Enterprises today are barely recognisable from those of 15 years ago, with the growth of cloud computing being the latest transformation in how businesses are run. Yet even as hackers become more sophisticated and data breaches become more common, most enterprises are still relying on an outdated technology as their first (and sometimes only) line of defence – the password.
With 80% of hacking-related data breaches caused by weak, stolen or misused passwords, the most effective solution is to deal with the root cause of the problem and eliminate the use of passwords themselves. Passwordless authentication offers a multitude of benefits over the old system of credentials, and more and more businesses are beginning to embrace a passwordless future. Here are five reasons why organisations are moving to passwordless.
The central reason for passwordless authentication is that it offers a far greater degree of security.
Security protocols like SAML and OIDC offer an alternative, token-based authentication system, in which an Identity Provider (IdP) and a Service Provider (SP) securely verify a user’s identity and grant access without the need for a password at all. Because there is no password, there is nothing to be compromised and distributed on the dark web, nothing to be phished from the user, and nothing to be transmitted through vulnerable channels such as SMS. With the average global cost of a data breach coming in at £2.76 million, passwordless authentication is proving an attractive and cost-effective way to mitigate the risk of financial and reputational damage a breach can cause.
Phishing attacks are growing at an alarming rate, more than doubling between 2019 and 2020. Phishing remains the most common form of cybercrime, and as well as becoming more prevalent, the attacks have also become much more sophisticated. Highly relevant and personalised phishing emails make users more likely to fall victim, and spoofed websites that capture credentials and then forward them to the legitimate website, authenticating the user there, are much harder for an unsuspecting user to detect.
With a token-based authentication system, there isn’t a password for the user to enter. The security protocols involved in these solutions aren’t supported by all apps yet, but there is a workaround for those that still require a password. Some IdPs will instead provide a ‘passwordless experience’, where a very strong password is automatically generated and entered by the IdP. Crucially, this password is never known to the user, so it can’t be compromised through human error, and the IdP will recognise any false login page as not belonging to the SP and will not enter it there. As a result, the threat of phishing is essentially eliminated altogether.
Entering passwords every time a user needs to access a service might not seem like the most intensive task of the day, but with the huge number of cloud apps now in use in enterprises, that time adds up. Employees are spending increasing amounts of time entering and resetting passwords, which for enterprise organisations can add up to millions of pounds per year in lost productivity. With each password reset also costing an average of £50, it’s clear to see how passwordless authentication can help the bottom line.
While that inefficiency negatively impacts the business, it’s also a poor experience for the employees themselves. Studies have shown that the average employee uses anywhere from 9 to 36 cloud apps in their day-to-day work, with each one requiring separate credentials when passwordless Single Sign-On isn’t implemented. Instead, being able to access any app with a single click leads to a far smoother user experience – and a more efficient and productive workforce as a result.
The time spent resetting passwords isn’t just felt by employees – it puts a lot of needless strain on IT departments too. According to Gartner, up to 50% of all helpdesk calls were for password resets, wasting a huge amount of time and resources each year. The problem is that the huge number of passwords that employees have to remember when using large numbers of cloud apps is simply unmanageable for most people, making frequent resets inevitable. With passwordless authentication, the unnecessary password reset workload on IT departments is removed, driving efficiencies in IT.
Regulations such as UK GDPR and DPA (Data Protection Act) 2018 have added further risk to companies not taking the threat of data breaches seriously. Not only do enterprises risk downtime and huge reputational damage from a leak, but they also stand to face eye-watering fines – in the case of UK GDPR, up to £17.5 million or 4% of their annual global turnover.
In 2020, British Airways were handed a £18.9m fine for a previous data breach. While BA themselves weren’t responsible for the leak, the fact that they hadn’t taken sufficient security measures was considered enough justification for them to be fined regardless.
It’s not just regulators taking an interest in enterprise security, either – insurers are too. The recent growth of ransomware attacks has led to insurance premiums skyrocketing, and brokers demanding strict security measures from their clients as a result. With weak passwords being by far the most common vector for hackers, passwordless authentication provides enterprises with an excellent line of defence against data breaches and the compliance issues they can cause.