July 25, 2019 By Lane Billings 4 min read

Passwords are a problem, and relying on them for user authentication is problematic. This has been an accepted truth in the infosec community for some time, yet credential-based methods are still ubiquitous.

The average person now has dozens of personal and business username/password combinations to keep track of and recycles those same passwords across multiple accounts, creating endless opportunities for exploitation and compromise. Why does this culture of poor password security persist when the options for passwordless authentication have never been stronger,cheaper or easier to use? What considerations are preventing IT teams that design identity management programs from implementing new methods?

A new Enterprise Management Associates (EMA) study on the identity management programs of 200 security professionals revealed that, when it comes to the design and implementation of identity management, people have good reasons for behaving the way they do. And while the majority of organizations still rely on username-and-password schemes for authentication, they’re aware of the pitfalls and devising plans to go passwordless.

Passwords Are Prevalent and Problematic

EMA queried security leaders on their identity management programs to understand the baseline behaviors and policies in place for authentication. The research found that passwords are prevalent, with 64 percent of organizations relying on them as a primary form of authentication. It also revealed that passwords are problematic, with 90 percent of organizations saying they had experienced a significant password policy violation in the last month.

Those violations came with severe consequences for the organizations, as 71 percent of survey respondents were able to directly correlate policy violations to specific penalties — including employee terminations, malware infections, compromised data, inability to meet regulatory compliance objectives, loss of customers and direct impacts to revenue generation.

Below are some highlights from the EMA report:

Which of the following types of authentication are currently in use in your organization?

Which of the following occurred due to a violation of your organization’s access management policy?

Approximately what percentage of employees in your organization have violated each of the following business password policies in the past year?

The Move to Passwordless: Planning for What’s Next

All of this damning data on passwords begs the question: If passwords are so problematic, why are they still so prevalent? EMA found that most organizations feel passwordless authentication methods are more secure than passwords. But the reasons for hesitating to adopt them were based on concerns spanning from people to processes.

Security leaders cited concerns about user training as well as integration with other management tools as the top worries holding them back from an investment in passwordless technology. Behind security management concerns, integration with cloud services and directory services emerged as top blockers for adoption.

Below are some additional findings:

Overall, which of the following best describes your impression of passwordless authentication processes as compared to traditional password-based authentication processes?

Indicate how technically challenging you believe each of the following would be for your organization to implement completely password-free authentication processes.

The Battle of Security Versus Convenience Is Over

There has long been a perception that authentication is a trade-off between two competing objectives: enterprise security and end user convenience. But that trade-off may no longer be necessary. In fact, biometric authentication methods such as facial recognition, thumbprints and retinal scans are seen by IT leaders as accomplishing both goals at once.

Furthermore, the EMA research indicated that decreasing the amount of friction imposed on authentication processes proportionally increases the level of security. Organizations that reduced friction in the authentication process saw a reduction in administrator time and efforts. In this way, low-friction, passwordless authentication approaches effectively align user and business requirements.

Average productivity improvement for types of authentication versus their perceived level of security

Clearing a Path to Passwordless Authentication

While organizations are more aware of the value of low-friction authentication, the chief inhibitor to passwordless solutions is the complexity of their deployment. In other words, many organizations are reluctant to introduce passwordless authentication because they believe it will be challenging to deploy or disruptive to business operations.

To help IT and security managers select the most effective solutions, EMA recommends using the four I’s to evaluate options for passwordless authentication:

  1. Intuitive— Solutions should be easy to onboard and simple to manage, requiring little or no end user training or administrator time to support.
  2. Informative — Holistic visibility should be enabled across the entire identity ecosystem to collect contextual data on users, devices, networks and hosted services. Information reports should be easily digestible to simplify the identification of potential risks or challenges to user experiences.
  3. Intelligent — Solutions should have intelligence technologies — such as analytics, machine learning and language processing — that collect identity data to determine the level of risk associated with enabling access. The number of authentication factors presented to the user should be dynamically determined based on the identified level of risk.
  4. Integrated — Solutions should leverage industry standards such as FIDO, SAML and Open ID Connect to enable integrations between authentication technologies and hosted services. Direct integration with service, system and security management platforms will further simplify administrative tasks and help consolidate access policy management.

To see more insights on the state of today’s identity management, register to download the “Full-Length EMA Research Report: Passwordless Authentication.”

More from Identity & Access

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

Artificial intelligence threats in identity management

4 min read - The 2023 Identity Security Threat Landscape Report from CyberArk identified some valuable insights. 2,300 security professionals surveyed responded with some sobering figures: 68% are concerned about insider threats from employee layoffs and churn 99% expect some type of identity compromise driven by financial cutbacks, geopolitical factors, cloud applications and hybrid work environments 74% are concerned about confidential data loss through employees, ex-employees and third-party vendors. Additionally, many feel digital identity proliferation is on the rise and the attack surface is…

X-Force certified containment: Responding to AD CS attacks

6 min read - This post was made possible through the contributions of Joseph Spero and Thanassis Diogos. In June 2023, IBM Security X-Force responded to an incident where a client had received alerts from their security tooling regarding potential malicious activity originating from a system within their network targeting a domain controller. X-Force analysis revealed that an attacker gained access to the client network through a VPN connection using a third-party IT management account. The IT management account had multi-factor authentication (MFA) disabled…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today