March 06, 2019
Contributor: Gloria Omale
Eliminate centrally managed passwords for better security, fewer breaches, lower support costs and enhanced user experience.
Despite their weaknesses, passwords are still widely used. Easy-to-guess and reused legacy passwords are vulnerable to a wide range of attacks and, by themselves, do not provide proper security for sensitive systems and confidential information.
While eliminating passwords has been a long-standing goal, it is finally seeing real traction in the marketplace.
“During the past year, we have seen a small increase in client inquiries specifically citing ‘passwordless’ and an increase in inquiries about other passwordless approaches,” says Ant Allan, Vice President Analyst, Gartner. “By 2022, Gartner predicts that 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases — up from 5% in 2018.”
Passwordless authentication, by its nature, eliminates the problem of using weak passwords. It also offers benefits to users and organizations. For users, it removes the need to remember or type passwords, leading to better user experience and customer experience. For organizations, there’s no longer a need to store passwords, leading to better security, fewer breaches and lower support costs.
Security and identity and access management (IAM) leaders can implement a passwordless approach in two ways.
Biometric authentication, such as Touch ID, is a common way of going passwordless. It is now widely deployed in mobile banking apps and is making its way into other customer and enterprise applications.
Other options include passwordless knowledge methods, such as pattern-based, one-time password methods; tokens, including phone-as-a-token modes, as a single factor; and Fast IDentity Online (FIDO) Universal Authentication Framework (UAF), which enables passwordless authentication via a method local to a person’s device.
Current mainstream strong authentication solutions are two-factor authentication (2FA) solutions that add some kind of token to an existing password. Recently, vendors have come to market with 2FA solutions that are passwordless by default, providing a single-step 2FA that can combine mobile push with a local PIN or device-native biometric mode to create sufficient trust in medium-risk use cases.
Non-native biometric modes provide more assurance in a single-step 2FA: they are independent of the phone’s power-on passcode, give organizations control over whose biometric data is being stored, and typically provide better protection against attacks using images or recordings. These advantages are critical when mobile push is being used to authenticate access from a smartphone.
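The passwordless pattern behind FIDO UAF and the push-plus-local-PIN products described above is a challenge-response in which a key held on the device signs a fresh server challenge, and the server stores only the matching public key. The following Go program is an added illustration of that pattern, not Gartner's or the FIDO Alliance's code, and it simplifies the real UAF protocol: the `Server`, `Device`, `Assertion` types and the `unlocked` flag (standing in for the local PIN or biometric check) are this example's own constructions, and the account name is constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Credential is the only thing the server keeps per user: a public key and the
// last signature counter seen. No password or other reusable secret is stored.
type Credential struct {
	PublicKey ed25519.PublicKey
	Counter   uint32
}

// Server holds registered credentials and one outstanding challenge per user.
type Server struct {
	creds      map[string]Credential
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{creds: map[string]Credential{}, challenges: map[string][]byte{}}
}

// Device is the local authenticator. The private key never leaves it, and
// signing is gated on a local unlock (PIN or device-native biometric).
type Device struct {
	priv    ed25519.PrivateKey
	counter uint32
}

func NewDevice() (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

func (d *Device) PublicKey() ed25519.PublicKey {
	return d.priv.Public().(ed25519.PublicKey)
}

// Register binds the device's public key to an account.
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.creds[user] = Credential{PublicKey: pub}
}

// BeginLogin issues a fresh 32-byte random challenge. Freshness is what makes
// a captured assertion useless for any later login attempt.
func (s *Server) BeginLogin(user string) ([]byte, error) {
	if _, ok := s.creds[user]; !ok {
		return nil, errors.New("unknown user")
	}
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	s.challenges[user] = ch
	return ch, nil
}

// Assertion is the device's answer: the counter it signed and the signature.
type Assertion struct {
	Counter   uint32
	Signature []byte
}

// signedMessage is challenge || big-endian counter, the exact bytes both sides sign/verify.
func signedMessage(challenge []byte, counter uint32) []byte {
	msg := append([]byte{}, challenge...)
	return append(msg, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
}

// Sign answers a challenge only after the local unlock succeeded; the server
// never sees the PIN or biometric, only the resulting signature.
func (d *Device) Sign(challenge []byte, unlocked bool) (Assertion, error) {
	if !unlocked {
		return Assertion{}, errors.New("local user verification failed")
	}
	d.counter++
	return Assertion{Counter: d.counter, Signature: ed25519.Sign(d.priv, signedMessage(challenge, d.counter))}, nil
}

// FinishLogin consumes the outstanding challenge (single use), rejects a
// counter that did not advance (replay or cloned authenticator), and verifies
// the signature against the stored public key.
func (s *Server) FinishLogin(user string, a Assertion) error {
	cred, ok := s.creds[user]
	ch, okc := s.challenges[user]
	if !ok || !okc {
		return errors.New("no login in progress")
	}
	delete(s.challenges, user)
	if a.Counter <= cred.Counter {
		return errors.New("signature counter did not increase")
	}
	if !ed25519.Verify(cred.PublicKey, signedMessage(ch, a.Counter), a.Signature) {
		return errors.New("bad signature")
	}
	cred.Counter = a.Counter
	s.creds[user] = cred
	return nil
}

func main() {
	s := NewServer()
	d, _ := NewDevice()
	s.Register("alice", d.PublicKey()) // constructed sample account
	ch, _ := s.BeginLogin("alice")
	a, _ := d.Sign(ch, true)
	fmt.Println("login:", s.FinishLogin("alice", a)) // <nil>
	s.BeginLogin("alice")
	fmt.Println("replay:", s.FinishLogin("alice", a)) // rejected
}
```

Two properties worth noting when evaluating a vendor's single-step 2FA against this model: a breach of the server's credential store yields only public keys, so there is nothing to crack or reuse, and the local PIN or biometric is checked on the device rather than transmitted, which is why the page can describe it as a second factor without a password ever being stored centrally.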
Although it’s not always possible to completely eliminate passwords from legacy implementations, Gartner recommends that organizations prioritize assessing and implementing more robust passwordless authentication methods. In doing so, organizations will improve security and user experience.