Everyone seems to want to stop using passwords. Security and IT professionals loathe them because they’re a key infiltration tool. Anyone who handles user experience dislikes passwords because they’re not very user friendly. Despite grumbling about passwords, they’ve been the main way we authenticate since the 1960s, mainly because no one has come up with a better alternative.
But that’s changing. In recent years passwordless authentication has gained traction at enterprises. Information security’s elevated role at organizations, support for passwordless authentication from a major technology vendor and complying with government regulations are causing enterprises to reconsider how they approach authentication and look into going passwordless.
Information security is a business priority
A security incident can cost a company revenue (see shipping company Maersk due to NotPetya), result in fines (see British Airways for violating GDPR), damage a brand (see Sony) or lead to executives losing their job (see Equifax’s CSO). Given these repercussions, board meetings now include discussions on information security.
Enterprise information security evolved from building walls to mitigating security risks. This includes not using passwords for authentication since they’re not ideal for protecting data. Passwords are frequently stolen in data breaches or phishing attacks and end up with threat actors who use them in other attacks. Just look at the 2019 Verizon Data Investigations Breach Report: 32 percent of the 41,686 security incidents it covered involved phishing and 29 percent involved stolen credentials. Even when threat actors have advanced exploits like EternalBlue at their disposal, leveraging usernames and passwords remains a key tactic.
Microsoft is adopting passwordless authentication (and expects others to follow)
Microsoft is replacing passwords with biometrics for employee access this year and expects other companies to follow suit within six years. “Passwords used to be the least bad option, but now with biometrics and behavioural analytics, Microsoft’s ambition is to eliminate passwords this year,” said Sian John, chief security adviser EMEA, Cyber Security Solutions Group, Microsoft, in June.
To encourage enterprise use of biometrics, the next major Windows 10 release will give people the option of using Windows Hello instead of a password to access Microsoft accounts. Given Microsoft’s clout, supporting passwordless authentication and providing the technology to eliminate passwords is likely to drive passwordless adoption, even if using Windows Hello may not be an option for enterprises with complex IT systems. At a minimum, Microsoft’s backing of passwordless authentication with biometrics legitimizes the approach.
Microsoft isn’t the only organization interested in ditching passwords. Gartner noted an uptick in passwordless inquiries from companies in 2018. The research firm predicted that by 2022, 60 percent of global companies and 90 percent of midsize companies will implement passwordless methods in more than half of use cases, up from 5 percent in 2018.
Getting right with the law
Meanwhile, the strong customer authentication (SCA) component of PSD2 in Europe, is making retailers, banks and payment providers reconsider how their customers approve online transactions. The challenge these organizations face is how to provide two-factor authentication without impeding the checkout process. One fear is that making shoppers type in a password could lead to high rates of shopping cart abandonment.
This reflection on authentication isn’t going smoothly. In June, the European Banking Authority allowed national regulators more time for SCA implementation after the payment industry said it couldn’t meet the Sept. 14 deadline. In the U.K., where retailers were concerned that SCA security solutions would be “jarring to consumer”, the Financial Conduct Authority extended the deadline by 18 months. Organizations are exploring passwordless authentication solutions to comply with SCA and get two-factor authentication right. Failing to do so could upset customers and drive them to competitors.
Now is the time to eliminate the password
Security concerns, industry support and regulations are creating a business case for passwordless authentication. From a security perspective, removing passwords decreases the attack surface. Security and IT professionals can point to Microsoft as an example of passwordless authentication’s validity. And not making customers use passwords offers a better user experience without sacrificing security.