Oct 22 2024
Security

Unlocking Modern Security: A Journey Beyond Passwords in User Authentication

Evolving security solutions are enabling passwordless capabilities that make organizations safer.

Passwords are profoundly unpopular. They represent a major hassle for users, who are often required to keep track of unique, complex passwords for hundreds of different accounts. And they create significant costs for organizations that must pay help desks to assist users as they reset their passwords over and over again. To make matters even worse, passwords remain one of the most vulnerable authentication methods available.

“The need to manage passwords and overcome problems related to them leads to massive frustration and lost productivity,” writes Jeremiah Salzberg, chief security technologist for CDW.

Because of the limitations and unpopularity of passwords, experts have been predicting their end for decades, but they’re still here. However, some advances in authentication technologies, including biometrics, the browser-based Web Authentication API and push notifications, may offer an avenue for some organizations to finally go passwordless.


The Promise of Passwordless Authentication

The weakness of passwords has become more of an issue in recent years, as cybercriminals have started using tools such as artificial intelligence to enhance their attacks. AI can be used not only in common attack techniques such as phishing but also for cracking passwords. Theft is another significant vulnerability for passwords; a March 2024 Keeper report revealed that 52% of IT leaders said their companies’ IT teams struggle with frequently stolen passwords.


The prospect of no longer having to deal with passwords holds significant appeal for IT professionals and users. In fact, 56% of internet users said they are excited about passwordless authentication, according to a 2023 Bitwarden survey.

This excitement is well founded, as organizations can see significant benefits from going passwordless. According to security vendor CyberArk, “Passwordless Authentication strengthens security by eliminating risky password management practices and reducing attack vectors. It also improves user experiences by eliminating password and secrets fatigue.”


Tools That Support Passwordless Authentication

A variety of technologies have emerged to help companies achieve their passwordless objectives. One key example is biometric authentication. According to security vendor Okta, “Biometric authentication is a security process that uses unique biological characteristics like fingerprints, eye patterns, facial recognition, and voice analysis to confirm and verify a person’s identity before granting them access to a physical space or digital system.”

Biometric solutions can provide a higher level of security because the unique identifiers they rely on are difficult to replicate or hack. They also are generally faster and more convenient for users than many other authentication techniques, which improves the user experience. This also makes it simpler for a company to implement continuous authentication, where identity is verified at regular intervals while users are logged in to a system, improving security.

Push notifications are another tool for passwordless authentication. Solutions such as Microsoft Authenticator can send a push notification to a user’s registered mobile device. The notification includes details about the authentication attempt and enables the user to approve or deny it.


Passwordless authentication can also be enabled by the Web Authentication API (also known as WebAuthn). This application programming interface, which was created by the FIDO Alliance and the World Wide Web Consortium, enables an organization to authenticate users via public key cryptography instead of passwords. By creating a private-public key pair, the API allows a server to use strong authenticators built into devices to verify the identity of authorized users.
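
The public key exchange described above can be modeled in a few lines. This is an added example, not code from the article or from any WebAuthn library: it uses Node.js's built-in crypto module rather than the browser API, and the origin `https://login.example.test` and all function names are assumptions. It shows why a captured response cannot be replayed and why a response produced on a lookalike site is rejected.

```javascript
// Simplified model of WebAuthn sign-in; attestation, flags and counters are omitted.
const nodeCrypto = require("crypto");
const RP_ORIGIN = "https://login.example.test"; // assumed relying-party origin
const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();
const rpIdHash = (origin) => sha256(new URL(origin).hostname);

// Authenticator: generates the key pair; the private key never leaves this closure.
function createAuthenticator() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    publicKey, // the only key material the server ever receives
    sign(challenge, origin) { // the browser supplies the origin it is really connected to
      const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
      const authenticatorData = rpIdHash(origin);
      const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
      return { clientDataJSON, authenticatorData, signature: nodeCrypto.sign("sha256", signed, privateKey) };
    },
  };
}

// Relying party: stores a public key and issues single-use random challenges.
function createServer() {
  const pending = new Set();
  let storedKey = null;
  return {
    register(publicKey) { storedKey = publicKey; },
    newChallenge() {
      const challenge = nodeCrypto.randomBytes(32).toString("base64url");
      pending.add(challenge);
      return challenge;
    },
    verify({ clientDataJSON, authenticatorData, signature }) {
      const client = JSON.parse(clientDataJSON.toString());
      if (client.origin !== RP_ORIGIN) return "wrong-origin";
      if (!authenticatorData.equals(rpIdHash(RP_ORIGIN))) return "wrong-rp-id";
      if (!pending.delete(client.challenge)) return "unknown-or-replayed-challenge";
      const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
      return nodeCrypto.verify("sha256", signed, storedKey, signature) ? "ok" : "bad-signature";
    },
  };
}

function demo() {
  const server = createServer(), device = createAuthenticator();
  server.register(device.publicKey);
  const assertion = device.sign(server.newChallenge(), RP_ORIGIN);
  const lookalike = device.sign(server.newChallenge(), "https://login.example.invalid");
  return { first: server.verify(assertion), replay: server.verify(assertion), lookalike: server.verify(lookalike) };
}
console.log(demo());
```

The server holds no secret that could be stolen and reused: a breach of its credential store exposes only public keys.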

Several other tools can also help organizations establish passwordless authentication, including smart cards, QR codes and mobile one-time passcode generators such as Google Authenticator. Experts suggest organizations should start looking now at how they may deploy solutions such as these to finally rid themselves of the headaches that passwords have created for decades.

“Ultimately, the time for passwordless authentication is here, and organizations should start moving toward it,” CDW’s Salzberg writes. “We still face some challenges to getting rid of passwords altogether, and we need to ensure we are using the most secure multifactor authentication options for our most critical systems.”

Editor's note: This article was originally published in August 2024. 
