Despite their weaknesses, passwords are still widely used. Easy-to-guess and reused legacy passwords are vulnerable to a wide range of attacks and, by themselves, do not provide proper security for sensitive systems and confidential information.
While eliminating passwords has been a long-standing goal, it is finally seeing real traction in the marketplace.
“During the past year, we have seen a small increase in client inquiries specifically citing ‘passwordless’ and an increase in inquiries about other passwordless approaches,” says Ant Allan, Vice President Analyst, Gartner. “By 2022, Gartner predicts that 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases — up from 5% in 2018.”
Passwordless authentication, by its nature, eliminates the problem of using weak passwords. It also offers benefits to users and organizations. For users, it removes the need to remember or type passwords, leading to better user experience and customer experience. For organizations, there’s no longer a need to store passwords, leading to better security, fewer breaches and lower support costs.
Security and identity and access management (IAM) leaders can implement a passwordless approach in two ways.
Replace a legacy password as the sole authentication factor
Biometric authentication such as touch ID is a common way of going passwordless. It is now widely deployed in mobile banking apps, and is making its way into other customer and enterprise applications.
Other options include passwordless knowledge methods, such as pattern-based, one-time password methods; tokens, including phone-as-a-token modes, as a single factor; and Fast IDentity Online (FIDO) Universal Authentication Framework (UAF), which enables passwordless authentication via a method local to a person’s device.
Replace a legacy password as one factor in 2FA
Current mainstream strong authentication solutions are two-factor authentication (2FA) solutions that add some kind of token to an existing password. Recently, vendors have come to market with 2FA solutions that are passwordless by default, providing a single-step 2FA that can combine mobile push with a local PIN or device-native biometric mode to create sufficient trust in medium-risk use cases.
Non-native biometric modes provide more in a single-step 2FA, as they are independent of the phone’s power-on passcode, provide organizations with control over whose biometric data is being stored, and typically provide better protection against attacks using images or recordings. These advantages are critical when mobile push is being used to authenticate access from a smartphone.
Although it’s not always possible to completely eliminate passwords from legacy implementations, Gartner recommends that organizations prioritize assessing and implementing more robust passwordless authentication methods. In doing so, organizations will improve security and user experience.