Embrace a Passwordless Approach to Improve Security

Eliminate centrally managed passwords for better security, fewer breaches, lower support costs and enhanced user experience.

Despite their weaknesses, passwords are still widely used. Easy-to-guess and reused legacy passwords are vulnerable to a wide range of attacks and, by themselves, do not provide proper security for sensitive systems and confidential information.

While eliminating passwords has been a long-standing goal, it is finally seeing real traction in the marketplace.

“During the past year, we have seen a small increase in client inquiries specifically citing ‘passwordless’ and an increase in inquiries about other passwordless approaches,” says Ant Allan, Vice President Analyst, Gartner. “By 2022, Gartner predicts that 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases — up from 5% in 2018.”


Passwordless authentication, by its nature, removes the weak-password problem entirely. It also benefits users and organizations. For users, there is no password to remember or type, which improves both employee and customer experience. For organizations, there is no longer a password store to protect, which means fewer credentials to breach and fewer reset requests for the help desk.

Security and identity and access management (IAM) leaders can implement a passwordless approach in two ways.

Replace a legacy password as the sole authentication factor

Biometric authentication, such as fingerprint-based Touch ID, is a common way of going passwordless. It is now widely deployed in mobile banking apps and is making its way into other customer and enterprise applications.

Other options include passwordless knowledge methods, such as pattern-based one-time password schemes, in which the user derives a fresh code from a remembered pattern instead of typing a stored password; tokens, including phone-as-a-token modes, used as a single factor; and Fast IDentity Online (FIDO) Universal Authentication Framework (UAF), which enables passwordless authentication via a method local to a person's device, with the server holding only a public key rather than a shared secret.
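To make the FIDO UAF point concrete, the following is an added example, not code from the original article or from the FIDO specifications: a simplified public-key challenge-response login in Go. The relying party stores only a public key and a one-shot challenge; the private key stays on the device and signing is gated on a local unlock (standing in for a PIN or biometric). The relying party name `bank.example`, the `RelyingPartyID` constant, the Ed25519 choice and the length-prefixed message layout are all assumptions made for illustration; real UAF assertions have their own format and additional fields.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sync"
)

// RelyingPartyID is a hypothetical service identity (assumption for this example).
// Every signature is bound to it, so an assertion for one site is useless at another.
const RelyingPartyID = "bank.example"

// Server is the relying party. It holds a public key per user and the outstanding
// challenge; no secret is stored, so a database breach yields nothing reusable.
type Server struct {
	mu         sync.Mutex
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the credential public key (enrolment channel assumed trusted).
func (s *Server) Register(user string, pk ed25519.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pubKeys[user] = pk
}

// Challenge issues a fresh 32-byte random nonce, replacing any earlier one.
func (s *Server) Challenge(user string) ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	s.challenges[user] = ch
	return ch, nil
}

// Verify checks the signature over the outstanding challenge bound to this relying
// party. The challenge is consumed on every attempt, so a captured assertion cannot
// be replayed even if the first attempt failed.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	expected, ok := s.challenges[user]
	delete(s.challenges, user)
	if !ok || !bytes.Equal(expected, challenge) {
		return errors.New("no matching outstanding challenge")
	}
	pk, ok := s.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pk, assertionMessage(RelyingPartyID, challenge), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// assertionMessage is what both sides sign/verify: a 2-byte length prefix, the
// relying party ID, then the challenge, so the two fields cannot be confused.
func assertionMessage(rpID string, challenge []byte) []byte {
	msg := []byte{byte(len(rpID) >> 8), byte(len(rpID))}
	msg = append(msg, rpID...)
	return append(msg, challenge...)
}

// Authenticator is the device side: the private key never leaves it and signing
// requires a prior local unlock (PIN or biometric).
type Authenticator struct {
	priv     ed25519.PrivateKey
	unlocked bool
}

func NewAuthenticator() (*Authenticator, ed25519.PublicKey, error) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: sk}, pk, nil
}

// Unlock stands in for a successful local biometric or PIN check.
func (a *Authenticator) Unlock() { a.unlocked = true }

// Sign binds the challenge to the rpID the client platform observed (not one the
// server claims), which is why a phishing site cannot obtain a usable signature.
func (a *Authenticator) Sign(challenge []byte, rpID string) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("user verification required")
	}
	return ed25519.Sign(a.priv, assertionMessage(rpID, challenge)), nil
}

func main() {
	srv := NewServer()
	dev, pk, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	srv.Register("alice", pk)
	ch, _ := srv.Challenge("alice")
	dev.Unlock()
	sig, _ := dev.Sign(ch, RelyingPartyID)
	fmt.Println("login:", srv.Verify("alice", ch, sig))  // <nil>
	fmt.Println("replay:", srv.Verify("alice", ch, sig)) // error: challenge consumed
}
```

Three checks are worth running against this flow: a locked authenticator refuses to sign, a replayed assertion is rejected because the challenge was consumed, and a signature made for a different relying party ID (the phishing case) fails verification at the genuine server.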


Replace a legacy password as one factor in 2FA

Current mainstream strong authentication solutions are two-factor authentication (2FA) solutions that add some kind of token to an existing password. More recently, vendors have come to market with 2FA solutions that are passwordless by default: a single-step 2FA that combines a mobile push notification with a local PIN or a device-native biometric mode, which creates sufficient trust for medium-risk use cases.

Non-native biometric modes (supplied by the authentication vendor rather than the phone's built-in sensor) offer stronger assurance in single-step 2FA. They are independent of the phone's power-on passcode, give organizations control over whose biometric data is being stored, and typically provide better protection against presentation attacks using images or recordings. These advantages matter most when mobile push is being used to authenticate access from the same smartphone, because the device's own unlock is then the only thing standing between an attacker holding the phone and the approval prompt.

Although it’s not always possible to completely eliminate passwords from legacy implementations, Gartner recommends that organizations prioritize assessing and implementing more robust passwordless authentication methods. In doing so, organizations will improve security and user experience.

Gartner clients can read more in the reports “Market Guide for User Authentication” and “Top Security and Risk Management Trends.”
