concerns spanning from people to processes.

Security leaders cited concerns about user training as well as integration with other management tools as the top worries holding them back from an investment in passwordless technology. Behind security management concerns, integration with cloud services and directory services emerged as top blockers for adoption.

Below are some additional findings:

Overall, which of the following best describes your impression of passwordless authentication processes as compared to traditional password-based authentication processes?

Indicate how technically challenging you believe each of the following would be for your organization to implement completely password-free authentication processes.

The Battle of Security Versus Convenience Is Over

There has long been a perception that authentication is a trade-off between two competing objectives: enterprise security and end user convenience. But that trade-off may no longer be necessary. In fact, biometric authentication methods such as facial recognition, thumbprints and retinal scans are seen by IT leaders as accomplishing both goals at once.

Furthermore, the EMA research indicated that decreasing the amount of friction imposed on authentication processes proportionally increases the level of security. Organizations that reduced friction in the authentication process saw a reduction in administrator time and efforts. In this way, low-friction, passwordless authentication approaches effectively align user and business requirements.

Average productivity improvement for types of authentication versus their perceived level of security

Clearing a Path to Passwordless Authentication

While organizations are more aware of the value of low-friction authentication, the chief inhibitor to passwordless solutions is the complexity of their deployment. In other words, many organizations are reluctant to introduce passwordless authentication because they believe it will be challenging to deploy or disruptive to business operations.

To help IT and security managers select the most effective solutions, EMA recommends using the four I’s to evaluate options for passwordless authentication:

  1. Intuitive— Solutions should be easy to onboard and simple to manage, requiring little or no end user training or administrator time to support.
  2. Informative — Holistic visibility should be enabled across the entire identity ecosystem to collect contextual data on users, devices, networks and hosted services. Information reports should be easily digestible to simplify the identification of potential risks or challenges to user experiences.
  3. Intelligent — Solutions should have intelligence technologies — such as analytics, machine learning and language processing — that collect identity data to determine the level of risk associated with enabling access. The number of authentication factors presented to the user should be dynamically determined based on the identified level of risk.
  4. Integrated — Solutions should leverage industry standards such as FIDO, SAML and Open ID Connect to enable integrations between authentication technologies and hosted services. Direct integration with service, system and security management platforms will further simplify administrative tasks and help consolidate access policy management.

To see more insights on the state of today’s identity management, register to download the “Full-Length EMA Research Report: Passwordless Authentication.”

More from Identity & Access

CISA, NSA Issue New IAM Best Practice Guidelines

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recently released a new 31-page document outlining best practices for identity and access management (IAM) administrators. As the industry increasingly moves towards cloud and hybrid computing environments, managing the complexities of digital identities can be challenging. Nonetheless, the importance of IAM cannot be overstated in today's world, where data security is more critical than ever. Meanwhile, IAM itself can be a source of vulnerability if not implemented…

4 min read

The Importance of Accessible and Inclusive Cybersecurity

4 min read - As the digital world continues to dominate our personal and work lives, it’s no surprise that cybersecurity has become critical for individuals and organizations. But society is racing toward “digital by default”, which can be a hardship for individuals unable to access digital services. People depend on these digital services for essential online services, including financial, housing, welfare, healthcare and educational services. Inclusive security ensures that such services are as widely accessible as possible and provides digital protections to users…

4 min read

What’s Going On With LastPass, and is it Safe to Use?

4 min read - When it comes to password managers, LastPass has been one of the most prominent players in the market. Since 2008, the company has focused on providing secure and convenient solutions to consumers and businesses. Or so it seemed. LastPass has been in the news recently for all the wrong reasons, with multiple reports of data breaches resulting from failed security measures. To make matters worse, many have viewed LastPass's response to these incidents as less than adequate. The company seemed…

4 min read

Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space

8 min read - View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series. As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace. The need to ensure the security and safety of these technologies has never been more pressing. So, let’s discover a range of measures…

8 min read