Despite their weaknesses, passwords are still widely used. Easy-to-guess and reused legacy passwords are vulnerable to a wide range of attacks and, by themselves, do not provide proper security for sensitive systems and confidential information. While eliminating passwords has been a long-standing goal, it is finally seeing real traction in the marketplace.
During the past year, we have seen a small increase in client inquiries that specifically cite "passwordless", and a larger increase in inquiries about other passwordless approaches. By 2022, Gartner predicts that 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases, up from 5% in 2018.
Passwordless authentication, by its nature, eliminates the problem of using weak passwords. It also offers benefits to users and organisations. For users, it removes the need to remember or type passwords, leading to better user experience and customer experience. For organisations, there is no longer a need to store passwords, leading to better security, fewer breaches and lower support costs.
Security and identity and access management leaders can implement a passwordless approach in two ways.
Replace a legacy password as the sole authentication factor
Biometric authentication such as touch ID is a common way of going passwordless. It is now widely deployed in mobile banking apps, and is making its way into other customer and enterprise applications.
Other options include passwordless knowledge methods, such as pattern-based one-time password methods; tokens, including phone-as-a-token modes, used as a single factor; and the Fast IDentity Online (FIDO) Universal Authentication Framework (UAF), which enables passwordless authentication via a method local to a person's device.
Replace a legacy password as one factor in 2FA
Current mainstream strong authentication solutions are two-factor authentication (2FA) solutions that add some kind of token to an existing password. Recently, vendors have come to market with 2FA solutions that are passwordless by default, providing a single-step 2FA that can combine mobile push with a local PIN or a device-native biometric mode to create sufficient trust in medium-risk use cases.
Non-native biometric modes provide more assurance in a single-step 2FA: they are independent of the phone's power-on passcode, they give organisations control over whose biometric data is being stored, and they typically provide better protection against attacks using images or recordings. These advantages are critical when mobile push is being used to authenticate access from a smartphone.
Although it is not always possible to completely eliminate passwords from legacy implementations, Gartner recommends that organisations prioritise assessing and implementing more robust passwordless authentication methods. In doing so, organisations will improve security and user experience.
- Passwordless authentication, by its nature, eliminates the problem of using weak passwords.
- Vendors have come to market providing a single-step 2FA with sufficient trust in medium-risk use cases.
- Gartner recommends organisations prioritise assessing more robust passwordless authentication methods.
Businesses are starting to consider a passwordless environment set up by biometric or mobile device techniques, explains Ant Allan at Gartner.