The annual costs of cybercrime are estimated to continue to grow at 15% each year until 2025. With high-profile attacks on organisations frequently in the news, there’s a clear common factor in many of the most prominent data breaches – passwords.
Passwords are the oldest form of digital authentication and remain by far the most common today. They’re easy to understand, simple to implement, and are used to protect almost anything from bank accounts to social media and sensitive corporate data. But they’re also one of the least secure forms of authentication and were a factor in over half of data breaches last year, according to Verizon.
The reasons are simple – employees have too many credentials to memorise to maintain strong password practices effectively. With the average enterprise using 277 different cloud apps, remembering a strong, unique password for each of them isn’t practical. Instead, users fall back on insecure habits such as reusing passwords, writing them down, or choosing passwords so weak that brute-force attacks can recover them.
While there are multiple methods that aim to mitigate these weaknesses, the most effective is to address the root cause of the problem and remove passwords altogether. By replacing credentials with other forms of identification such as biometrics or secure tokens, delivered through open security standards such as SAML and OIDC, there are no passwords to be stolen, phished, or brute-forced. Passwordless authentication is clearly the best way forward for organisations – so why do passwords remain so common?
The death of the password has been predicted on numerous occasions, notably by Bill Gates at the 2004 RSA Security Conference, but the number of passwords in use continues to grow every year and remains the default for user authentication.
One reason that passwords have persisted in popularity is that the security protocols typically required to achieve passwordless authentication for corporate applications, such as SAML and OIDC, are not supported by every application. Support for passwordless authentication may be on a list of features yet to be rolled out, too costly or a low priority for development teams, or the application may be a legacy system that is no longer updated. While newer applications are more likely to support passwordless authentication, some require a premium or higher-tier subscription in order to deploy SAML or other passwordless technologies, excluding clients on free or lower tiers.
As a result, organisations are often forced to persist with passwords as the authentication method for the overwhelming majority of their applications for the time being. Instead, they rely on other methods to mitigate the security risks of credentials, such as Multi-Factor Authentication, cybersecurity training, and corporate password policies. However, none of these methods is as effective as solving the problem of passwords themselves.
Where passwordless authentication protocols are supported, IAM solutions can deploy passwordless Single Sign-On to applications today and organisations can begin to realise the benefits immediately. Where the application does not support passwordless authentication and passwords are still required, at least in the short term, organisations do have an alternative that provides a passwordless experience with many of the principal security benefits. An Identity and Access Management (IAM) solution incorporating Enterprise Password Management can generate credentials that are unique, high-entropy and never disclosed to users, set those passwords on the third-party applications, and enter them into login forms automatically when the user accesses an application. This approach has many of the same benefits as passwordless authentication.
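The following is an added illustration of the Enterprise Password Management idea described above; it is example code written for this article, not the code of any IAM product. It assumes a constructed character set, a constructed 80-bit minimum entropy floor, and an in-memory vault standing in for the encrypted credential store a real product would use. It shows how a per-application credential is generated from a cryptographically secure random source, how its entropy is measured and enforced, how reuse across applications is refused, and how the secret is injected into a login form without ever being shown to the user.

```python
import math
import secrets
import string
from typing import Dict

# Character set for generated credentials (constructed for this example; a real
# product would honour each application's own password composition rules).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}"


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_credential(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Draw a credential uniformly at random using the OS CSPRNG via `secrets`."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


class CredentialVault:
    """Toy per-user vault: one unique, high-entropy credential per application.

    The user never sees the stored value; only the SSO autofill step reads it.
    (Hypothetical class for this example; real vaults encrypt at rest.)
    """

    def __init__(self, min_entropy_bits: float = 80.0) -> None:
        self.min_entropy_bits = min_entropy_bits  # constructed policy floor
        self._store: Dict[str, str] = {}

    def provision(self, app: str, length: int = 24) -> float:
        """Generate and store a credential for `app`; return its entropy in bits.

        Rejects lengths that cannot meet the entropy floor and refuses to reuse
        a value already held for another application.
        """
        entropy = password_entropy_bits(length, len(ALPHABET))
        if entropy < self.min_entropy_bits:
            raise ValueError(
                f"{entropy:.1f} bits is below the {self.min_entropy_bits} bit floor"
            )
        candidate = generate_credential(length)
        while candidate in self._store.values():  # practically never loops
            candidate = generate_credential(length)
        self._store[app] = candidate
        return entropy

    def apps(self) -> list:
        """Applications with a provisioned credential (names only, no secrets)."""
        return sorted(self._store)

    def is_unique_per_app(self) -> bool:
        """True when no credential is shared between two applications."""
        return len(set(self._store.values())) == len(self._store)

    def masked_view(self, app: str) -> str:
        """What the end user is shown in the SSO portal: never the secret."""
        return "•" * 8 if app in self._store else ""

    def fill_login_form(self, app: str, form: Dict[str, str]) -> Dict[str, str]:
        """Simulate SSO autofill: inject the stored secret into a copy of the form."""
        if app not in self._store:
            raise KeyError(f"no credential provisioned for {app}")
        filled = dict(form)
        filled["password"] = self._store[app]
        return filled


if __name__ == "__main__":
    vault = CredentialVault()
    bits = vault.provision("crm-app")
    print(f"provisioned crm-app with {bits:.1f} bits of entropy")
    print("user sees:", vault.masked_view("crm-app"))
    print("form keys:", sorted(vault.fill_login_form("crm-app", {"username": "alice"})))
```

The entropy figure is what distinguishes this from a user-chosen password: a 24-character draw from an 80-symbol alphabet carries roughly 150 bits, far beyond any brute-force budget, whereas an 8-character lowercase password carries under 40 bits. Because the value is generated and autofilled rather than memorised, the reuse and write-it-down habits described above never arise.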
An IAM solution which provides both passwordless authentication and Enterprise Password Management within its Single Sign-On (SSO) solution delivers the same passwordless end-user experience regardless of which mechanism is used behind the scenes – the user has simple and secure access to applications without needing to know or manage passwords. As password-based apps roll out support for passwordless security standards, an SSO solution with this functionality already in place makes the transition to passwordless for those apps seamless. For employees, the end-user experience remains consistent during the enterprise’s transition from password-based to passwordless, even though the authentication mechanism behind the scenes changes for each application over time. This helps eliminate user friction, the need for additional training, and changes in user workflow.
The implementation of IAM solutions to provide passwordless authentication and Enterprise Password Management for applications helps organisations minimise the risk of data breaches and increase employee productivity within one solution, while facilitating a simple transition to corporate-wide passwordless authentication as each app evolves to support passwordless.
Together with the benefits of a transition to passwordless, IAM provides additional benefits that enable centralised control and governance of the applications that hold corporate data. Users can be automatically onboarded and offboarded, saving time in IT departments and preventing security risks from former employees retaining access to corporate data. IAM ultimately puts the business in control of access to corporate data by ensuring that only the right people have access to the right resources, and only when needed, mitigating the risks of insecure passwords and end-user practices.
Find out how Identity & Access Management can help your organisation move to passwordless authentication.